How IT services provider Kyndryl is making cybersecurity training more fun

By John Kell, Contributing Writer and author of CIO Intelligence

    John Kell is a contributing writer for Fortune and author of Fortune’s CIO Intelligence newsletter.

    Cory Musselman, Kyndryl’s chief information security officer.
    Courtesy of Kyndryl

    Employees at IT services provider Kyndryl regularly hear from their CEO Martin Schroeter. Unfortunately, some of those messages are actually from scammers.

    In 2024, Kyndryl has already experienced four separate waves of text message-based phishing attacks that seek to trick employees into making fraudulent financial transactions. Some of the messages feature a photo of Schroeter in the contact information, in an attempt to make the text appear more authentic. Fraudsters have also taken audio and video from Schroeter’s media interviews and quarterly earnings calls to create deepfake videos and audio messages to send to employees.

    “The tactics have changed a bit over time, but it’s still very sophisticated,” says Cory Musselman, Kyndryl’s chief information security officer.

    The text-based fraud campaigns that feature Kyndryl’s CEO, known internally as “fake Martin,” first started in 2021 when the company spun out from IBM. But there’s been an acceleration in the pace of attacks and the bad actors have gotten savvier by targeting employees who are more likely to be within Schroeter’s direct orbit.

    As is typical with such cyber attacks, the fraudsters often aim to create a sense of urgency when reaching out to Kyndryl employees.

    “They are saying, ‘This is highly confidential. Don’t tell anyone about it, but respond immediately,’” says Musselman.

    To combat the attempted fraud, Kyndryl has created an employee awareness program that’s informative, but also a little fun. “You can get your cyber education without having to sit through an hour-long, computer-based training course,” says Michael Bradshaw, who served as chief information officer for three years through July, when he became SVP and global leader of applications, data, and artificial intelligence. 

    There’s still the traditional annual, one-hour training with interactive exercises. But Kyndryl also has a newer program called “cyber scenic route” that lets employees build their own learning curriculum, including watching educational videos that frequently feature C-suite leaders and cybersecurity games inspired by the television game show Family Feud.

    Kyndryl also performs its own internal phishing campaigns to keep employees on their toes. The company sends emails to employees, asking them to respond to a supplier invoice or current events, like a link offering swag for the Summer Olympics. The intent is to create realistic, fake messages, with some sense of urgency, to see if employees can spot an incorrect link.

    And then there are the “Cyber J’s,” two Kyndryl employees who work in the cybersecurity space, whose first names both begin with the letter J. They are mini-celebrities within the company and perform themed skits each month, taking serious cyber-related topics and simplifying them through Saturday Night Live-inspired performances (though “not nearly that good,” Musselman concedes).

    Musselman has himself been featured in the content. The cyber team created a deepfake video of him singing to show employees how easy it is for fraudsters to make content that mimics real people. “Do I want to be out in the ether of Kyndryl with a deepfake of me singing songs?” asks Musselman. “No, I don’t. But it kept it fun.”

    While helping the workforce understand how to identify a fraud threat is critical in the training, “equally important is step two, which is to tell us,” says Musselman.

    Employees can send Microsoft Teams messages, submit a form, or email a group within the security team that tracks reports from employees. When the fraud attempts reach a certain threshold of either volume or sophistication, the cyber team works with the communications department to determine if a company-wide warning is warranted.

    Kyndryl says it hasn’t experienced a financial breach from any of the “fake Martin” attacks. And the company claims employees are reporting phishing scams at four times the rate of the technology industry’s average, all of which is based on a calculation by cybersecurity firm Proofpoint.

    Kyndryl has also set up internal guardrails to make it more difficult for fraudsters to exploit digital weaknesses. If a request comes in asking Kyndryl to update a vendor’s banking information, positive confirmation must be received by a designated contact at that vendor to ensure the request is valid. Employees who register a new supplier shouldn’t also be authorized to process payments.

    Kyndryl says it and other companies should also take a fresh look at who can make a change to banking account information from a vendor and what barriers are in place to make fraud harder. 

    “It’s not about slowing down the process,” says Bradshaw. “It’s just making sure that you’ve got the right checks and balances.”

    Musselman adds that even with the best processes and tools, at the end of the day, “most breaches come down to human error. We want everybody to be engaged.”

    John Kell


    NEWS PACKETS

    IT unemployment reaches 6%. Joblessness for information-technology workers is at its worst since the Dotcom bubble burst in the early 2000s, Victor Janulaitis, CEO of consulting firm Janco Associates, told the Wall Street Journal. Janco reports that there were 148,000 unemployed IT workers in August, as the boom for AI continues to drastically upend the tech industry. And experts say that recently laid-off IT workers are facing a tough reality check: There’s a misalignment between the skills they have and how much they expect to be paid. Pandemic-era paychecks and IT jobs no longer exist, so job seekers may need to recalibrate their compensation expectations.

