Thousands of CRA Employees Fooled in Phishing Test

12 June 2015

Most people probably think they can detect a phishing scam attempt, especially employees at major government agencies, who need to be particularly cautious about security. However, a recent test carried out by the Canada Revenue Agency (CRA) determined that only about 78 percent of CRA employees successfully identified a test phishing email.

According to the Globe and Mail, the CRA sent a simulated phishing email to 16,000 of its employees between January and March of 2015 to measure how susceptible the agency was to phishing. The results were not particularly encouraging: 78 percent of recipients recognized the message as a scam and avoided clicking the link, but 22 percent, or about 3,500 employees, did not and clicked. What's more, employees had been forewarned that a test would take place, so they should have been more alert to suspicious email than usual.

According to the CRA, the test email was made to look as though it came from an internal source, but it contained enough hints, such as contradictory information, that it should have been recognizable as a phishing attempt. Professor David Skillicorn of the Queen's University School of Computing notes that scammers commonly make their messages appear to originate inside the target organization, because internal mail receives less scrutiny than mail from an outside source.
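Two of the "hints" the CRA describes, a message that claims an internal sender and a message whose details contradict each other, can be checked mechanically before a human ever reads the email. The following Python script is an added illustration, not code from the article or the CRA: it parses a raw message, and for any message whose From header claims the internal domain it compares that claim against the Return-Path and the SPF/DKIM verdicts recorded in Authentication-Results, then scans the HTML body for links whose visible text names a different host than the real href. The internal domain `example.gov`, the relay and lure hostnames, and both sample messages are constructed for the example.

```python
"""Flag emails that claim an internal sender but carry contradictory evidence.

Added example; the domain names and the two sample messages below are
constructed for illustration and do not describe any real CRA test message.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.gov"  # assumed internal domain for the illustration

# Matches <a ... href="...">visible text</a> in an HTML body.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Pulls the host out of an http(s) URL.
URL_HOST_RE = re.compile(r"https?://([^/\s\"'>]+)", re.I)


def sender_domain(addr_header):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect spf=/dkim=/dmarc= verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def html_body(msg):
    """Concatenate every text/html part of the message (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def link_mismatches(html):
    """Return (real_host, displayed_host) pairs where the link text shows a different host."""
    out = []
    for href, text in LINK_RE.findall(html):
        real = URL_HOST_RE.search(href)
        shown = URL_HOST_RE.search(text)
        if real and shown and real.group(1).lower() != shown.group(1).lower():
            out.append((real.group(1).lower(), shown.group(1).lower()))
    return out


def phishing_indicators(raw):
    """Return a list of human-readable indicators; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    flags = []
    if sender_domain(msg["From"]) == INTERNAL_DOMAIN:
        # The message claims to be internal: the envelope and the authentication
        # results must back that claim up.
        rp_dom = sender_domain(msg["Return-Path"])
        if rp_dom and rp_dom != INTERNAL_DOMAIN:
            flags.append(f"internal From but Return-Path domain is {rp_dom}")
        verdicts = auth_results(msg)
        for mech in ("spf", "dkim"):
            result = verdicts.get(mech, "missing")
            if result != "pass":
                flags.append(f"{mech}={result} for a sender claiming {INTERNAL_DOMAIN}")
    for real, shown in link_mismatches(html_body(msg)):
        flags.append(f"link text shows {shown} but points at {real}")
    return flags


# Constructed sample: spoofed internal sender, failed SPF, no DKIM, disguised link.
SPOOFED = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.gov; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "IT Service Desk" <helpdesk@example.gov>
To: employee@example.gov
Subject: Password expiry notice
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Sign in at
<a href="http://example-gov-login.example.net/reset">https://portal.example.gov/reset</a></p></body></html>
"""

# Constructed sample: genuine internal notice that passes every check.
LEGIT = """\
Return-Path: <helpdesk@example.gov>
Authentication-Results: mx.example.gov; spf=pass smtp.mailfrom=example.gov; dkim=pass header.d=example.gov
From: "IT Service Desk" <helpdesk@example.gov>
To: employee@example.gov
Subject: Password expiry notice
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires in 14 days. Change it at
<a href="https://portal.example.gov/reset">https://portal.example.gov/reset</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("LEGIT", LEGIT)):
        print(name, phishing_indicators(raw) or "no indicators")
```

The checks are deliberately conservative: a missing Authentication-Results header is reported rather than silently trusted, and only links whose visible text is itself a URL are compared, since plain words such as "click here" give the reader nothing to contradict. Real mail gateways perform the same comparisons at scale; the value of doing it by hand on one message is seeing exactly which header betrays the forgery.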

“The real test is the sophistication of the e-mail itself,” he told the Globe and Mail.

Organizations like the CRA run firewalls and other perimeter defences to block malware delivered through malicious links, but these are not foolproof, and they offer no protection against a message that simply persuades an employee to hand over credentials. In 2014 the CRA fell victim to an attack exploiting the Heartbleed vulnerability in OpenSSL, took its online services down in response, and extended the tax-filing deadline as a result.

Meanwhile, individuals are apparently no better than government agencies at recognizing phishing attempts. In an experiment conducted by Intel in early 2015, participants were shown 10 emails and asked to decide which were legitimate and which were phishing; 97 percent of participants worldwide failed to identify every phishing email correctly.

The study drew on 19,000 respondents in 144 countries, and Canadians ranked 26th worldwide in their ability to detect phishing emails. Although Canada came in ahead of the U.S., this is still a fairly low ranking, well below the top five of France, Sweden, Hungary, the Netherlands and Spain.

The study also undercut the idea that younger people are better at recognizing online scams. The 35-to-44 age group performed best of any demographic, classifying 68 percent of the emails correctly on average. The lowest-performing group was women under 18, suggesting that better online security education for teenagers may be needed.

Phishing attacks can lead to credential theft and identity theft. To protect yourself, sign up for a credit monitoring service that can alert you to activity on your credit file that may indicate fraud.