GitLab runs phishing test against employees – and 20% handed over credentials

There’s always a lot of talk in cybersecurity about the importance of training employees to be aware of phishing attempts. Training does work, but it’s not a panacea: the reality is that there will always be employees who get tricked, even with training.

This article first appeared on Silicon Angle.

Although there are various industry estimates, code repository management firm GitLab Inc. decided to phish its own employees to see what would happen. The result was not good: one in five employees fell for the fake emails.

The exercise, announced Wednesday, involved GitLab emulating a phishing campaign against its own employees with the intent of capturing credentials. Defenses such as multifactor authentication were not considered part of the test; the fake phishing attack was designed to mimic a basic attack concentrating on primary authentication credentials via a fake login page.

The GitLab team behind the exercise purchased the domain name, then used G Suite to facilitate the delivery of the phishing email. The domain name and G Suite services were set up to look legitimate, complete with SSL certificates to make the emails look less suspicious to automated phishing site detection and human inspection.

Fifty GitLab employees were targeted with an email that asked them to click on a link to accept an upgrade. The link took them to the fake website where they were asked to enter their login details.

On the positive side, only 17 of the 50 targeted employees clicked on the provided link. However, 10 of those 17 then attempted to log in on the fake site. Those who logged in on the fake site were then redirected to the phishing test section of the GitLab Handbook.

Six of the 50 employees who received the fake phishing email reported the email as suspicious to GitLab’s security operations team.

The 20% figure is roughly on par with broader industry expectations. The Verizon 2030 Data Breach Investigations Report released earlier this week found that phishing was involved in nearly one-quarter of breaches.

“Phishing is a great example of something that cannot be fully prevented,” Chris Rothe, co-founder and chief product officer at threat detection firm Red Canary Inc., told SiliconANGLE. “Because email is a critical business function, it has to be optimized for its business function and not security in most cases. There are many strategies IT teams can use to reduce the number of successful phishing attackers — email blocking, stripping and analyzing attachments, awareness training — but there is no 100% solution.”