We use cookies to improve your online experience. Full details about our use of cookies can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies.

Allow Cookies
Disallow Cookies

Diary of an identity theft victim

Download:  Diary of an identity theft victim case study (PDF, 540KB)

 

The Security Company (TSC) delivered a communications campaign to encourage Colt Technology Services employees to be cautious online. This supported Colt's commitment to online security and the desire to raise awareness of advanced persistent threats.

 

This campaign won the 2012 IoIC Central Region Writing Award.

 

Background

 

Following the heavily reported increase in Advanced Persistent Threat attacks witnessed during 2011, against a number of high profile companies Colt decided to test how prepared it would be if it was similarly targeted. Colt commissioned a trusted third-party to carry out an APT attack against it over an eight week period. One of the more interesting findings of the test was that whilst employees knew not to trust unsolicited communications from third-parties, this level of distrust lowered over time following e-mail conversations. This had the potential to expose employees to targeted phising attacks.

 

Objectives

 

  • To tackle any 'false trust' amongst Colt employees
  • To reiterate the message that electronic communications cannot be guaranteed to be genuine
  • To encourage employees to think before they click
  • To address the following topics:

    • Secure passwords
    • Phishing attacks
    • Computer viruses
    • Loose talk/Disclosing information on social networks
    • Social engineering
    • ID theft

 

Delivery

 

Colt commissioned a third party to create two characters, a victim and a social engineer. The characters had no obvious differentiators (gender, culture, etc.) to show that anyone can appear trustworthy.

 

The characters inspired the development of the 'Diary of an identity theft victim'. Four diary entries detailed a typical day's events in which the author puts their personal and company information at risk online via social networks. The final instalment focussed on the consequences of the victim's insecure actions. The campaign was delivered on a weekly basis via the Security Portal site, supported by an email that linked through to the campaign.

 

The challenges

 

The original brief required a formal tone of voice to illustrate a business diary, written from a woman's point of view. Reconsidering the objective to encourage secure behaviour at home and at work and the requirement to engage a predominantly male workforce, the brief was amended and the character was determined as male.

 

It was important to retain the reader's interest and urge them to spot the victim's mistakes using their judgement. Each diary entry included a link to more information detailing the behaviour that lead to the victim having their identity stolen and offering advice on how to avoid the same situation.

 

The outcome

 

Site hits allowed us to measure the success of this campaign. During the month the campaign was delivered, unique user visits to the Security Portal increased by 236%. In addition, a maximum of 84% of recipients opened the emails used to promote the campaign.