Congrats! You’re getting a raise. That’s the email Atlantic Health System, which runs five hospitals in New Jersey, sent out to its workers recently.
They were told that to get their next paycheck, all they had to do was click a link, then enter their employee ID number, date of birth, and home ZIP code.
Roughly one quarter of the 5,000 employees opened it, and two thirds of them went on to provide the information.
Joke’s on you, suckers: It turned out to be a computer security test run by Atlantic on its own employees, to see how many got duped.
Now these working stiffs can thank their bosses for a free educational exercise in how easy it is to become the victim of a phishing attack!
Hope there’s no hard feelings. The goal of any good phishing test, after all, is to elicit an emotional response strong enough to override a worker’s caution, a security expert with the Austin-based firm that ran this test for Atlantic Health says.
Kevin Lenahan, Atlantic Health’s chief financial and administrative officer, explained in a follow-up email to all employees that since cybercriminals are getting more slick, Atlantic also had to.
“We took measures to ensure that the fabricated phishing emails looked authentic,” he said.
Let’s send another email to make sure he and other Atlantic Health executives are using best practices, too:
“The U.S. Attorney’s Office for the District of New Jersey, the Department of Justice’s Civil Division and the Office of Inspector General of the Department of Health and Human Services are re-opening an investigation into members of your hospital system for over-billing Medicare. To view the allegations, click on this link.”