Would you click for a free gift? Businesses phish their own workers.

The email arrived mid-morning, a few weeks before Christmas, bearing good tidings to all.

The subject line: Announcing Holiday Gifts.

The sender: Jennifer Miller, at

“A Gift for You,” Jennifer’s email said. “All WakeMed employees and contractors are eligible for a holiday gift. Please using the link below to claim your gift!”

It was among the thousands of surprise emails that land in employee in-boxes throughout the region on a clockwork timetable, offering something for free or requiring an urgent response from a bank or government agency. These time-sensitive messages are crafted and sent to workers by the companies themselves, often mimicking suspicious email trapped in spam filters, to see how many employees are caught off-guard and potentially vulnerable to data breaches.

Data security experts say that large organizations routinely spam their own employees to test their systems for human vulnerability. Several North Carolina employers described the process to The N&O and explained the rationale behind it, including Charlotte-based power company Duke Energy and UNC Health Care, based in Chapel Hill, Novant Health in Winston-Salem and Atrium Health in Charlotte.

The companies stressed their intention is not to embarrass or punish the employees, but to make sure they are properly trained in data security precautions. Workers who fall for the ploy are required to take online training or participate in some other activity to hone their skills.

Charlotte-based Atrium is currently running a phishing campaign that will take several weeks to complete, said Todd Greene, Atrium’s assistant vice-president and chief information security officer. Atrium, which employs 65,000 people, launches two or three internal phishing attacks a year as part of the hospital system’s preparedness strategy.

“We’ve actually created three separate emails that we’re sending out,” Greene said. “A certain amount of people are going to fail.”

The Triangle is home to scores of businesses with sensitive data that can be resold on the black market for identity theft or to disrupt normal business functions. The organizations include health insurers, hospital systems, electric utilities, software companies and financial companies, as well as research institutes and universities that hold millions of dollars of federal contracts with U.S. agencies.

They are targeted by phishing attacks on a nonstop basis, but most of these electronic invaders are caught in spam filters. At UNC Health Care in Chapel Hill, which employs 30,000 people statewide, about 91.5 million suspicious emails are examined by the internal security system every quarter and approximately 90 percent of that traffic is blocked, said Jeri Williams, UNC’s chief audit and compliance officer.

That still means that millions of suspicious emails get through. In addition, UNC Health Care sends out about 3,000 fake phishing attacks a month, or 36,000 a year, to keep employees on their toes, said chief information officer Tracy Parham.

“We’re purposefully trying to trick you to do something,” Parham said. “There are industry tools to help you come up with ways to trick folks.”

Opening the email on your screen is generally not hazardous, cyber-security officials say. But employees venture into a danger zone when they click on links or download attachments in a phishing email, and it’s at this point that WakeMed and others will flag that employee for extra training.

Once in a system, hostile software from an outside source can steal intellectual property, use a powerful system to launch phishing attacks, or siphon off a network’s computing power for data mining of crypto-currency transactions.

Phishing attacks are the most common techniques used to obtain credit card numbers, passwords, addresses, birth dates and other data that is sensitive or could be used to access sensitive information.

And the data breaches are vast in number. Health care organizations are required to report data breaches affecting 500 people or more. Since Jan. 1, 2018, a total of 416 breaches have been reported around the country, averaging more than one a day, including five in North Carolina.

The reported breaches included unauthorized access or disclosure at Durham-based Blue Cross and Blue Shield, affecting 631 individuals, and a similar breach at Carolina Digestive Health Associates, affecting 10,988 people. The largest breach in North Carolina was also the largest in the United States, an attack against medical billing vendor AccuDoc Solutions that compromised the personal information of some 2.6 million patients of Atrium Health, according to an online list maintained by the U.S. Department of Health and Human Services.

Atrium said the data was accessed last October but not downloaded by the cyber-attackers, so the personal information can’t be resold on the black market.

One of the better-known sources on recent data breaches is the 2018 Data Breach Investigations Report, based on data from nearly 70 agencies security firms and and issued by Verizon. The latest report cites 53,308 security incidents, including 2,216 data breaches, in 65 countries last year. More than two-thirds of the incidents went undiscovered for months, according to the report.

At WakeMed Health & Hospitals, the Christmas gift offer was sent to all 9,600 employees on Dec. 4 at 10:08 a.m. One clue that the message was fishy was the clumsy grammatical error: “Please using the link...”

Sloppy grammar is one of the weaknesses of cyber-thieves, and a clue that your email is not friendly.

Most of WakeMed’s health care workers in Raleigh, Cary and other parts of Wake County knew better than to claim their gift, according to company officials. But hundreds did click on the link, in violation of WakeMed’s warnings against opening unfamiliar and suspicious emails.

They received the following surprise, from management:

“The latest WakeMed phishing attack — which occurred in early December — caught YOU hook line and sinker,” according to a Jan. 2 email from WakeMed’s Integrity and Compliance Office.

“What does that mean?” the WakMed email continued. “It means you clicked on a link associated with a phishing attempt. This particular attempt came from a WakeMed email account and asked recipients to provide their credentials to receive a ‘free gift.’ ”

The Dec. 4 phishing email and Jan. 2 follow-up from management were provided to The N&O by a WakeMed employee who was fooled by the gift offer and did not want to be publicly identified. WakeMed confirmed both emails.

WakeMed tests employees between four and six times a year, and on any given test between 3 and 9 percent will inappropriately volunteer passwords, logons and other personal information, said Peter Marks, WakeMed’s chief information officer.

Those employees are none too happy about getting outed.

“Everyone is uniformly embarrassed, upset,” said WakeMed’s chief compliance officer, Ted Lotchin. “Not about the phishing experiment, but about the fact that they clicked and gave up their credentials.”

Employee vigilance required

Phishing emails aren’t the only cyber security risks.

Employees could also be vulnerable to corrupted USB flash drives left in public places by rogue actors. Many employers don’t allow the use of unauthorized thumb drives on company computers.

Another cyber-crime strategy is digitally infiltrating large organizations through their vendors and contractors, and then using those friendly avenues to transmit malware and ransomware, two common types of software that can wreak havoc with computer networks, to the targeted organization.

John Murawski covers health care and environmental issues and has won numerous awards from the N.C. Press Association for his news coverage as well as his book reviews. He has previously worked as a journalist in South Florida, the Philadelphia area and Washington, D.C. He attended Virginia Commonwealth University and Indiana University, and has taken classes at Veracruz University (in Mexico) and the Jagiellonian University (in Poland). He can be reached at or 919-829-8932.