US Army red faced after phishing test sets off Defense Department email storm

Well-intentioned 401k "attack" causes panic

A US Army commander's well-intentioned plan to test how easily his staff would fall for phishing scams went farcically wrong last month after recipients believed the email was real and forwarded it as a warning to thousands of staff in other government departments.

The would-be phishing email was originally sent to a small group of army staff, warning that their 401k Thrift Savings Plan retirement account had been breached and asking them to reset their passwords, according to The Washington Post. Unfortunately, some of the recipients were so alarmed they helpfully decided to share it with colleagues.

As the messages spread, they set off a feared phenomenon well known to Internet watchers - the email storm.

Many thousands of staff at agencies including the Department of Defense (DoD), FBI, Customs and Border Protection, and the Labor Department eventually received the forwarded emails, overloading the Thrift Savings Plan - a real organisation - with worried phone calls.

It took the US Army three weeks to trace the bogus phishing alert back to its origins, a phishing test by a single commander that had gone horribly and embarrassingly out of control.

This sort of test can be extremely useful but only if correctly designed, commented Aaron Higbee, CTO and founder of phishing test outfit PhishMe.

"This exercise committed every cardinal sin of simulated phishing by lacking defined goals, failing to consider the ramifications the email could have, failing to communicate to all potentially involved parties, and perhaps abusing trademarks/trade dress or copyrighted material," said Higbee in a blog.

Borrowing a real brand for the exercise was a particular flaw, something that risked legal problems, Higbee said.

"Without defined goals, what is the point of simulating a phishing attack in the first place? If the commander's goal was to demonstrate susceptibility, a simulation isn't necessary."

Ironically, The Washington Post reports that not a single person clicked on the fake site.

Red-faced Department of Defense officials have decided not to discipline the unnamed commander who set up the test simply because there are no agreed guidelines in place. Future tests will need official approval and will be carried out according to new rules.

"This is people's nest eggs, their hard-earned savings. When you started hearing TSP of all things, the rumor mill ran rampant," an official told the newspaper.

This kind of phishing-goes-AWOL cock-up isn't unprecedented. During a 2010 phishing test that went awry, airmen at Guam Air Force fell for a pretend email inviting them to apply to appear in the Michael Bay movie Transformers 3. The ruse worked a treat; many of the targets happily submitted sensitive information to a website, details of which then leaked to the Internet.


Copyright © 2014 IDG Communications, Inc.
