A KPMG test on the cyber security of New Zealand businesses as part of Connect Smart Week has revealed one in ten Kiwis could fall for a phishing attack.

Phishing attacks are a reality that all organisations have to deal with. Criminal organisations are readily using phishing as an attack method, with attacks occurring with increased frequency and with an increased level of sophistication. The risks are real both in a business environment and in our personal lives.

As part of Connect Smart Week, the KPMG Cyber team undertook a phishing exercise to gain insights into how security aware New Zealanders are. With Connect Smart Week having a theme of “increasing the cyber security awareness and capability of individuals in the workplace”, a phishing exercise to provide a snapshot of how security aware New Zealanders are seemed ideal. 

Thirty five organisations with a total of 8,333 staff agreed to participate in the exercise. The staff were sent an email indicating the organisations had signed up to a password quality checking website, and asking them to go to the website and check the quality of their passwords.

The results were unfortunately not surprising. Of the 8,333 people phishing emails were sent to, 1009 people (12.1%) clicked on the web link in the email, and 702 (8.4%) entered their password into the website. 

The first person entered their password into the website in less than a minute after the phishing emails were sent. “Had the phishing emails been real, that would have meant cyber-criminals would have had the passwords for a significant number of people in every organisation” says Philip Whitmore, KPMG Partner and head of KPMG Cyber. “With many New Zealand organisations still relying upon just username and password for remote access; that would have also meant it was game over for many of the organisations involved” says Whitmore.

The percentage of staff within an organisation that provided their passwords ranged from 1% to 25%.  The size of an organisation did not seem to affect the results, with staff from both small and large organisations falling for the phishing emails.