Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

May 12, 2010

Self-phishing not risk-free

Unusual story in PC World about the unanticipated consequences of sending employees a fabricated phishing e-mail as an awareness-raising exercise:

Security testers at the Guam Air Force base's 36th Communications Squadron had to send out a clarification notice on Monday after an in-house test -- called an operational readiness exercise (ORE) in Air Force parlance -- of how airmen would respond to a phishing e-mail worked out a little too well.

The e-mail said that crews were going to start filming "Transformers 3" on Guam and invited airmen to fill out applications on a Web site if they wanted to work the shoot. The Web site then asked them for sensitive information.

This type of in-house phishing exercise is a routine occurrence in the military and in major corporations, and is generally seen as a good way of promoting security awareness. But in Andersen's case, the information in the phishing e-mail started leaking to the civilian world.

As with penetration testing, contingency exercises and so on, it's important to consider the risks of the test or exercise itself, not just the risks it is meant to expose. This particular one may well have achieved its aim of making everyone more aware of phishing, but at what cost?

Updated 12th May 2010
A few enterprising companies are exploiting the market by turning phish-spotting into an online game. If you genuinely think your employees will enjoy playing cartoon games, go ahead. I know a few six-year-olds who would turn their noses up at the cheap Disney-style graphics (complete with fish wearing spectacles). [Hint for the uninitiated: information security awareness, training and educational activities are, in the main, ADULT learning activities. Please don't demean your grown up employees by implying that they are pre-schoolers.]