An Army combat commander who sent out a phishing email to test whether his or her staff was alert to cybersecurity threats got more than he or she bargained for after the message ended up being forwarded to thousands of government employees unaware it was only a test, The Washington Post reports.
Coming from the address of accountservices@tspgov.us, it was a classic phishing email — with an email address and content that looked official — similar in fashion to emails from hackers attempting to trick people into giving them personal information and passwords.
"Spear phishing is a tactic that is only part of the larger attack which is usually focused on obtaining credentials to gain access to private networks and sensitive information," online threat researcher Daniel Cohen told BankInfo Security last July.
While testing military networks and users is a worthy effort — especially with groups such as the Syrian Electronic Army out there actively trying to electronically break into U.S. Central Command — this test was not sanctioned at higher levels of the Pentagon.
The commander who sent out the message was unnamed in the report, but the Post noted that he or she was acting on his or her own authority to test internal vulnerabilities. Unfortunately, the small group of recipients forwarded it on to others within the Defense Department, Customs and Border Protection, the FBI, and other agencies.
And since the email warned users of problems with their password on the Thrift Savings Plan — the government's version of the 401k retirement plan — it got passed around so much it made its way into an FBI alert.
Defense officials told The Post they will now be setting up Defense Department-wide guidelines for conducting phishing exercises.