A security test by the Canada Revenue Agency found thousands of its employees could not resist the lure of a phony e-mail phishing scam, a discovery that suggests vulnerabilities remain at the agency more than a year after it was rocked by a major online security breach.
The Globe and Mail has learned that over the first three months of this year, the agency's security and internal-affairs division sent 16,000 employees an e-mail designed to replicate the potentially dangerous messages that are common to anyone with an e-mail account.
A phishing scam usually involves an e-mail that encourages a user to click on a link or open an attachment; the link typically leads to a look-alike page that harvests the user's password, or to a download that exposes the user's computer to malicious software.
In the CRA's test, 78 per cent of employees did not click on the link in the simulated phishing e-mail. That still means roughly 3,500 of the 16,000 employees did fall for the scam, even though they had been informed ahead of time that the test would take place.
Last year, the CRA was forced to delay the tax-filing deadline because its network was exposed to the Heartbleed bug, a flaw in the OpenSSL encryption library that let anyone read chunks of a vulnerable server's memory, and with it data that the encryption was supposed to protect. A computer-science student in London, Ont., is facing several charges for exploiting the bug to access sensitive information.
The CRA did not provide a sample of the phishing e-mail. The agency said it was presented as if it came from an internal source, but included clues such as contradictory information that were meant to raise doubt as to the message's true origin.
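As an added illustration (the CRA's own e-mail was not released, and this is not the agency's code), the following Python checks a constructed message for the kind of contradictory clues the agency describes: a Reply-To address on a different domain from the From address, and link text that shows one host while the underlying href points at another. The internal domain example.gc.ca, the external domain example-gc-support.net and both sample messages are assumptions made for the example.

```python
"""Flag the 'contradictory information' clues a simulated (or real) phish
tends to carry: an internal-looking sender whose Reply-To or links point
somewhere else.

Added example, not the CRA's simulation e-mail. Every domain and both
sample messages below are constructed for illustration."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.gc.ca"  # assumption: the organisation's own mail domain

# Constructed sample: looks internal, but Reply-To and the link disagree.
PHISH_SAMPLE = b"""From: "IT Service Desk" <servicedesk@example.gc.ca>
Reply-To: helpdesk@example-gc-support.net
To: employee@example.gc.ca
Subject: Mandatory password reset
Content-Type: text/html; charset=utf-8

<html><body>
<p>Reset your password within 24 hours at
<a href="http://example-gc-support.net/reset">https://intranet.example.gc.ca/reset</a>.</p>
</body></html>
"""

# Constructed sample of a genuinely internal notice, for comparison.
CLEAN_SAMPLE = b"""From: "IT Service Desk" <servicedesk@example.gc.ca>
To: employee@example.gc.ca
Subject: Scheduled maintenance
Content-Type: text/html; charset=utf-8

<html><body><p>See <a href="https://intranet.example.gc.ca/notice">the notice</a>.</p></body></html>
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address header value ('' if none)."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def is_internal(host: str, internal_domain: str) -> bool:
    """True for the internal domain itself or any of its subdomains."""
    return host == internal_domain or host.endswith("." + internal_domain)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_clues(raw: bytes, internal_domain: str = INTERNAL_DOMAIN) -> list:
    """Return human-readable contradictions found in the message (empty if none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    clues = []

    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if not is_internal(from_domain, internal_domain):
        clues.append(f"From address is external: {from_domain}")
    if reply_domain and reply_domain != from_domain:
        clues.append(f"Reply-To domain ({reply_domain}) differs from From ({from_domain})")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = (urlparse(href).hostname or "").lower()
            # Only compare hosts when the visible text itself looks like a URL.
            shown_host = (urlparse(text).hostname or "").lower() if "://" in text else ""
            if shown_host and shown_host != href_host:
                clues.append(f"link text shows {shown_host} but points to {href_host}")
            elif href_host and not is_internal(href_host, internal_domain):
                clues.append(f"link points outside {internal_domain}: {href_host}")
    return clues


if __name__ == "__main__":
    for clue in phishing_clues(PHISH_SAMPLE):
        print("clue:", clue)
```

The checks are deliberately simple header and body comparisons; they catch the planted contradictions a training exercise relies on, not a well-crafted spear-phish whose headers and links are all consistent, which is the point Dr. Skillicorn raises below.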
David Skillicorn, a professor at the Queen's University School of Computing, said it is hard to judge the test results without knowing the quality of the phishing exercise. Dr. Skillicorn said that while many phishing attempts are obviously scams, hackers sometimes create far more convincing e-mails that appear to be coming from trusted colleagues.
"The real test is the sophistication of the e-mail itself," he said. "Without seeing the e-mail, it's really hard to judge whether that [result] was surprising or really quite confidence-building."
Dr. Skillicorn said government departments tend to have security firewalls that would protect the system even when employees click on malicious links. He also noted it can be harder to identify phishing e-mails when users are flipping through their account on their phone.
An internal briefing memo obtained by The Globe through Access to Information shows public-sector unions objected to the test when it was raised in a July 10, 2014, meeting.
"The unions' main concern was that employees will not perform well on the simulation exercise, resulting in negative media coverage, which would have an impact on the morale of CRA employees," states the Aug. 5, 2014, briefing note to the CRA commissioner.
The memo states that the agency's Information Technology branch "has noticed a significant increase in phishing attacks through the corporate e-mail system" and that "falling victim to a phishing scam could result in unauthorized disclosure of information, loss of information and/or denial of network service."
Philippe Brideau, a spokesperson for the CRA, said in an e-mail the test will lead to further employee training.
"As a result of this learning exercise, the CRA will continue to implement improved security awareness and training, which includes e-mail phishing and cybersecurity," he said. "Please note there was never a risk to taxpayer information throughout the exercise. The CRA's systems are safe and secure."
An international survey released Wednesday by the Computing Technology Industry Association found 65 per cent of Canadian executives surveyed said the cybersecurity threat is increasing. Nearly half of the Canadian respondents – representing 125 people out of the total survey of 1,507 business and IT executives – said human error is a growing factor in security incidents, including failing to follow security procedures and failure of staff to get up to speed with new threats.