Teasing state workers with long-promised contract bonuses is a good way to get them to click on a bogus email.
That’s one takeaway from a cybersecurity test a state department carried out on its employees last month that promised them a fast deposit of a $2,500 contract bonus.
All they had to do, the email said, was click a link to “validate their employment” at a website that appeared to be endorsed by Golden 1 Credit Union and state government’s largest union, Service Employees International Union Local 1000.
Dozens of state workers clicked on the link in the 20 minutes after the Housing and Community Development Department first sent the message to its 598 employees, according to documents The Bee obtained through the California Public Records Act.
“I would say this was an effective test,” wrote an information technology employee in a staff e-mail summarizing the test two days after the phishing email was released.
It may have been effective, but it won’t be repeated.
The department erred, according to a review of its test by top state cybersecurity officials, because it did not notify any other state agency about its intent and it used inappropriate imagery to build trust with its targets.
As a result, Housing and Community Development is holding off on new cybersecurity tests while it reviews its procedures. It has apologized to Golden 1 Credit Union and met with union leaders to make amends.
“While making employees aware of phishing scams is important, this particular test was a mistake. It should never have contained references to SEIU and Golden1 Credit Union, and we regret the significant confusion it caused both internally and externally,” department spokeswoman Evan Gerberding said.
The phishing test at the Housing and Community Development Department used logos and images from two organizations that many state workers likely know and trust.
One was SEIU 1000. The email included a photo of union President Yvonne Walker and a portion of a message she sent to union members in December announcing a new contract.
The other was Golden 1 Credit Union, an 800,000-member credit union that courts business with state workers. The cybersecurity test included a message that claimed to be written by credit union President Donna Bland.
During the week of the cybersecurity test, about 95,000 state employees represented by SEIU 1000 were receiving deposits for their contract bonuses.
The Housing and Community Development Department did not consult with SEIU or Golden 1 before sending the message. Golden 1 received calls from state workers and treated their complaints as evidence of a genuine phishing attack, a credit union spokeswoman said last month.
All told, 71 employees clicked on the link and 25 submitted some kind of employment information to the bogus website.
To the team that designed the scam, those clicks exposed a weakness in the department’s cybersecurity training. They suggested certain employees would fall for a phishing message that could open their department to hackers.
The department recommended that they take refresher training on cybersecurity threats.
Eight of them were regarded as especially receptive to phishing messages. The round-up of results suggested they receive “special attention.”
Jerry Jimenez, spokesman for SEIU 1000, declined to comment for this story. A representative from Golden 1 Credit Union did not return a call for comment.
California state government departments sometimes remind employees to be skeptical of emails asking them for personal information.
At a September news conference, State Technology Department Director Amy Tong said her office would encourage departments to offer more cybersecurity training. Her remarks followed a 2015 audit that warned state databases that hold Social Security numbers and tax return data were “vulnerable to unauthorized use, disclosure or disruption.”
In August of last year, the Housing and Community Development Department was the target of a ransomware attack that hindered its operations for a workday. The state Military Department also recently encouraged Housing and Community Development to conduct more frequent exercises to “train staff on the dangers of electronic phishing,” Gerberding said.
The Bee on Monday received documents describing how Housing and Community Development planned the cybersecurity test and subsequent reports assessing its usefulness.
Gerberding released a timeline showing a member of the department’s information technology staff accidentally sent a draft of the message to about 100 employees at 10:44 a.m. on May 8. Rather than recall the message and cancel the test, an information technology supervisor chose to send it to the rest of the department’s employees.
By 11 a.m., state workers began calling Golden 1 Credit Union to report a suspicious email. At 11:08 a.m., a union leader in the department sent union members a message warning them to look for a suspicious email.
At noon, an SEIU representative called to ask for details about the test. At 12:15 p.m., the department announced that the message was part of a cybersecurity test, ending the exercise.
But the trouble did not end there for the department, Golden 1 or state workers.
On Wednesday, May 10, Department Director Ben Metcalf had a meeting with SEIU representatives to review the test and “make sure there were no underlying misunderstandings.”
Later that morning, the State Controller’s Office sent a message to tens of thousands of state workers warning them about a phishing scam. At the time, that office did not know it was responding to an internal exercise. That office, which handles the state’s payroll, also did not receive a notice that Housing and Community Development planned a phishing test that would involve the controller.
On May 18, the state Office of Information Security distributed new guidelines for departments that want to participate in cybersecurity tests. It instructed them to notify the Military Department’s California Cybersecurity Integration Center, the Technology Department and the Office of Information Security at least three days before launching one.
It also asked them to work with known phishing emails, so state workers become familiar with threats they might encounter.
And, it told them to avoid “inappropriate or sensitive materials,” such as union names, contract issues, political themes and commercial trademarks.