Continuous training and awareness are the key to protecting high-value agency assets.
Last year, the Defense Information Systems Agency reported that the Defense Department had fended off 36 million malicious emails containing phishing ploys, malware, viruses or all three. And that’s just one federal agency.
The bogus emails that con or coerce users into disclosing key personal data are a major weapon in successful cyberattacks. Nearly 90 percent of successful data exfiltrations and breaches in the federal government over the past few years were the result of phishing attacks, according to William Evanina, director of the National Counterintelligence and Security Center.
While education has helped slow the rate of successful phishing attempts, there are still gaps where the misleading messages can get through. One thing to think about during National Cybersecurity Awareness Month, which kicked off Oct. 1: About 18 percent of those who clicked on test phishing links in 2018 were on mobile devices, according to Verizon’s “2019 Data Breach Investigations Report,” which says that mobile users can be more susceptible to phishing.
The pace of federal work can also feed the phenomenon. “People are constantly filling out forms, constantly replying to messages. Everyone is in a hurry to get things done; it’s a constant barrage. That is when people will click automatically,” says Alex Grohmann, a director on the Information Systems Security Association’s international board.
Employees Respond Best to Realistic Anti-Phishing Training
“Pressure and stresses lead to people clicking on emails,” says Daniel Norman, a research analyst with the Information Security Forum. “So, if you can reduce the stress and reduce the pressure, if you can create a more positive work environment, that is actually going to reduce the likelihood of people clicking on phishing emails.”
Anti-phishing awareness doesn’t come from a PowerPoint deck. It comes from hands-on, realistic exercises.