USPS staff take the bait in phishing test
- By Derek Major
- Oct 09, 2015
Phishing attacks are one of the most common ways to infiltrate a system, and a recent study by the U.S. Postal Service's Office of the Inspector General shows why.
According to the report, the OIG sent phishing emails of its own to 3,125 USPS employees, to see if staff would click on a potentially dangerous link -- and if they would report the suspect emails, as required by USPS policy. One in four recipients clicked on the link, and just seven percent reported the message that landed in their inbox.
Even among those who clicked on the phishing link, 90 percent failed to report the potential security breach. (Among IT staff, that figure was 91.5 percent; for management, 94.1 percent.)
The report also found that the vast majority of employees who received the email (95 percent) had not taken USPS's annual information security awareness training, because only new hires and office employees are required to complete it. Of the 789 employees who clicked on the phishing link, 750 had not received the training. And OIG investigators noted that USPS's training does not completely explain how to identify and report phishing emails.
USPS officials took issue with the report's characterization of the test results as a 93 percent failure -- saying that even with 7 percent of employees reporting the phishing email, the agency received more than 100 reports of the email within the first hour.
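The OIG's numbers and the USPS rebuttal are two different readings of the same campaign data: the overall report rate treats every silent recipient as a failure, while the "100 reports in the first hour" figure asks how quickly the organization got its first warning. The script below, an added example that is neither the article's nor USPS's or the OIG's code, scores a simulated campaign both ways from per-recipient records. The recipients, groups, training flags and report timestamps are constructed for illustration, not real USPS data.

```python
"""Score a phishing-simulation campaign the way the OIG report does,
plus the time-to-report view behind the USPS rebuttal.

Added example, not from the article, USPS or the OIG. All records below
are constructed; timestamps are assumed to be minutes after the send.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Recipient:
    uid: str
    group: str                   # e.g. "it", "management", "office", "field"
    trained: bool                # completed the annual awareness training
    clicked: bool                # followed the simulated link
    reported_at: Optional[int]   # minutes after send when reported; None = never


# Constructed sample campaign (assumption: minutes after the send).
CAMPAIGN = [
    Recipient("u01", "it", True, False, 5),
    Recipient("u02", "it", True, True, None),
    Recipient("u03", "it", False, True, None),
    Recipient("u04", "management", True, False, None),
    Recipient("u05", "management", False, True, None),
    Recipient("u06", "office", True, False, 40),
    Recipient("u07", "office", True, True, 90),
    Recipient("u08", "field", False, True, None),
    Recipient("u09", "field", False, True, None),
    Recipient("u10", "field", False, False, None),
    Recipient("u11", "field", False, True, 400),
    Recipient("u12", "office", True, False, None),
]


def _rate(num, den):
    """Percentage rounded to one decimal; 0.0 for an empty denominator."""
    return round(100.0 * num / den, 1) if den else 0.0


def click_rate(recs):
    """Share of recipients who clicked (the report's 'one in four')."""
    return _rate(sum(r.clicked for r in recs), len(recs))


def report_rate(recs):
    """Share of recipients who reported at all (the report's 7 percent)."""
    return _rate(sum(r.reported_at is not None for r in recs), len(recs))


def unreported_click_rate_by_group(recs):
    """Per group, share of clickers who never reported
    (the report's 90 / 91.5 / 94.1 percent figures)."""
    clicks, silent = defaultdict(int), defaultdict(int)
    for r in recs:
        if r.clicked:
            clicks[r.group] += 1
            if r.reported_at is None:
                silent[r.group] += 1
    return {g: _rate(silent[g], clicks[g]) for g in clicks}


def click_rate_by_training(recs):
    """Click rate split by whether the recipient took the training,
    the comparison behind the '750 of 789 clickers were untrained' finding."""
    trained = [r for r in recs if r.trained]
    untrained = [r for r in recs if not r.trained]
    return {"trained": click_rate(trained), "untrained": click_rate(untrained)}


def reports_within(recs, minutes):
    """Reports received within `minutes` of the send. This is the number
    the USPS rebuttal relies on: even a low overall report rate can hand
    the security team its first warning inside the hour."""
    return sum(1 for r in recs
               if r.reported_at is not None and r.reported_at <= minutes)


def time_to_first_report(recs):
    """Minutes until the first report, or None if nobody reported."""
    times = [r.reported_at for r in recs if r.reported_at is not None]
    return min(times) if times else None


if __name__ == "__main__":
    print("click rate        :", click_rate(CAMPAIGN))
    print("report rate       :", report_rate(CAMPAIGN))
    print("silent clickers   :", unreported_click_rate_by_group(CAMPAIGN))
    print("by training       :", click_rate_by_training(CAMPAIGN))
    print("reports in 60 min :", reports_within(CAMPAIGN, 60))
    print("first report (min):", time_to_first_report(CAMPAIGN))
```

Both views matter when judging a campaign: the group breakdown shows where awareness training is missing, while time-to-first-report and the count of early reports show whether the organization would have had a chance to pull a real message before most recipients opened it.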
The OIG recommended that all USPS employees with network access take the annual information security awareness training.
Derek Major is a former reporter for GCN.