After USPS Phishing Hack, Audit Shows Postal Workers Still Click on Links

Months after a suspected malicious email attack breached U.S. Postal Service personnel data, a quarter of agency employees fell for a simulated email scheme, according to an internal watchdog. 

As previously reported, unknown hackers accessed the Social Security numbers of about 800,000 USPS employees, along with medical information on 485,000 personnel from workers' compensation claims, in September 2014. 

This May, the USPS Office of Inspector General sent bogus emails to a sample population of agency employees as a way of evaluating compliance with incident reporting policies.

The result: 789 of the 3,125 employees baited -- or 25 percent -- clicked on a phony link in the "phishing" email, according to an IG audit publicly released Wednesday. Most of the would-be victims were administration personnel and operations workers.

After clicking on a test email or even just receiving one, almost nobody (7 percent) reported the incident to the USPS Computer Incident Response Team, as required. 

The inspector general is not releasing the names of employees who were part of the assessment to management.

The 2014 hack, which USPS officials disclosed last November, "appeared to be caused by a phishing email attack," Michael Thompson, acting deputy assistant IG for technology, investment and cost, said in the audit.  

Most of the participants in the recent phishing drill (96 percent) had not completed annual information security awareness training, including 95 percent of the clickers, the report found.

"When management does not require all employees with network access to take annual information security awareness training, users are less likely to appropriately respond to threats," Thompson said. 

Currently, only new hires and chief information office personnel are required by policy to complete the curriculum every year. 

The Postal Service system, one of the largest corporate email networks, manages 3.5 million messages a day among 200,000 email accounts, according to the inspector general.

USPS officials said the evaluation took place right at the start of a new cybersecurity training course, adding that the 25 percent click rate is comparable to industry benchmarks for organizations just beginning their training. The new course focuses on how to identify phishing traps, officials said.

According to the audit, inspectors captured responses to the fake emails between May 27-June 4. 

“We agree that annual security awareness training, which included phishing awareness training, is critically important for the organization,” Greg Crabb, USPS chief information security officer, said in a Sept. 18 written response to a draft report. “We are emphasizing the need to report then delete suspicious emails” through the new educational initiative.

Postal employees are not alone in the struggle to spot deceptive emails. Phishers even gained a foothold into the Joint Chiefs of Staff administrative email network over the summer, according to Ars Technica, faking emails from a bank used by many service members.

About 18 percent of federal IT professionals ranked phishing among the primary security threats affecting their agencies, while negligent insiders were the most pervasive hazard, garnering 44 percent of votes, according to an Oct.1 Ponemon Institute study.

A suspected Russian cyberspy campaign, Pawn Storm, has been targeting defense sector, government and other high-profile individuals in Ukraine and the United States via password-stealing phishing attacks, security firm TrendMicro recently reported. The attempted compromises were aimed at an array of webmail providers like Gmail, Yahoo, Hushmail and Outlook, the researchers said. 

(Image via wk1003mike/Shutterstock.com)