On November 22 last year, Malmö City sent out the fake email via an auditing firm. The test was designed as a so-called phishing attack, where the hackers' goal is to gain access to login information, and the employees were prompted to click on a link in the email.
The recipients usually have 72 hours to respond, but the simulated IT attack had to be stopped after only 27 hours. By then, a total of 32 percent of the employees – over 1,121 people – had clicked on the link in the email, according to figures obtained by Sydsvenskan.
This happened despite the city's IT support, which was not aware that it was a test, having issued a warning on the intranet.
The goal in similar tests is for fewer than five percent of the employees to fall into the trap, and the average for Swedish municipalities is around 15 percent, according to the newspaper.
"It's remarkable. Even ten percent is remarkable. All organizations and companies should be below three percent," Jan Olsson, criminal commissioner at the police's national IT crime center, tells Sydsvenskan.