1 in 3 Michigan Workers Tested Opened A Password-Phishing Email

An anonymous reader quotes the AP: Michigan auditors who conducted a fake "phishing" attack on 5,000 randomly selected state employees said Friday that nearly one-third opened the email, a quarter clicked on the link and almost one-fifth entered their user ID and password. The covert operation was done as part of an audit that uncovered weaknesses in the state government's computer network, including that not all workers are required to participate in cybersecurity awareness training... Auditors made 14 findings, including five that are "material" -- the most serious. They range from inadequate management of firewalls to insufficient processes to confirm if only authorized devices are connected to the network. "Unauthorized devices may not meet the state's requirements, increasing the risk of compromise or infection of the network," the audit said.

Sounds about right

We have similar results during my companies initial phishing test so I suspect that this result is not uncommon. Sending out training and multiple rounds of phishing test emails (which then require more training if you click) is the ONLY way to bring this number down. The users need to be made as paranoid as possible before clicking ANY links. After a year and a 1/2 we still have a few repeat offenders who still click on the links or enter username/passwords so Multi factor authentication was implemented, but its far far less then we previously had. Posting as AC for obvious reasons.

Re: Sounds about right

We get those at work too. I use them as a convenient excuse to not participate in charity fund raisers that the social committee promotes by email. ("Oh I thought this was phishing")

Re:Sounds about right

[arth1]

Sending out training and multiple rounds of phishing test emails (which then require more training if you click) is the ONLY way to bring this number down.

No, firing and hiring people with a healthier level of suspicion should work too.
Testing gullibility should be part of applicant screening. If the applicant has given an e-mail address, that's one way of testing. During job interviews is another.
Bonuses for those who never fall for phishing could also be a good idea, helping retain those who Get It.

That said, dinging people for "opening" an e-mail is probably not correct. Looking at the e-mail context as plain text is harmless. There's a huge difference between someone using a default web browser as a mail client and someone using a restricted viewer/previewer that neither runs scripts, fetches anything, nor expands embedded content.

Re:Sounds about right

[arth1]

These are state employees, so firing them for incompetence is not an option.

Not hiring gullible people might, though.
People leaving might be slow, but certain. And if bonuses to those who don't fall for such things might help speed attrition.

Re: Sounds about right

[mikael]

Did the same to the debt collection department of my credit card bank who called me up; Indian accent - check, city with high social deprivation - check, telephone number with no SMART id (don't know what SMART is, but if the number doesn't have it, it must be a phishing attempt - check). Just make up some names and numbers and drop the call when they asked for my debit card number. Wouldn't they know that if they were from the bank? Tell them the cheques in the post.

Opening the email is bad?

[Snotnose]

I've got the sender and subject visible to me, if they look legit of course I'm gonna open it. I don't click links unless it's something like a new website setup or lost password reset or somesuch where I'm expecting a message. I never enter logins nor passwords to links I get in email.

In other words, opening the email isn't (err, shouldn't be) the problem. It's what you do after that that's the problem.

Then again, I don't use Outlook so opening the email isn't all that hazardous to me.

Re:Opening the email is bad?

[novakyu]

From TFS: "almost one-fifth entered their user ID and password."

The headline probably should have led with that.

Bad metrics

[lgftsa]

1/3 opened the email? That means that 2/3 don't read their email.

You can't tell if it's a phish just by the subject line and the displayed sender name, you have to at least check the sender email address, path headers and link html to make an informed decision.

Re:Bad metrics

2/3 of slashdot users don't read the article summary.

Re:Bad metrics

[arth1]

I hope they mean that 1/3 opened it in a client that fetched external content or ran a script that connected remotely.

Re:Bad metrics

[sheramil]

You can't tell if it's a phish just by the subject line and the displayed sender name, you have to at least check the sender email address, path headers and link html to make an informed decision.

