1 in 3 Michigan Workers Tested Opened A Password-Phishing Email (go.com)
An anonymous reader quotes the AP:
Michigan auditors who conducted a fake "phishing" attack on 5,000 randomly selected state employees said Friday that nearly one-third opened the email, a quarter clicked on the link and almost one-fifth entered their user ID and password. The covert operation was done as part of an audit that uncovered weaknesses in the state government's computer network, including that not all workers are required to participate in cybersecurity awareness training... Auditors made 14 findings, including five that are "material" -- the most serious. They range from inadequate management of firewalls to insufficient processes to confirm if only authorized devices are connected to the network. "Unauthorized devices may not meet the state's requirements, increasing the risk of compromise or infection of the network," the audit said.
I've got the sender and subject visible to me, if they look legit of course I'm gonna open it. I don't click links unless it's something like a new website setup or lost password reset or somesuch where I'm expecting a message. I never enter logins nor passwords to links I get in email.
In other words, opening the email isn't (err, shouldn't be) the problem. It's what you do after that that's the problem.
Then again, I don't use Outlook so opening the email isn't all that hazardous to me.
1/3 opened the email? That means that 2/3 don't read their email.
You can't tell if it's a phish just by the subject line and the displayed sender name; you have to at least check the sender email address, path headers and link HTML to make an informed decision.
There is no technical solution for user awareness.
Sure, you can verify senders... then you only get spam from compromised hosts, or free relays/mass-mailers, or any other way that attackers are increasingly using to get around such things.
You can mangle unrecognized URLs... but then your users complain that their legitimate emails from partners and vendors aren't getting through properly (especially when they just signed the contract), and it still doesn't help when the attackers use bit.ly and other common services to hide.
Once all that has failed, you're still relying on end users to not click links... but if you sold your boss on this "simple basics" security checkbox, you suddenly realize that you never got funding for a user-education course, and that targeted phishing campaign is now wildly successful and claiming victims across your enterprise.
Sure, go ahead and include all of that technical wizardry, and it will indeed reduce your exposure, but please don't spread the myth that a technical barrier is a one-step fix for email security problems. Users are the last bastion of a defense-in-depth solution, which is also one of those "simple basic" concepts.
You do not have a moral or legal right to do absolutely anything you want.
The 1/5 entering their password into the website is the buried lead IMHO. That's absolutely ridiculous.
I read the internet for the articles.
We had courses at my workplace. Things to look for include mis-spelt words, links that didn't use https and/or moved to a different domain from the sender. Which makes me ask: why couldn't an email filter pick this up?
That's also my question.
How often do corporations of any size use spoofed headers for business emails? They do that for their newsletters, advertisements, email surveys and crap, yes, but not for invoices and person-to-person communications.
I wish our email client had a configuration to flag to the user "This email's sender does not match the actual origination." As well as "This email appears to have originated in Bulgaria". If we actually had a vendor in Bulgaria, the people who handled that account would already know who that was and could continue, but a clerk at the front desk would have gotten a clear warning.
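Several posters above ask why a mail filter cannot flag the things a careful reader checks by hand: a display name claiming a domain the real sender address does not have, a bounce address from a third domain, links that leave the sender's domain or drop https, and link text that names a different host than the href. The script below is an added example, not code from the article or any commenter; it assumes a constructed message whose domains are all placeholders, and its anchor extraction is a regex simplification of what a real filter would do with an HTML parser.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not from the article); every domain is a placeholder.
SAMPLE = """\
From: "helpdesk@example-state.gov" <alerts@mail-relay.example.net>
Return-Path: <bounce@bulk-sender.example>
Content-Type: text/html

Your password expires today.
<a href="http://example-state.gov.reset-portal.example/login">https://portal.example-state.gov/reset</a>
"""

# Good-enough anchor extraction for a demo; a production filter should use a real HTML parser.
LINK_RE = re.compile(r'<a\s[^>]*?href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}")
def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def same_org(host, sender):
    return bool(sender) and (host == sender or host.endswith("." + sender))

def phishing_flags(raw):
    """Return heuristic warnings for one RFC 5322 message (empty list = nothing odd)."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    sender, flags = domain_of(addr), []
    # 1. Display name claims a domain the real sender address does not belong to.
    for claimed in DOMAIN_RE.findall(name.lower()):
        if not same_org(claimed, sender):
            flags.append(f"display name claims {claimed}, real sender is {sender}")
    # 2. Bounce address (Return-Path) belongs to a different domain than From.
    bounce = domain_of(parseaddr(str(msg.get("Return-Path", "")))[1])
    if bounce and bounce != sender:
        flags.append(f"return-path {bounce} != sender {sender}")
    # 3. Links: plain http, outside the sender's domain, or visible text naming another host.
    body = msg.get_body(preferencelist=("html",))
    for href, text in LINK_RE.findall(body.get_content() if body else ""):
        host = (urlparse(href).hostname or "").lower()
        if urlparse(href).scheme != "https":
            flags.append(f"non-https link {href}")
        if not same_org(host, sender):
            flags.append(f"link host {host} is outside sender domain {sender}")
        shown = (urlparse(re.sub(r"<[^>]+>", "", text).strip()).hostname or "").lower()
        if shown and shown != host:
            flags.append(f"link text shows {shown} but points at {host}")
    return flags
```

Running `phishing_flags(SAMPLE)` yields five warnings for the constructed message; a message whose display name, bounce address and links all stay within the sender's domain over https yields none.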