- January 4, 2021
IT departments sometimes try to trick their organizations' non-tech staff members: To improve awareness of phishing attempts, the department may send a mock phishing email to organization employees to see who's unwary enough to click an embedded link.
"There are a lot better ways to run a phishing test than using Covid vaccination requirements as an excuse."
— ED DANKO, city councilman
The city of Palm Coast's IT department did that this week, sending out an email telling recipients that the county had new requirements for tracking COVID vaccinations, and that recipients must click a link to complete a form.
City Councilman Ed Danko thought the test inappropriate.
"Under the circumstances and present environment, in my opinion this is an unacceptable test on the part of our IT department," Danko wrote in an email to Interim City Manager Denise Bevan. "Using the county as an excuse makes this even worse. There are a lot better ways to run a phishing test than using Covid vaccination requirements as an excuse. This ill-advised exercise only adds to the lack of trust of government by the public."
The email was sent from a city HR department email address to recipients with a city government email account.
"Phishing emails often create a sense of urgency to try and get recipients to take the desired action, and our simulation is in an attempt to recreate this experience."
— DOUG AKINS, city of Palm Coast IT director
It cited "new and strict requirements from the county with regards to tracking Covid vaccinations" and stated, "All employees are required to complete the Covid vaccinations form and return it to HR as soon as possible," with instructions to complete the form by the end of the day. A link followed.
Danko had asked city staff if the email was spam, and, after being told that it was, suggested that the IT Department inform other staff members so that they wouldn't click the link.
IT Director Doug Akins replied that IT would typically do so, but then explained that the email had actually been initiated by IT. People who clicked the link were taken to a page with text stating that the email was a test and explaining how to identify phishing emails.
The email was sent through a third-party software service and was designed to teach recipients about cyber security and help protect the city's infrastructure, Akins said in a statement emailed to the Palm Coast Observer.
"The email is meant to be enticing and attractive in order to prompt the end-user to make a decision on whether or not to click on the link," he said. "... The goal is to help us understand where we may need to do a better job at training employees on how to recognize when an email may be a phishing or virus attempt."
The third-party software company, called KnowBe4, offers a library of phishing test email topics for clients to choose from, city Director of Public Information & Engagement Brittany Kershaw said.
The test email didn't send properly — landing in about 200 inboxes rather than all city email accounts' inboxes — so the city canceled the test and therefore did not receive data on what percentage of recipients had clicked the link, Kershaw said.