Report: USPS Workers Vulnerable to Phishing Scams
Test Shows Many Workers Still Click on Bad Links
Less than a year after the United States Postal Service revealed that hackers breached agency computers, many Postal Service employees continue to click on phishing messages that contain false links, according to an inspector general report.
Hackers often use legitimate-looking phishing emails to trick recipients into clicking on links that download malware or lead to pages asking for their online credentials, paving the way to a breach.
In conducting its investigation, the U.S. Postal Service inspector general sent emails containing false links to 3,125 Postal Service employees; 93 percent of them failed to report the test phishing messages to the USPS Computer Incident Response Team, as policy requires. One-quarter of the employees receiving the test emails clicked on the link, and only 10 percent of those who clicked reported the messages. Citing fiscal year 2014 training records, the IG says only 4 percent of the employees in its test sample had completed information security awareness training.
Lack of Awareness Training
The IG blames the poor showing in its phishing test on the lack of IT security awareness training provided by the USPS.
Until the past fiscal year, Postal Service policy did not require all employees with network access to complete the annual information security awareness training. Awareness training was available to all employees with network access, but only employees working in the office of the chief information officer and new hires were required by policy to complete the annual training.
"When management does not require all employees with network access to take information security awareness training that includes how to respond to security threats, users are less likely to appropriately respond to threats," Michael Thompson, acting deputy assistant inspector general for technology, investment and cost, says in the audit report.
The Postal Service took exception to the IG's conclusions, noting that in fiscal year 2015 - which ended on Sept. 30 - it launched a program, known as CyberSafe at USPS, to provide awareness training for all of its employees and contractors with network access.
Results Not Unusual?
Greg Crabb, CISO at USPS, says in a written response to the audit that the 25 percent click rate was in line with industry benchmarks for similar companies that just launched an awareness campaign.
Crabb also disputes the IG's portrayal of the reporting as a 93 percent failure. "Even with 7 percent of employees reporting, USPS received over 100 reports of the phishing trap within the first hour," he says. "These reports would have been sufficient for us to execute our phishing defenses to protect the network."
Requiring thousands of employees to notify security managers that they received phishing emails could overwhelm a computer response team. "If thousands of people are reporting to you every day about every phish they saw, even if you automate a good bit of that, it's a significant effort to try to keep track of that," says Eric Johnson, a Vanderbilt University business professor who studies the impact of spear phishing on businesses.
Even without reporting each phishing message received, alerting employees to the phishing problem through awareness training pays off, the IG maintains, citing a 2014 study from the IT research firm Aberdeen Group that contends information security awareness training could reduce security-related risks by up to 70 percent.
Begs to Be Clicked
But Johnson says his research shows that such awareness training is generally ineffective (see Why Training Doesn't Mitigate Phishing). "There's something about a link that just begs to be clicked," Johnson says. "I think we're all in a hurry, and if it's remotely intriguing, people just click."
Organizations offering awareness training could also be sending mixed messages to employees, Johnson says. That's because employees are discouraged from clicking on links in email received from outside the enterprise, yet they routinely receive messages from other internal departments that contain links. "You can create some general awareness, but if people are clicking as part of their regular job, having them become detectives and try to figure out the difference of a deceptive one and a real one, that's hard," he says.
Phishing Test Results by Job Function
Johnson says a look at the phishing test results by job function suggests that older and less tech-experienced users were more likely to click on links in test phishing emails than younger and IT-savvy users. He surmises that older workers are more likely to be represented in job functions such as administration and management, while younger, tech-aware staff work in IT or as contractors.
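The figures quoted throughout this article (click rate, the 93 percent who did not report, the 10 percent of clickers who did, the reports received within the first hour, and the breakdown by job function) are the standard outputs of a phishing-simulation tally. The following Python script is an added example, not code from the IG, USPS or the article, that computes those metrics from a constructed list of recipient records; the job-function labels and the timings are invented for illustration and are not the IG's data.

```python
"""Tally the outcome of a simulated phishing campaign.

Constructed example data, not USPS data: each record is one recipient of the
test email, with a (hypothetical) job-function label, whether they clicked the
link, and the minutes after send at which they reported it (None = never).
"""
from collections import defaultdict
from typing import NamedTuple, Optional


class Recipient(NamedTuple):
    job_function: str
    clicked: bool
    reported_after_min: Optional[int]  # None if the message was never reported


# Constructed sample data (hypothetical labels and timings, for illustration only)
SAMPLE = [
    Recipient("administration", True, None),
    Recipient("administration", True, None),
    Recipient("administration", False, None),
    Recipient("administration", True, 45),
    Recipient("management", True, None),
    Recipient("management", False, None),
    Recipient("management", False, 120),
    Recipient("information technology", False, 5),
    Recipient("information technology", False, None),
    Recipient("information technology", False, 30),
    Recipient("contractor", False, None),
    Recipient("contractor", True, 15),
]


def rate(part: int, whole: int) -> float:
    """Percentage rounded to one decimal; 0.0 when the denominator is empty."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def summarize(recipients, window_min: int = 60) -> dict:
    """Campaign-level metrics: click rate, report rates, and early reports.

    `window_min` is the window (minutes after send) within which reports are
    counted as 'early' enough to trigger a response; 60 mirrors the first-hour
    figure discussed above.
    """
    total = len(recipients)
    clickers = [r for r in recipients if r.clicked]
    reporters = [r for r in recipients if r.reported_after_min is not None]
    clicked_and_reported = [r for r in clickers if r.reported_after_min is not None]
    early_reports = [r for r in reporters if r.reported_after_min <= window_min]
    first_report = min((r.reported_after_min for r in reporters), default=None)
    return {
        "sent": total,
        "click_rate_pct": rate(len(clickers), total),
        "report_rate_pct": rate(len(reporters), total),
        "non_report_rate_pct": rate(total - len(reporters), total),
        # Share of those who clicked and still reported the message afterwards
        "clicker_report_rate_pct": rate(len(clicked_and_reported), len(clickers)),
        "reports_within_window": len(early_reports),
        "minutes_to_first_report": first_report,
    }


def by_job_function(recipients) -> dict:
    """Per-job-function sample size and click rate."""
    groups = defaultdict(list)
    for r in recipients:
        groups[r.job_function].append(r)
    return {
        fn: {"sent": len(rs), "click_rate_pct": rate(sum(r.clicked for r in rs), len(rs))}
        for fn, rs in groups.items()
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
    for fn, stats in sorted(by_job_function(SAMPLE).items(), key=lambda kv: -kv[1]["click_rate_pct"]):
        print(f"{fn}: {stats}")
```

Note that `non_report_rate_pct` and `report_rate_pct` are complements of each other, and that `clicker_report_rate_pct` is computed over clickers only; the article's 93 percent and 10 percent figures are the first and third of those, respectively, so they are not comparable to each other.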