date 2018-03-17
1 in 3 Michigan Workers Tested Opened A Password-Phishing Email (go.com)
An anonymous reader quotes the AP: Michigan auditors who conducted a fake "phishing" attack on 5,000 randomly selected state employees said Friday that nearly one-third opened the email, a quarter clicked on the link and almost one-fifth entered their user ID and password. The covert operation was done as part of an audit that uncovered weaknesses in the state government's computer network, including that not all workers are required to participate in cybersecurity awareness training... Auditors made 14 findings, including five that are "material" -- the most serious. They range from inadequate management of firewalls to insufficient processes to confirm if only authorized devices are connected to the network. "Unauthorized devices may not meet the state's requirements, increasing the risk of compromise or infection of the network," the audit said.
Opening the email is bad? (Score:3)
In other words, opening the email isn't (err, shouldn't be) the problem. It's what you do after that that's the problem.
Then again, I don't use Outlook so opening the email isn't all that hazardous to me.
Re: (Score:2)
From TFS: "almost one-fifth entered their user ID and password."
The headline probably should have led with that.
Bad metrics (Score:3)
1/3 opened the email? That means that 2/3 don't read their email.
You can't tell if it's a phish just by the subject line and the displayed sender name; you have to at least check the sender email address, path headers and link HTML to make an informed decision.
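The three checks this comment lists (sender address, path headers, link HTML), as an added example that is not part of the original thread. The sample message, its domains, the trusted-domain set and the names `triage`, `domain` and `LinkCollector` are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample; every name and domain below is made up.
SAMPLE = """\
From: "State IT Helpdesk" <helpdesk@state-it-support.example>
Return-Path: <bounce@bulk-mailer.example>
Content-Type: text/html

<a href="http://login.state-it-support.example/reset">https://portal.state.example/reset</a>
"""

class LinkCollector(HTMLParser):
    """Collect [href, visible text] for each <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self.in_a = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self.in_a = True
    def handle_data(self, data):
        if self.in_a:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self.in_a = self.in_a and tag != "a"

def domain(header_value):
    """Lower-cased domain of the address in a From/Return-Path header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw, trusted_domains):
    """Return findings for the sender, path-header and link checks."""
    msg, findings = message_from_string(raw), []
    sender, bounce = domain(msg["From"]), domain(msg["Return-Path"])
    if sender not in trusted_domains:
        findings.append(f"untrusted sender domain: {sender}")
    if bounce and bounce != sender:
        findings.append(f"Return-Path domain differs: {bounce}")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        target = urlparse(href).hostname or ""
        shown = urlparse(text.strip()).hostname if "://" in text else None
        if shown and shown != target:
            findings.append(f"link shows {shown} but goes to {target}")
    return findings
```

Calling `triage(SAMPLE, {"state.example"})` returns one finding per check; none of them is visible from the subject line or display name alone.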
Do away with links in emails already! (Score:2)
Seriously, these phishing scams have been going on for far too long now and cost billions. If there is information that can not be disseminated people should be directed to go to a well vetted website.
secured ? (Score:2)
the email system never verified the URL nor where the email was from
so your email system is so poor you have to rely on the end user not to click on a link?
simply block / rewrite URLs that have not been verified
only accept mail from domains that have been verified and claim the email is from them
(for example that have DNSSEC and DANE set up correctly, as gov addresses have this and can therefore prove that they sent the email)
simple basics that are not the end user's fault
Michigan has a few Great Lakes (Score:2)