More than 3,000 government staff arrived at work Thursday morning to find a curious and troubling email in their inboxes.
The message was a summons to appear in traffic court in Cayman Brac for the “hearing of your case.”
To most of the recipients, the message made no sense. Some of them had not been to the Brac for years, and most had no ongoing traffic case they were aware of.
The email appeared official and many of them called the District Administration office in Cayman Brac or the courts’ office in Grand Cayman to find out what was going on.
Initially, the court staff were equally baffled, though they were later apprised of the situation.
In fact, the system had not been hacked or fallen victim to a phishing attack. The emails were part of an elaborate internal training exercise to instill vigilance in government employees in recognizing potential cyberthreats.
Ian Tibbetts, Cayman Islands director of e-government, said careful observers would have noticed a few clues that the email was a fake.
It came from a strange email address, and it contained a couple of spelling errors and unusual instructions, most crucially to download and open a file of attached documents.
He said anyone who opened the file during Thursday’s exercise immediately received a notice alerting them that they had been part of a training drill and was referred to tips on how to spot fake messages and the dangers of downloading unknown files. Those who reported the message were congratulated for detecting a phishing email and responding appropriately.
All staff were informed at the end of the day that they had been part of a training exercise.
He said it was a prepared scenario to test procedures and staff responses in a controlled setting – essentially a fire drill for a cyberattack.
Mr. Tibbetts accepted the mailshot had caused some confusion on Thursday, not least among government employees who feared they were genuinely being summoned to court for something they had not done.
But, he said, it was necessary to create a realistic simulation of the possible threats, which had moved beyond the obvious and generic.
“When cybercriminals are targeting an organization, they tend to be very sophisticated. They study the emails of people within the organization and create realistic messages.”
He said computer systems alone could not protect against cybercrime, and therefore staff training was a key component of government’s approach. Thursday’s test was one part of an ongoing internal training program for all staff, he said.
In some circumstances, it takes only one person to open an attachment for an entire computer server to be compromised.
Police warned in April last year that several Cayman businesses had been hit by a “ransomware” virus scam.
The scam involves computer hackers loading malicious software onto a company’s IT system, encrypting important files and extorting a ransom, to be paid in untraceable Bitcoin digital currency.
Typically the scammers gain access to the system through an emailed attachment, Micho Schumann, an IT expert with KPMG in the Cayman Islands, told the Cayman Compass at the time.
“It may be localized to one PC, or, if the software is more sophisticated, it is able to propagate throughout the network. The more files they are able to encrypt, the more they are able to extort,” said Mr. Schumann.