You'd think so. I got an email from someone claiming to work for the Taxation Office. It looked suspicious so I ignored it. Then I got a phone call from someone with an Indian accent, following up on the email. I hung up on them and checked the number; a couple of websites claimed the number belonged to a group of spammers, and some posts said it was a legitimate number from the Taxation Office - as you might expect. I searched the ATO website and couldn't find the number... I spent a couple of days chasing it up; it turned out it was from the Taxation Office, and they wanted to do a phone audit. When I mentioned the problems I had determining the legitimacy of their inquiry, they didn't seem to care.

Re:Bad metrics

[sheramil]

It was the Australian Tax Office, and my point was, it sure as hell looked like a phishing attempt, but it wasn't.

Re:Bad metrics

[Bert64]

Most email clients don't make it especially simple to show where links are actually pointing, you used to get a statusbar which showed the actual target (in browsers too) but thats uncommon now too. And most users wouldn't know what this meant anyway.

Most mail clients only show you the From: header field, while most mail servers only perform filtering on the envelope from, so its quite easy for someone malicious to bypass filtering and still make it look like the mail came from someone you know. It's not hard to work out email addresses of employees at a company, and work out the job roles of people...If someone receives an email purporting to be from someone senior in the company they're going to open it and probably follow any links within.
Even more so if the company routinely sends out emails with links, users will be used to opening links and potentially entering data into the resulting sites. Many companies get all kinds of employee surveys sent around for instance.

A little research into the target organisation can yield a very high success rate with phishing emails. Even a blatantly obvious scam will usually net some results.

Re:Bad metrics

[thegarbz]

they didn't seem to care.

And yet they corrected that problem anyway. You don't get emails from the Taxation Office anymore. Or rather they moved it. The only correspondence you should get now are via messages posted to you online through the my.gov portal.

Re:Bad metrics

[gtall]

There are two additional problems. Most users wouldn't know how to read the entire email header even were it visible. And checking up on all the dodgy emails? C'mon, who has time to do that?

Re:Bad metrics

[arth1]

And yet they corrected that problem anyway. You don't get emails from the Taxation Office anymore. Or rather they moved it. The only correspondence you should get now are via messages posted to you online through the my.gov portal.

Wot, an arm of the Australian government has hacked my.gov to use it for communicating with their citizens?

Re:Bad metrics

[thegarbz]

Hacked? Wtf are you talking about? My.gov is the official communications portal for government services including tax.

Re:Bad metrics

[arth1]

My.gov is the official communications portal for government services including tax.

I repeat: The GP is in Australia.
 

Re:Bad metrics

[thegarbz]

I repeat: The GP is in Australia.

... and you're repeating yourself why? : http://my.gov.au/

Re:Bad metrics

[arth1]

... and you're repeating yourself why?

Because you do?

my.gov.au != my.gov, and my.gov is what you said. Twice.

Re:Bad metrics

[thegarbz]

I invite you to click on the link and see what they call themselves.

I also invite you to go to www.my.gov and realise why you won't get an email from that site either.

Do away with links in emails already!

[EzInKy]

Seriously, these phishing scams have been going on for far too long now and cost billions. If there is information that can not be disseminated people should be directed to go to a well vetted website.

Re: Do away with links in emails already!

What is your solution for replies. There will always be risk with 2 way communication

Re:Do away with links in emails already!

[HiThere]

When email was text there wasn't this much of a problem. The merger between email and browsers with javascript enabled, however, has been horrendous. And incomprehensible links just makes things worse. Link shorteners are totally untrustworthy, but so are links that push you to a php page, and there are all sorts of links full of various kinds of gibberish so you never know where they're going to link you to. It's not too bad if you don't have javascript enabled, but just try to convince people to avoid it. I've got to admit that even I have javascript enabled, though I do have an ad blocker running. But this causes me to be a bit paranoid about what links I click.

Re: Do away with links in emails already!

[ShanghaiBill]

Sure, you just got about 6 and a half billion more people to teach about PGP.

