Several organizations have started using (simulated) phishing attacks against their own employees as a security awareness activity. The New York State Office of Cyber Security and Critical Infrastructure Coordination, for example, sent staff an internal email asking them to enter their passwords into a ‘password checker’. 17% of their 10,000 users succumbed and were given additional education. When the exercise was repeated a month later, the phishing email phooled just 7% who were presumably given stronger, more explicit advice and encouragement by management regarding their future career prospects.
More authentication resources