Government agency finds phishing vulnerability between headphones

A security audit at the American Federal Housing Finance Agency found that a third of its employees failed to follow proper protocols when subjected to a fake phishing attack. That’s a major “short circuit between the headphones,” and it’s bad because these employees had specific instructions on what to do when faced with a suspicious email.

Pen tests for phish in the office

The batch of pseudo-phishing emails was sent as part of a scheduled penetration test at the government agency. The agency had an outside firm distribute a specially-crafted phishing email to 50 employees. The employees were chosen at random from all departments – except IT – where people should presumably know better how to handle a phishing attempt.

However, out of the 50 employees, 34% fell for the phishing message and only 6% reported it to their supervisors. The heavily redacted report blacked out a picture of the phishing email and what the 34% specifically did with it.

This is a critical agency – and one of their 750 employees clicking on ransomware could cause some serious economic waves. The FHFA looks over Fannie Mae and Freddie Mac (where a number of Americans get their home mortgages) and the Federal Home Loan Bank System.

The results were slightly worse than a recent Avira/Statista survey that found 31% of regular employees would open a phishing email – but only 9% of the IT staff would.

Phishing protection starts with you

The pen test results show that a defense against phishing emails has two sides: a technical side – with ways to filter out incoming malware and phishing attempts – and a human side – with a near-constant need to educate people about what to do and what not to do with suspicious emails.

The penetration test also found other issues at the agency such as out-of-date encryption protocols. However, correcting “short circuits between the headphones” made up two of the final report’s three main points – employee education and further pen testing. Remember, if the email looks odd — use your head and have a good and up-to-date antivirus at hand.

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.