The results were unexpected: About 90 employees — or 16 percent — clicked on the link.
"All they got was a blue screen on their monitor," Pakutka said. "Then I got a lot of phone calls."
She was surprised at the number who clicked the link.
"A lot of people who don't even use our DMS clicked on it," Pakutka said. "I was hoping for better results. But it's better to find out and know for sure."
Phishing expedition
Hoffman Auto Group in East Hartford, Conn., tested employees' awareness of online security by sending an email that invited workers to click on a link, a tactic sometimes used by cybercriminals.
The phishing simulation gave Hoffman, owned by brothers Jeffrey and Bradley Hoffman, the chance to educate those employees on what to do — and not to do. The exercise was recommended by Kelser Corp., a cybersecurity and information technology consultant hired by the dealership group. Though a security breach had never occurred at Hoffman, which has annual sales of 5,500 new vehicles and 3,000 used vehicles, Pakutka wanted to assess what employees knew.
"We've been in business since 1921, and everything is stored on our networks — sensitive data that needs to be protected," she said. " 'Driven by trust' is our slogan, so it's very important for us to be true to that and keep everyone's information safe, for both our customers and our employees."
Kelser is one of several companies that can help dealership groups stage such tests. More dealers are putting phishing simulations in place as concerns about Internet fraud mount. Some even send simulated phishing emails monthly, using a different purported sender and a different link each time.
If a business hasn't done a test before, as many as 80 percent of employees will click on a bad link and up to 50 percent of those will give up sensitive information, said Matt Kozloski, vice president of professional services at Kelser.
"It's mind-boggling," Kozloski said. "But then again, you have to keep in mind that it's these [cyber] criminals' job to trick employees into doing things they shouldn't do. We actually have someone on our staff that can craft emails that are virtually indistinguishable from a company's real emails."
It's a sobering experience for employees. At Hoffman, they were more embarrassed than mad, Pakutka said.