People didn't have to learn about cryptographic algorithms to use HTTPS. Thee is no reason they need to learn it for secure email either. All that is needed is for Google, Facebook, Microsoft, and Apple to agree on a standard. Everyone else will be forced to follow or be left behind.

Re:Do away with links in emails already!

[Dutch+Gun]

Don't worry. Microsoft is working on making links in e-mail useless.

Re:Do away with links in emails already!

[ShanghaiBill]

The merger between email and browsers with javascript enabled ...

Citation please. Can you name a single email client or app, less than a decade old, that executes JavaScript inside a received email?

Re: Do away with links in emails already!

[Bert64]

There is a standard - S/MIME, OSX/iOS mail and Outlook all support it by default, not sure about Gmail...
The problem is it takes effort to configure, so noone does.

Re:Do away with links in emails already!

[Bert64]

Use an isolated and hardened system for accessing the web, keep business systems airgapped from the public internet, what limited data needs to pass back and forth is easier to check. Your developer only needs to read, not usually copy large amounts of data.

Re: Do away with links in emails already!

[Bert64]

Thats the UI for the webmail system, not javascript embedded in the content of received messages.

Re: Do away with links in emails already!

[Aighearach]

You do know that if there is js in an email, and you use the gmail web client, it doesn't pass that shit through?

No, you didn't. And yet! lol

I don't even think you were just leaning on an inappropriate pedanticism that isn't relevant. I think it is a worse problem.

Re:Do away with links in emails already!

[HiThere]

Read what you quoted again!
Try it as grouping it as "The merger between email and [browsers with javascript enabled]"

Re: Do away with links in emails already!

[david_thornley]

People didn't have to learn about cryptographic algorithms to use HTTPS.

Of course not. All technical details are handled by the software. The user doesn't have to have a clue that something called a "key" is involved. A random key can be generated and discarded, since it's of no use after the session, and doesn't have to be used on any other browser.

This won't work for email. To use PGP effectively, the user must generate a key pair and publicize the public key. This means that the user has to be aware of a multi-kilobit persistent key, and safeguard it and transfer it to any mail client the user reads email on. If the user loses the key, all future email is unreadable. If the private key gets known to others, the others can pose as the original user and there's no reliable way to tell the difference. All of the other details can be handled in software, but key management is vital.

Lots of us here know what's going on, and know how to handle this situation. Very few people in the general population do.

secured ?

[johnjones]

the email system never verified the URL nor where the email was from

so your email system is so poor you have to rely on the end user not to click on a link ?

simply block / rewrite URL's that have not been verified

only accept mail from domains that have been verified and claim the email is from them
(for example that have DNSSEC and DANE setup correctly as gov address's have this and can therefore prove that they sent the email)

simple basics that are not the end users fault

Re:secured ?

[Sarten-X]

There is no technical solution for user awareness.

Sure, you can verify senders... then you only get spam from compromised hosts, or free relays/mass-mailers, or any other way that attackers are increasingly using to get around such things.

You can mangle unrecognized URLs... but then your users complain that their legitimate emails from partners and vendors aren't getting through properly (especially when they just signed the contract), and it still doesn't help when the attackers use bit.ly and other common services to hide.

Once all that has failed, you're still relying on end users to not click links... but if you sold your boss on this "simple basics" security checkbox, you suddenly realize that you never got funding for a user-education course, and that targeted phishing campaign is now wildly successful and claiming victims across your enterprise.

Sure, go ahead and include all of that technical wizardry, and it will indeed reduce your exposure, but please don't spread the myth that a technical barrier is a one-step fix for email security problems. Users are the last bastion of a defense-in-depth solution, which is also one of those "simple basic" concepts.

Re:secured ?

Rewriting URL's is in theory good-- but in reality, try having a technical discussion with someone that involves web development or administration.

Better yet, try following a vendor-supplied link to their support site. Or activating your account on a vendor site.

URL rewriting makes email practically useless for my job.

