Out-of-control Army phishing test results in new guidelines
On the bright side, recipients didn't click on a fake link or submit their personal information.
Army commanders who want to run phishing simulations on their staffs will now have to get approval first, after an email phishing test went awry last month, prompting a small group of recipients to forward the email to thousands of government coworkers.
The commander originally intended to test how easily his staff would fall for phishing scams, sending a fake email to fewer than 100 recipients that warned their 401k Thrift Savings Plan (TSP) retirement accounts had been compromised and asked them to reset their passwords.
Many of the original recipients then decided to warn coworkers by forwarding the email. Eventually, thousands of staff across multiple government agencies, including the DOD, FBI, CBP, and the Labor Department, received the emails.
“This is people’s nest eggs, their hard-earned savings,” an anonymous official told the Washington Post, which first reported the incident. “When you started hearing TSP of all things, the rumor mill ran rampant.”
The Thrift Savings Plan agency, which manages the actual 401k accounts for federal workers, was inundated with worried phone calls and was furious that its official brand had been used in the email.
“While I can see how that particular test served the interests of the Department of Defense,” executive director Greg Long said, “that’s not my concern. Anything that causes our participants to question whether their account is safe and secure damages our interest.”
Three weeks later, the Army was able to trace the email back to the unidentified commander, who explained that it was a phishing test that had spun out of control. Officials have decided not to discipline the commander because there are no official rules or guidelines in place that dictate how tests such as these should be run. But future phishing tests will have to be approved by the Chief Information Office.
“This exercise committed every cardinal sin of simulated phishing by lacking defined goals, failing to consider the ramifications the email could have, failing to communicate to all potentially involved parties, and perhaps abusing trademarks/trade dress or copyrighted material,” said Aaron Higbee, CTO and founder of phishing test outfit PhishMe, as reported by TechWorld.
However, the test did prove one thing: despite the embarrassment caused by the unsanctioned exercise, the federal government can say that no one clicked through to the fake website and that no personal or account information was compromised.
Even official phishing drills don’t always go so well. In one extreme case reported by GCN, up to 60 percent of employees still clicked on the email and up to 30 percent actually entered their information, despite advance warning of the time, content, and purpose of the test emails.
Other methods have also demonstrated security weaknesses. A penetration test conducted by the Homeland Security Department in 2011 deliberately placed USB flash drives and data disks in federal agency and contractor parking lots; 60 percent of those devices were picked up by employees and inserted into agency or company computers. An official logo on the device increased the insertion rate to 90 percent.
Human behavior is almost always the weakest part of any security architecture.
“There is no device known to mankind that prevents people from being idiots,” said Ray Bryant, CEO of network security firm Idappcom.