Phishing lure snags 1 in 3 FHFA employees targeted
- By Derek B. Johnson
- Feb 15, 2019
More than one-third of employees at the Federal Housing Finance Agency failed to follow the proper response protocols when subjected to a fake phishing attack, according to an audit, which also cited a number of other vulnerabilities present at the agency's network perimeter.
The agency's Inspector General's Office ran a mock phishing attack against 50 employees as part of an annual Federal Information Systems Management Act audit and found that 17 -- or 34 percent -- failed the test.
The report is substantially redacted, and it's not clear how many employees may have actually clicked on a malicious link or failed to follow other internal protocols. According to the audit, just three of the 50 employees tested reported the suspicious emails to their superiors.
FHFA oversees Fannie Mae and Freddie Mac and the Federal Home Loan Bank System. The agency had 753 employees in 2018 according to the Office of Personnel Management.
The audit also scanned 376 of the agency's internet-facing IP addresses and found a number that were relying on outdated encryption protocols. This was mostly due to the use of outdated equipment, with FHFA managers telling auditors that the machines associated with the flagged addresses could not support more advanced versions of the software needed to run higher-grade encryption. However, auditors were unable to leverage these vulnerabilities to gain access to FHFA networks and systems.
Auditors made three recommendations: replace any outdated machines incapable of running the latest encryption protocols, continue conducting regular phishing tests on employees and emphasize best email security practices.
CIO Kevin Winkler said the agency plans to replace the older machines this year and laid out a number of additional actions to further test email security practices.
"FHFA will evaluate its latest phishing email test results by June 30, 2019 to determine if its end user phishing email training needs to be enhanced," said Winkler. The agency will also add a warning banner on external email by the end of March.
This article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. Follow him on Twitter @derekdoestech.