Michican has a few Great Lakes

[Mister+Liberty]

They like their phishing up there.

Re:Headline?

It's a grammatically correct headline. Learn to read: "1 in 3 Michigan Workers Tested" is the noun phrase (containing a participle form of verb used adjectivally) serving as the subject of the verb "Opened," which takes "A Password-Phishing Email", which is the noun phrase in the role of object for the transitive verb.

If it's to be nitpicked, one might nitpick that it should read "Password-Phishing Emails" or just "Password-Phishing Email" (no "a" which should be omitted in the headline for brevity reasons anyway).

But just because you can't read doesn't mean other people shouldn't write like educated people.

This is tough ...

[CaptainDork]

... and I dealt with it during my career. I'm a retired IT.

I held seminars, talked to employees one-on-one, and damned if we didn't still get hit.

It was a law firm and the staff never fell for phishing.

My problem was the fucking lawyers, especially the managing partner!

That bastard would click on anything.

He got a goddam email that said his UPS package wasn't going anywhere unless he looked at the invoice and corrected the address.

I asked him if he sent anything via UPS and he said, no.

I asked him if he remembered signing an exclusive with FedEx that I negotiated and he did.

I asked him if he, personally, ever sent a package anywhere or if he let his staff do that -- he said staff.

He did that shit over and over again.

--

I'm waiting for AI to step in; predict the outcome of clicking on a link and forbidding forward progress until an IT person concurs.

Re:This is tough ...

[Freischutz]

... and I dealt with it during my career. I'm a retired IT.

I held seminars, talked to employees one-on-one, and damned if we didn't still get hit.

It was a law firm and the staff never fell for phishing.

My problem was the fucking lawyers, especially the managing partner !

That bastard would click on anything.

He got a goddam email that said his UPS package wasn't going anywhere unless he looked at the invoice and corrected the address.

I asked him if he sent anything via UPS and he said, no.

I asked him if he remembered signing an exclusive with FedEx that I negotiated and he did.

I asked him if he, personally, ever sent a package anywhere or if he let his staff do that -- he said staff.

He did that shit over and over again.

--

I'm waiting for AI to step in; predict the outcome of clicking on a link and forbidding forward progress until an IT person concurs.

Was his name Homer?

Re:This is tough ...

[cyn1c77]

... and I dealt with it during my career. I'm a retired IT.

I held seminars, talked to employees one-on-one, and damned if we didn't still get hit.

It was a law firm and the staff never fell for phishing.

My problem was the fucking lawyers, especially the managing partner !

That bastard would click on anything.

Obviously, he was looking for someone to sue!

Re:Headline?

[v1]

OPENED the email, or actually pursued it? (clicked a link, replied to the email) Depending on the subject line, it may be totally innocuous looking until you OPEN the email and read the content.

Re: Shows blue states are not tech savvy

[Excelcia]

Holy frak guys, just start the second civil war already. The rest of the world knows it's coming, might as well just get down to it.

1 in 3 are forced to use bad email software

[Mozai]

"Opening" an email is tracked by whether an image in the HTML version of the email was fetched. Too many email clients will pre-fetch images so that it will look better or open faster when the human user finally does click on the item in their inbox. Knowing government employees, they aren't allowed to chose email software for work, and the config settings are locked-down. I expected that "opened the email" statistic to be way higher because government employees usually don't have a choice.

The 20% is the important statistic and that's scary enough already; no need for ABC News to embellish the story.

Re:1 in 3 are forced to use bad email software

[Aighearach]

Good idea, but you have some problems. If they're not in control of their clients and the clients were pre-fetching the images, wouldn't you expect it to be much higher than [some percent?] If the policy changes from team to team, you already gave up your whole "gubermint no choices" narrative.