    Apple unveils new devices with AI features. Apple’s product event on Monday highlighted the latest version of the iPhones, Apple Watches, and AirPods, pretty standard fare for the tech giant. But much of the focus was on some of the new AI features coming to the iPhone, including AI-generated email summaries and more conversational search functions with Siri. The AI features won’t be available until later this fall, at the soonest, but they are the latest example of generative AI becoming much more widely accessible to consumers even as some employers haven’t yet widely adopted the technology within their own organizations. They may have to play catch up soon: If the technology is readily available at home, employees will want to tap into it more frequently at work too.

    Avis discloses cyberattack impacting customer data. The car rental company publicly disclosed that it discovered intruders in one of the company’s business applications in August, leading Avis to notify hundreds of thousands of customers that their personal information and driver’s license numbers were stolen in the cyberattack. Much about the attack is still unknown: Avis hasn’t fully shared how many individuals were affected and TechCrunch reports that it isn’t yet clear why Avis stored sensitive customer information in a way that allowed it to be compromised.

    Is VR finally having a moment? Companies including United Parcel Service and Walmart are slowly starting to adopt virtual reality headsets, a sign that the technology is seeing a measured pace of adoption after a big hype cycle—and later skepticism—led companies to test, pilot, but eventually pull back on their VR investments. The Journal reports that VR technology is becoming a common tool for workforce training, ranging from hardware maintenance to even cultivating workplace empathy. A minimum six-figure investment is often needed to get started, but the hardware and software have improved for a better user experience, and some companies are able to outsource training content from third parties.

    ADOPTION CURVE

    The mainframe modernization skills gap. While companies are increasingly pivoting to the cloud to store and access data, the decades-old mainframe model is still a core pillar of many IT portfolios, especially for the banking, insurance, and airline industries that still lean on the mainframe for some key data processing.

    Encouragingly, a new report from Kyndryl found that businesses say they are saving $11.9 billion annually on their mainframe modernization initiatives, according to a survey of 500 IT decision-makers. But the study also showed that there's a skills deficit: 18% of business leaders who are integrating the mainframe with other platforms report insufficient expertise as a main challenge. In response, 50% of businesses reporting a skills shortage are aiming to address the issue by hiring or upskilling employees.


    JOBS RADAR

    Hiring:

    - Microsoft is seeking a CTO for the tech giant’s education business, based in New York City. Posted salary range: $154.5K-$299.4K/year.

    - QuantumScape is seeking a CIO, based in San Jose, Calif. Posted salary range: $250K-$330K/year.

    - Morgan Stanley is seeking a VP of wealth management technology, based in Jersey City, N.J. Posted salary range: $169.3K-$200K/year.

    Hired:

    - Papa John’s announced the appointment of Kevin Vasconi as chief digital and technology officer, joining the restaurant chain after most recently serving as CIO for Wendy’s. In his new role, he will oversee customer-facing restaurant and corporate technology, as well as engineering, data analytics, enterprise tech, and information security.

    - Yahoo appointed Valeri Liborski as CTO to lead the company’s global engineering team and focus on innovation, including investments in AI. Liborski brings over two decades of experience, including leadership roles at Microsoft, Amazon, and most recently HelloFresh, where he served as CTO.

    - Freshworks named Murali Swaminathan as CTO, where he will steer the company’s engineering and architecture teams and will report to CEO and president Dennis Woodside. Previously, Swaminathan served as VP of engineering at ServiceNow.

    - Metrolink has appointed Kevin Gray as CTO, where he will drive digital modernization and manage the agency’s day-to-day activities including fare collections, cybersecurity, and network operations. Gray most recently spent six years as CIO for the city of Burbank in California.

    - ID.me appointed Scott Meyer as CTO, joining the identity verification company after most recently working at LinkedIn as distinguished software engineer. He succeeds current CTO and cofounder Tanel Suurhans, who has served in that role since 2014 and will become distinguished engineer.

    - The Imagine Group appointed Mike Lang as CIO, effective immediately, and reporting to CEO Don McKenzie. He will oversee the commercial printing company’s tech strategy, including emerging technology such as AI and cybersecurity. Most recently, Lang was CIO at CommonBond Communities.

    - Rotana named Dominic Carr as CIO, where he will oversee the information system and technology department. Carr initially joined Rotana in 1997 and previously served as corporate VP of technology and customer experience.

    This is the web version of CIO Intelligence, a weekly newsletter on the tech, trends, and news IT leaders need to know.