Employees at IT services provider Kyndryl regularly hear from their CEO Martin Schroeter. Unfortunately, some of those messages are actually from scammers.
In 2024, Kyndryl has already experienced four separate waves of text-message-based phishing attacks that seek to trick employees into making fraudulent financial transactions. Some of the messages feature a photo of Schroeter in the contact information, in an attempt to make the text appear more authentic. Fraudsters have also taken audio and video from Schroeter’s media interviews and quarterly earnings calls to create deepfake videos and audio messages to send to employees.
“The tactics have changed a bit over time, but it’s still very sophisticated,” says Cory Musselman, Kyndryl’s chief information security officer.
The text-based fraud campaigns that feature Kyndryl’s CEO, known internally as “fake Martin,” first started in 2021 when the company spun out from IBM. But there’s been an acceleration in the pace of attacks and the bad actors have gotten savvier by targeting employees who are more likely to be within Schroeter’s direct orbit.
As is typical with such cyber attacks, the fraudsters often aim to create a sense of urgency when reaching out to Kyndryl employees.
“They are saying, ‘This is highly confidential. Don’t tell anyone about it, but respond immediately,’” says Musselman.
To combat the attempted fraud, Kyndryl has created an employee awareness program that’s informative, but also a little fun. “You can get your cyber education without having to sit through an hour-long, computer-based training course,” says Michael Bradshaw, who served as chief information officer for three years through July, when he became SVP and global leader of applications, data, and artificial intelligence.
There’s still the traditional annual, one-hour training with interactive exercises. But Kyndryl also has a newer program called “cyber scenic route” that lets employees build their own learning curriculum, including watching educational videos that frequently feature C-suite leaders and cybersecurity games inspired by the television game show Family Feud.
Kyndryl also performs its own internal phishing campaigns to keep employees on their toes. The company sends emails to employees, asking them to respond to a supplier invoice or current events, like a link offering swag for the Summer Olympics. The intent is to create realistic, fake messages, with some sense of urgency, to see if employees can spot an incorrect link.
And then there are the “Cyber J's,” two Kyndryl employees who work in the cybersecurity space, whose first names both begin with the letter J. They are mini-celebrities within the company and perform themed skits each month, taking serious cyber-related topics and simplifying them through Saturday Night Live-inspired performances (though “not nearly that good,” Musselman concedes).
Musselman has himself been featured in the content. The cyber team created a deepfake video of him singing to show employees how easy it is for fraudsters to make content that mimics real people. “Do I want to be out in the ether of Kyndryl with a deep fake of me singing songs?” asks Musselman. “No, I don’t. But it kept it fun.”
While helping the workforce understand how to identify a fraud threat is critical in the training, “equally important is step two, which is to tell us,” says Musselman.
Employees can report a suspected scam by sending a Microsoft Teams message, submitting a form, or emailing a group within the security team, which tracks all such reports. When the fraud attempts reach a certain threshold of either volume or sophistication, the cyber team works with the communications department to determine whether a company-wide warning is warranted.
Kyndryl says it hasn’t experienced a financial breach from any of the “fake Martin” attacks. The company also claims employees are reporting phishing scams at four times the technology industry’s average rate, a figure based on a calculation by cybersecurity firm Proofpoint.
Kyndryl has also set up internal guardrails to make it more difficult for fraudsters to exploit digital weaknesses. If a request comes in asking Kyndryl to update a vendor’s banking information, positive confirmation must be received by a designated contact at that vendor to ensure the request is valid. Employees who register a new supplier shouldn’t also be authorized to process payments.
Kyndryl says it and other companies should also take a fresh look at who can make a change to banking account information from a vendor and what barriers are in place to make fraud harder.
“It’s not about slowing down the process,” says Bradshaw. “It’s just making sure that you’ve got the right checks and balances.”
Musselman adds that even with the best processes and tools, at the end of the day, “most breaches come down to human error. We want everybody to be engaged.”
John Kell
Send thoughts or suggestions to CIO Intelligence here.