Also at the other end, there are people like me who don't let the client display images even when I "open" (read: read) the email. It seems pretty silly to me that I think I might be getting a targeted attack message, and I wouldn't even look at it! A lot of those messages can infer information about what type of attack you're under. It is definitely worthwhile to scrutinize them closely so that you can be aware in advance that there might be other types of social engineering attacks made against you or your company by the same actor. Don't click the links, but don't just ignore all attacks, either.

So I did read the phishing email, but no, I didn't load a tracking image.

Re:Headline?

[ShanghaiBill]

OPENED the email, or actually pursued it?

Opening an email in a modern mail client or web app should be harmless. Some old apps would automatically load html-linked images, but if that is still a problem, it is not the user's fault.

Re: Shows blue states are not tech savvy

[arth1]

Michigan has been the home of communism since Henry Ford died.

Back in the days when communists were red and conservatives were blue, i.e. before a TV channel employee got the two mixed up in a poll presentation and the wrong colours stuck in the minds of largely ignorant Americans.

What we have in the US these days is brown.

Re:Headline?

[arth1]

Some old apps would automatically load html-linked images, but if that is still a problem, it is not the user's fault.

If it's configurable, in a way that A Reasonable Person would understand how to, they get some blame too.
It's not like if IT doesn't do their job, that absolves workers. Security is something that needs to be thought about by everyone, from janitor to CFO.

Re:Headline?

[ls671]

hehe, I still use pine just to make sure, so it isn't only "modern mail client or web app" :)

Those numbers are actually good!

[hibiki_r]

I've been a part of aggressive, well crafted phishing tests in Silicon Valley companies. Some of those tests were secret enough that only 3 people were aware of the test in advance... and the results were terrifying. Thanks to HTML abuse, forged headers and very good copy, I've seen 70% of storied security teams fall for the phishing attempt, going as far as to enter their 2fa values for AWS. In a real world situation, just one person falling for it would have been a problem.

In practice, what I have learned is that against a sophisticated opponent, any security system that relies on just usernames, passwords, and simple 2fa might as well not exist. The bare minimum is unique usernames and passwords just to double check that the right human is on the other side, attached to client certificates that are unique to each machine, and strong mechanisms to make sure that nobody generates user + certificate pairs for new computers without big flashing signs popping up. Anything weaker is just relying on being an uninteresting target, which is not a good thing to rely on.

Re:Those numbers are actually good!

[mikael]

We had courses at my work place. Things to look for include mis-spelt words, links that didn't use https and/or moved to a different domain from the sender. Which makes me ask, why couldn't an email filter pick this up.

Re:Those numbers are actually good!

We had courses at my work place. Things to look for include mis-spelt words, links that didn't use https and/or moved to a different domain from the sender. Which makes me ask, why couldn't an email filter pick this up.

That's also my question.
  How often do corporations of any size used spoofed headers for business emails? They do that for their newsletters, advertisements, and email surveys and crap, yes, but not for invoices and person to person communications.

I wish our email client had a configuration to flag to the user "This email's sender does not match the actual origination." As well as "This email appears to have originated in Bulgaria". If we actually had a vendor in Bulgaria, the people who handled that account would already know who that was and could continue, but a clerk at the front desk would have gotten a clear warning.

Re:Those numbers are actually good!

[AHuxley]

Great for contractors renting AV gov/mil solutions too.
Think of the clean up contracting over time for every email opened and clicked.
The renting of new tools after a criminal malware event that are then suggested.
The US party political cyber news if the very average criminal malware is "Bear" or "Russia" related too.

What would happen if workers did not click? Thats money off the table for contractors who have to have AV products to sell.

Re:Those numbers are actually good!

[Aighearach]

I include, "asks me to do something that would be really non-secure and provides a link to make it convenient."

Security and convenience are a trade-off, if you're distributing real information to technical workers that they would take actions based on, you don't want to even try to make it convenient with links. You want to just give them the data: "Foo has problem Bar, please log into your Secure BlahBlah and don't forget to wipe the cargo port with the rubber chicken." No link. If they don't know how to access Secure BlahBlah, then they shouldn't be accessing it.

