How prevalent are phishing emails at federal agencies?
Barry West, a senior adviser for cybersecurity at the Department of Homeland Security, said at an industry event Sept. 20 that phishing and spear phishing attacks have become hackers’ weapon du jour and preferred means of entry at that agency.
“A few years back, it was denial of service attacks,” he said. “What we’re seeing now is more around phishing. That’s the area we’re seeing the most problems, specifically around spear phishing.”
A March 2017 report from the White House said over 70 percent of agencies use strong antiphishing and anti-malware technologies to safeguard their networks from malicious activity.
Spear phishing entails targeting specific individuals with cleverly crafted emails designed to steal their access credentials. To counter it, teams at DHS, like many other agencies, test employees’ ability to spot such scams by sending out their own fake phishing emails. Users who click on the links receive more intensive training about phishing scams.
West declined to give specific figures quantifying the agency’s success in preventing these emails, but Jeff Eisensmith, the agency’s CISO, told FedTech last year that the number of users clicking on the potentially malicious links has declined each year. This is in part because DHS keeps more of the hoaxes out of employee inboxes and because users are better at recognizing the scams.
OPM, DOD Take Steps to Train Users on Phishing
DHS isn’t the only agency using this approach to train its users. Several agencies have been vocal about curbing their employees’ penchant for clicking on misleading emails.
The Office of Personnel Management boasted about improvement in its users’ judgment in a June 2016 fact sheet.
“The effectiveness of OPM’s increased awareness was demonstrated in a recent DHS phishing exercise where OPM showed significant improvement as compared to prior phishing exercises at OPM and the performance of other Federal agencies,” the agency said.
In addition, at an industry event Sept. 25, Thomas Michelli, acting principal deputy CIO of the Defense Department, gave the example of employees at the Pentagon who were enticed by an email offer for free Washington Redskins tickets only to discover they were actually in line for additional cybersecurity training.
“The tools keep getting better and better around phishing,” West said. “We’ve been able to customize our phishing tools for our environment to what works best. What I’ve noticed is the tools are maturing. It’s about staying current and getting updates for any of this to be successful. It’s staying on top of it. It’s seeing what’s working, what’s happening with your peers, not just government, but private sector and what works with them.”