A security audit at the American Federal Housing Finance Agency found that a third of their employees failed to follow proper protocols when subjected to a fake phishing attack. That’s a major “short circuit between the headphones.” That’s bad as these employees had a specific instructions on what to do when faced with a suspicious email.
Pen tests for phish in the office
The batch of pseudo-phishing emails were sent as part of a scheduled penetration test at the government agency. They had an outside firm distribute a specially-crafted phishing email to 50 employees. The employees were chosen at random from all departments – except IT – where people should presumably know better how to handle a phishing attempt.
However, out of the 50 employees, 34% fell for the phishing message and only 6% reported it to their supervisors. The highly redaced report blacked out a picture of the phishing email and what the 34% specifically did with the email.
This is a critical agency – and one of their 750 employees clicking on ransomware could cause some serious economic waves. The FHFA looks over Fannie Mae and Freddie Mac (where a number of Americans get their home mortgages) and the Federal Home Loan Bank System.
The results were slightly worse than a recent Avira/Statista survey that found 31% of regular employees would open a phishing email – but only 9% of the IT staff would.
Phishing protection starts with you
The pen test results show that a defense against phishing emails has two sides: a technical side – with ways to filter out incoming malware and phishing attempts – and also a human side – with a near-constant need to educate people what to do or not do with suspicious emails.
The penetration test also found other issues at the agency such as out-of-date encryption protocols. However, correcting “short circuits between the headphones” made up two of the final report’s three main points – employee education and further pen testing. Remember, if the email looks odd — use your head and have a good and up-to-date antivirus at hand.