Here in the US, if the email was actually something important and I didn't respond, they'd have to notify me by registered mail instead. So things you'd actually have to respond to would all be for internal, company-controlled reasons where the technology can be matched with the use case.

Our State IT department conducts these tests, too

The problem is that they also use a number of 3rd party vendors (with non-State domains) to host various official systems. They conducted a mandatory survey of employees once (survey monkey, iirc) and had to send out a follow-up e-mail telling everyone that the first e-mail was real and was safe to click on. Apparently, a large percentage of people were reporting the e-mail as a phishing attack or simply ignoring it.

It didn't help that the mandatory yearly cyber-security training came out shortly before the survey and how the survey e-mail was written and the type of questions asked in the survey ticked off a number of the "This is how you spot a phishing attack" pointers from the training.

Re:Headline?

[jandrese]

From Line 1 of the summary:

nearly one-third opened the email, a quarter clicked on the link and almost one-fifth entered their user ID and password

The 1/5 entering their password into the website is the buried lead IMHO. That's absolutely ridiculous.

ahem

[cascadingstylesheet]

That's of State of Michigan workers, not "Michigan workers". (Before the coasties get too smug)

(Then again, I wouldn't expect much better from a typical company. Anywhere.)

Monthly phishes from security really help

[raymorris]

I have found that when the security team sends out "phishing" emails about once a month, that helps. Opening the link takes the employee to a page reminding them about phishing. If instead they click the "report" button in Outlook, they get a happy message. It changes behavior after a few months.

Re:Headline?

[iamhassi]

And would encourage someone techie to start sending out phishing emails if they weren't doing it already. 20% success rate is pretty good, much higher than I thought it would be.

Re:Shows blue states are not tech savvy

[iamhassi]

Michigan turned red in 2016. Conservatives like you are really a stupid bunch, but we knew that already.

One election doesn't change the dozens of years of voting history

Re:Small wonder

[iamhassi]

You nailed it, everything that has ever happened is somehow related to Trump. Some worker opens an email? Trump did that

Management's fault

[iamhassi]

Quick search revealed at least a dozen companies that offer phishing tests to employees, to send fake phishing emails to them to see if they open and click on links. If management isn't using these tools when so many are available they're as much responsible as if they chose not to use virus scanners or network firewalls. And why doesn't Google, Microsoft and the other email providers do more by sending fake phishing emails out to educate users more? All it takes is a few fake phishing emails to educate users. First time is 20% entering passwords, second might be 10%, by the time you get to fifth fake email you're probably at less than 1% and only a few percentage higher even opening the email.

I got probed at work like this

[WinstonWolfIT]

I configure my mail clients to only put my inbound in my inbox if you're in my collected addresses. When the report came out, it was an email I simply never saw. But... about 1/3 of this high tech company got phished. On the downside I kinda sorta failed because I didn't report the suspicious email. Meh.

Responsibilities

[demon+driver]

It's not like if IT doesn't do their job, that absolves workers. Security is something that needs to be thought about by everyone, from janitor to CFO.

Simply declaring such a responsibility, whether rightfully or not, doesn't improve security an inch. That would be magical thinking.

Obvious fact is, people who are no IT specialists tend to lack the awareness and knowledge to be able to fulfill such a responsibility. If employers, or, in case of public service, we as a society, want employees to care for security, employers have to make sure that they get proper training. Something that obvously has been neglected in the cases we're talking about here. It's as simple as that.

Re:Responsibilities

[Bert64]

Current operating systems are designed by and for IT specialists, they are not suitable for people without such knowledge. If you need to use something that can only be done on such a system then you should receive appropriate training on how to use it properly, and/or use a machine that is managed by someone who does have the appropriate knowledge.

Re:Responsibilities

[arth1]

Simply declaring such a responsibility, whether rightfully or not, doesn't improve security an inch. That would be magical thinking.

