The country's largest insurer is sending fake phishing emails to its own staff. Not to scam them into giving back their wages, but to test them on their cyber security awareness.
Mark Knowles, director of cyber security and risk at IAG New Zealand, said the firm began sending fake emails several months ago as part of a company-wide approach to cyber security and awareness of online scams.
ALl of IAG’s 3500 staff are sent a phishing email once a month, and those who click on links are then sent an instant reminder to undertake cyber security training. It’s a great way to get employees clued up, but could be pretty embarrassing for those employees when they realise. Still, better safe and sheepish than legitimately attacked.
Knowles said they began the programme with an easy scam - an email about a turkey recipe for the American holiday Thanksgiving.
"We started with something quite simple,” he says.
Not many people fell for the first one but the second scam, which was more elaborate, got a few bites.
Knowles would not say how many staff were tricked into clicking the second time around, citing security reasons.
"I'm not too keen to let people know how many people clicked on the phishing email. The number to start with was really low,” he says.
“The more important part was that it raised awareness across all staff not just about phishing emails but security."
It also prompted more people to click on its internal cyber security warning button which automatically sends a notice to its cyber defence centre.
Knowles said the system helped the company to identify the kinds of scams that everyday people would be most likely to fall for.
It also created a whole team of people looking out for scams across the company rather than just having a small team focused on it.
Staff are not punished for clicking on the fake scam emails, but those who identify emails as malicious are rewarded.
He would not say how many scams the company has caught but said there were a lot going on all the time.
"These campaigns are running by adversaries all the time."
Last week’s global WannaCry scam was just the latest cyber attack, and Knowles said and it served as a reminder for companies and individuals to be aware of the risks.
Knowles said another reason the company was training its staff to recognise scams was to help make people safer at home which also protected the company - due the number of people that brought devices such as phones and tablets into and out of the office each day.
The insurer is also not alone in using fake email scams on its staff.
"I know some of the banks do," said Knowles.
He said corporates were also sharing scam warnings with each other, despite their competitive nature.
"We do talk to each other. It is the good guys versus the bad."