Slashdot Mirror


1 in 3 Michigan Workers Tested Opened A Password-Phishing Email (go.com)

An anonymous reader quotes the AP: Michigan auditors who conducted a fake "phishing" attack on 5,000 randomly selected state employees said Friday that nearly one-third opened the email, a quarter clicked on the link and almost one-fifth entered their user ID and password. The covert operation was done as part of an audit that uncovered weaknesses in the state government's computer network, including that not all workers are required to participate in cybersecurity awareness training... Auditors made 14 findings, including five that are "material" -- the most serious. They range from inadequate management of firewalls to insufficient processes to confirm if only authorized devices are connected to the network. "Unauthorized devices may not meet the state's requirements, increasing the risk of compromise or infection of the network," the audit said.

24 of 119 comments

  1. Sounds about right by Anonymous Coward · · Score: 5, Informative

    We had similar results during my company's initial phishing test, so I suspect that this result is not uncommon. Sending out training and multiple rounds of phishing test emails (which then require more training if you click) is the ONLY way to bring this number down. The users need to be made as paranoid as possible before clicking ANY links. After a year and a 1/2 we still have a few repeat offenders who still click on the links or enter username/passwords, so multi-factor authentication was implemented, but it's far, far less than we previously had. Posting as AC for obvious reasons.

    1. Re: Sounds about right by mikael · · Score: 2

      Did the same to the debt collection department of my credit card bank who called me up; Indian accent - check, city with high social deprivation - check, telephone number with no SMART id (don't know what SMART is, but if the number doesn't have it, it must be a phishing attempt - check). Just make up some names and numbers and drop the call when they asked for my debit card number. Wouldn't they know that if they were from the bank? Tell them the cheque's in the post.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  2. Opening the email is bad? by Snotnose · · Score: 5, Insightful

    I've got the sender and subject visible to me, if they look legit of course I'm gonna open it. I don't click links unless it's something like a new website setup or lost password reset or somesuch where I'm expecting a message. I never enter logins nor passwords to links I get in email.

    In other words, opening the email isn't (err, shouldn't be) the problem. It's what you do after that that's the problem.

    Then again, I don't use Outlook so opening the email isn't all that hazardous to me.

    1. Re:Opening the email is bad? by novakyu · · Score: 5, Insightful

      From TFS: "almost one-fifth entered their user ID and password."

      The headline probably should have led with that.

  3. Bad metrics by lgftsa · · Score: 4, Insightful

    1/3 opened the email? That means that 2/3 don't read their email.

    You can't tell if it's a phish just by the subject line and the displayed sender name, you have to at least check the sender email address, path headers and link html to make an informed decision.

    1. Re:Bad metrics by Anonymous Coward · · Score: 2, Informative

      2/3 of slashdot users don't read the article summary.

    2. Re:Bad metrics by arth1 · · Score: 2

      I hope they mean that 1/3 opened it in a client that fetched external content or ran a script that connected remotely.

    3. Re:Bad metrics by sheramil · · Score: 3, Interesting

      You can't tell if it's a phish just by the subject line and the displayed sender name, you have to at least check the sender email address, path headers and link html to make an informed decision.

      You'd think so. I got an email from someone claiming to work for the Taxation Office. It looked suspicious so I ignored it. Then I got a phone call from someone with an Indian accent, following up on the email. I hung up on them and checked the number; a couple of websites claimed the number belonged to a group of spammers, and some posts said it was a legitimate number from the Taxation Office - as you might expect. I searched the ATO website and couldn't find the number... I spent a couple of days chasing it up; it turned out it was from the Taxation Office, and they wanted to do a phone audit. When I mentioned the problems I had determining the legitimacy of their inquiry, they didn't seem to care.

  4. secured ? by johnjones · · Score: 4, Interesting

    the email system never verified the URL nor where the email was from

    so your email system is so poor you have to rely on the end user not to click on a link ?

    simply block / rewrite URLs that have not been verified

    only accept mail from domains that have been verified and claim the email is from them
    (for example that have DNSSEC and DANE setup correctly, as gov addresses have this and can therefore prove that they sent the email)

    simple basics that are not the end users fault

    1. Re:secured ? by Sarten-X · · Score: 5, Insightful

      There is no technical solution for user awareness.

      Sure, you can verify senders... then you only get spam from compromised hosts, or free relays/mass-mailers, or any other way that attackers are increasingly using to get around such things.

      You can mangle unrecognized URLs... but then your users complain that their legitimate emails from partners and vendors aren't getting through properly (especially when they just signed the contract), and it still doesn't help when the attackers use bit.ly and other common services to hide.

      Once all that has failed, you're still relying on end users to not click links... but if you sold your boss on this "simple basics" security checkbox, you suddenly realize that you never got funding for a user-education course, and that targeted phishing campaign is now wildly successful and claiming victims across your enterprise.

      Sure, go ahead and include all of that technical wizardry, and it will indeed reduce your exposure, but please don't spread the myth that a technical barrier is a one-step fix for email security problems. Users are the last bastion of a defense-in-depth solution, which is also one of those "simple basic" concepts.

      --
      You do not have a moral or legal right to do absolutely anything you want.
  5. Re:Headline? by Anonymous Coward · · Score: 2, Informative

    It's a grammatically correct headline. Learn to read: "1 in 3 Michigan Workers Tested" is the noun phrase (containing a participle form of verb used adjectivally) serving as the subject of the verb "Opened," which takes "A Password-Phishing Email", which is the noun phrase in the role of object for the transitive verb.

    If it's to be nitpicked, one might nitpick that it should read "Password-Phishing Emails" or just "Password-Phishing Email" (no "a" which should be omitted in the headline for brevity reasons anyway).

    But just because you can't read doesn't mean other people shouldn't write like educated people.

  6. This is tough ... by CaptainDork · · Score: 4, Interesting

    ... and I dealt with it during my career. I'm a retired IT.

    I held seminars, talked to employees one-on-one, and damned if we didn't still get hit.

    It was a law firm and the staff never fell for phishing.

    My problem was the fucking lawyers, especially the managing partner!

    That bastard would click on anything.

    He got a goddam email that said his UPS package wasn't going anywhere unless he looked at the invoice and corrected the address.

    I asked him if he sent anything via UPS and he said, no.

    I asked him if he remembered signing an exclusive with FedEx that I negotiated and he did.

    I asked him if he, personally, ever sent a package anywhere or if he let his staff do that -- he said staff.

    He did that shit over and over again.

    --

    I'm waiting for AI to step in; predict the outcome of clicking on a link and forbidding forward progress until an IT person concurs.

    --
    It little behooves the best of us to comment on the rest of us.
  7. Re:Headline? by v1 · · Score: 2

    OPENED the email, or actually pursued it? (clicked a link, replied to the email) Depending on the subject line, it may be totally innocuous looking until you OPEN the email and read the content.

    --
    I work for the Department of Redundancy Department.
  8. Re: Shows blue states are not tech savvy by Excelcia · · Score: 2

    Holy frak guys, just start the second civil war already. The rest of the world knows it's coming, might as well just get down to it.

  9. 1 in 3 are forced to use bad email software by Mozai · · Score: 4, Interesting
    "Opening" an email is tracked by whether an image in the HTML version of the email was fetched. Too many email clients will pre-fetch images so that it will look better or open faster when the human user finally does click on the item in their inbox. Knowing government employees, they aren't allowed to choose email software for work, and the config settings are locked down. I expected that "opened the email" statistic to be way higher because government employees usually don't have a choice.

    The 20% is the important statistic and that's scary enough already; no need for ABC News to embellish the story.

  10. Re:Headline? by ShanghaiBill · · Score: 2

    OPENED the email, or actually pursued it?

    Opening an email in a modern mail client or web app should be harmless. Some old apps would automatically load html-linked images, but if that is still a problem, it is not the user's fault.

  11. Those numbers are actually good! by hibiki_r · · Score: 4, Interesting

    I've been a part of aggressive, well crafted phishing tests in Silicon Valley companies. Some of those tests were secret enough that only 3 people were aware of the test in advance... and the results were terrifying. Thanks to HTML abuse, forged headers and very good copy, I've seen 70% of storied security teams fall for the phishing attempt, going as far as to enter their 2fa values for AWS. In a real world situation, just one person falling for it would have been a problem.

    In practice, what I have learned is that against a sophisticated opponent, any security system that relies on just usernames, passwords, and simple 2fa might as well not exist. The bare minimum is unique usernames and passwords just to double check that the right human is on the other side, attached to client certificates that are unique to each machine, and strong mechanisms to make sure that nobody generates user + certificate pairs for new computers without big flashing signs popping up. Anything weaker is just relying on being an uninteresting target, which is not a good thing to rely on.

    1. Re:Those numbers are actually good! by mikael · · Score: 2

      We had courses at my workplace. Things to look for include mis-spelt words, links that didn't use https and/or moved to a different domain from the sender. Which makes me ask, why couldn't an email filter pick this up?

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    2. Re:Those numbers are actually good! by Anonymous Coward · · Score: 2, Insightful

      We had courses at my workplace. Things to look for include mis-spelt words, links that didn't use https and/or moved to a different domain from the sender. Which makes me ask, why couldn't an email filter pick this up?

      That's also my question.

      How often do corporations of any size use spoofed headers for business emails? They do that for their newsletters, advertisements, and email surveys and crap, yes, but not for invoices and person to person communications.

      I wish our email client had a configuration to flag to the user "This email's sender does not match the actual origination." As well as "This email appears to have originated in Bulgaria". If we actually had a vendor in Bulgaria, the people who handled that account would already know who that was and could continue, but a clerk at the front desk would have gotten a clear warning.
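
      The checks lgftsa, johnjones and the two replies above ask for (sender address versus envelope and path headers, links that are not https or that leave the sender's domain, "this email's sender does not match the actual origination") can be scripted against a raw message. The script below is an added example, not code from the page or from any mail product: the two messages, hosts and addresses are constructed; the `registrable()` helper is a deliberately naive last-two-labels approximation standing in for a Public Suffix List lookup; and DNSSEC/DANE/SPF/DKIM verification, which needs live DNS, is out of scope.

```python
"""Flag phishing indicators in a raw email: envelope/origin vs. From domain, and
links that are not https or that leave the sender's domain.  Added example; the
messages and hosts below are constructed, not taken from the Michigan audit."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phish-like message: the From header claims example.org, but the
# envelope sender and the relaying host are in example.net and the reset link
# is plain http on yet another host.
SUSPICIOUS_MESSAGE = b"""\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10])
    by mx.example.org with ESMTP id abc123
From: "IT Helpdesk" <helpdesk@example.org>
To: employee@example.org
Subject: Password expiry notice
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires today. <a href="http://example-org-login.example.net/reset">Reset it here</a>.</p>
<p>Questions? Visit <a href="https://intranet.example.org/help">the intranet</a>.</p>
</body></html>
"""

# Constructed legitimate message: envelope, relay and links all stay in example.org.
LEGITIMATE_MESSAGE = b"""\
Return-Path: <helpdesk@example.org>
Received: from mail.example.org (mail.example.org [198.51.100.5])
    by mx.example.org with ESMTP id def456
From: "IT Helpdesk" <helpdesk@example.org>
To: employee@example.org
Subject: Intranet maintenance window
Content-Type: text/html; charset=utf-8

<html><body><p>Details on <a href="https://intranet.example.org/status">the status page</a>.</p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect href values of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def registrable(host):
    """Naive registrable-domain approximation: the last two DNS labels.
    Assumption for this example; a real filter should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_message(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_addr = parseaddr(str(msg.get("From", "")))[1]
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Envelope sender (Return-Path) vs. the displayed From domain.
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    rp_domain = return_path.rpartition("@")[2].lower()
    if rp_domain and registrable(rp_domain) != registrable(from_domain):
        findings.append(f"envelope sender domain {rp_domain} does not match From domain {from_domain}")

    # 2. The host that handed the message to our MX (topmost Received header)
    #    vs. the From domain: "sender does not match the actual origination".
    received = msg.get_all("Received") or []
    if received:
        match = re.search(r"\bfrom\s+([^\s(]+)", str(received[0]))
        if match:
            origin = match.group(1).lower()
            if registrable(origin) != registrable(from_domain):
                findings.append(f"message was relayed by {origin}, not a {from_domain} host")

    # 3. Links in the HTML body: require https and stay within the sender's domain.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        for href in extractor.links:
            url = urlparse(href)
            if url.scheme != "https":
                findings.append(f"link does not use https: {href}")
            if url.hostname and registrable(url.hostname) != registrable(from_domain):
                findings.append(f"link leaves the sender's domain: {href}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(f"{label}: {analyze_message(raw) or ['no findings']}")
```

      Run stand-alone it reports four findings for the constructed phish (envelope mismatch, relay mismatch, a plain-http link and a link off the sender's domain) and none for the legitimate message. As Sarten-X notes further up, the same rules will also fire on legitimate mail from partners, bulk mailers and link shorteners, so a filter like this belongs in front of a warning banner or a quarantine review, not as a silent drop.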

  12. Re:Headline? by jandrese · · Score: 4, Insightful
    From Line 1 of the summary:

    nearly one-third opened the email, a quarter clicked on the link and almost one-fifth entered their user ID and password

    The 1/5 entering their password into the website is the buried lead IMHO. That's absolutely ridiculous.

    --

    I read the internet for the articles.
  13. That's of State of Michigan workers, not "Michigan workers". (Before the coasties get too smug)

    (Then again, I wouldn't expect much better from a typical company. Anywhere.)

  14. Monthly phishes from security really help by raymorris · · Score: 4, Interesting

    I have found that when the security team sends out "phishing" emails about once a month, that helps. Opening the link takes the employee to a page reminding them about phishing. If instead they click the "report" button in Outlook, they get a happy message. It changes behavior after a few months.

  15. Re:Headline? by iamhassi · · Score: 2

    And would encourage someone techie to start sending out phishing emails if they weren't doing it already. 20% success rate is pretty good, much higher than I thought it would be.

    --
    my karma will be here long after I'm gone
  16. Re:Headline? by Bert64 · · Score: 2

    Opening an email should be a safe action, until you've opened it you have no idea what it contains and it might be a perfectly legitimate mail. The IT department should ensure that opening mails and reading their contents is safe.
    Visiting a site linked from an email should also be safe, and that's also the responsibility of the IT department to ensure that browsers and plugins are kept up to date and appropriately hardened against attack.

    Actually entering passwords into a site is the only thing users shouldn't be doing, and this is often partly the company's fault too - in many companies there are legitimate emails which ask you to visit a site and enter creds, so users learn these poor practices and are more likely to fall for the scams, especially highly targeted scams done by someone who has actually researched the target organisation.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!