True. Merit for those who do well, and demerit and eventually replacement for those who don't, on the other hand, should work.

employers have to make sure that they get proper training

The problem is not with knowledge, it is with attitude and aptitude. There are people who will never act in safe manners, no matter how much training they receive are hired by people who don't care.

I have held computer security classes, and generally, they only help those who have an interest. People who are trusting, gullible or greedy by nature won't change due to mere knowledge transfer. They will always be a vector of attack, and no matter what safeguards are put into place, as long as people are allowed to communicate, the weak human links will be exploited.
The only recourse I see is to avoid hiring weak links, and get them out before they break.

Re:Headline?

[Bert64]

Opening an email should be a safe action, until you've opened it you have no idea what it contains and it might be a perfectly legitimate mail. The IT department should ensure that opening mails and reading their contents is safe.
Visiting a site linked from an email should also be safe, and that's also the responsibility of the IT department to ensure that browsers and plugins are kept up to date and appropriately hardened against attack.

Actually entering passwords into a site is the only thing users shouldn't be doing, and this is often partly the companies fault too - in many companies there are legitimate emails which ask you to visit a site and enter creds, so users learn these poor practices and are more likely to fall for the scams, especially highly targeted scams done by someone who has actually researched the target organisation.

Re:Shows blue states are not tech savvy

Michigan has a republican governor, state senate and state house, and has for the last 8 years. It's had a republican senate for the last 12 years. Currently, in the house and senate, they have a super-majority.

We've got one of those fine cases of gerrymandering. Michigan isn't as extreme as some other places, but our districts have been drawn to "crack" and "pack" to pretty much hand the republicans the majority. My district is 9 houses wide at my section, and extends 6 miles in each direction where they expand to dilute our votes.

Re: Headline?

[mmcleod]

Is it 20% of all people who got the email, or 20% of the people who opened the message and clicked on the link?

ANTHEM legit communication looks like phishing!

AC for obvious reasons.

Got a phone call from Anthem. They left a voice mail with a number of personal details (name of family members) and asked for a call back to some 1-800 number, The originating phone number was not listed on their web site. I called back the 1-800 number and it asked for personal details such as date of birth. "To make sure it's you, please enter your date of birth."

Uh... No.

I hung up and sent my HR department a note telling them that someone was conducting a phone phishing campaign on employees. Hey, they were using phone numbers that were not listed as Anthem's, so that was obvious, right? I expected that this was the end of it, but HR duly contacted Anthem.

A few days later, I got an irate email from some Anthem customer communication guy that, in essence, tells me I am a fool and that this is not phishing but a business-as-usual communication, and can I please stop wasting his time and comply?

I am flabbergasted. These Anthem guys have my email, a site on which they can send me personal notifications, and of course my mailing address. And they chose to sent automated phone calls from unverifiable origin? With personal detail requests that sound furiously like spear phishing? SERIOUSLY?

Does anyone in that company have any bloody clue?

Did anyone else get this type of legit-sounding-phony calls?

Re: Shows blue states are not tech savvy

[Aighearach]

Holy frak guys, just start the second civil war already. The rest of the world knows it's coming, might as well just get down to it.

In before Han shoots first!

Re:OK, I am an IT person in Michigan. Now...

[Aighearach]

The part you missed is that the purpose of the audit is to find out what the state of the situation is. It is not the purpose of the audit to assign or restrict Virtue.

So the whole, "Golly it isn't their fault but they look bad" angle is really weak. If you know better, simply refrain from thinking the wrong party is responsible, and take the message as, "there is no system, and the users aren't expert enough to do it right without a system." You don't hide that from ebil "papers" in order to protect people's Virtue, instead it is good for the People to know that there is no working system. Maybe some people later will react by putting a system in place?

Your response is what I'd expect from a representative of the Neckbeard Union or something, just trying to white knight it and protect people not under any attack.

Any design where people must do the right thing...

[gestalt_n_pepper]

...all the time has already failed.