Woops! Army’s attempt at a phishing simulation bombs

At PhishMe, we feel like we’ve done a pretty good job of debunking the idea that you can address the spear phishing threat using the pentest model, but after reading this Washington Post story about a phishing test gone awry, it looks like we still have some work to do.

In this test, an Army combat commander sent an email to a “small group” of Army employees disguised as an email from their retirement plan provider urging them to log in to their accounts. The email used the name of Thrift Savings Plan, the actual 401(k) account provider for most federal employees, and provided no indication that it was a simulated phishing exercise, causing a panic across the DoD as concerned recipients shared the email with colleagues and flooded the Thrift Savings Plan customer support line. It took nearly three weeks for the Pentagon to trace the origin of the email.

Will the Target fallout shift focus away from compliance?

While in the check-out line at Target recently, I observed an interesting exchange that shows just how deep the impact from Target’s massive data breach has been. While rummaging for bills in her wallet, the woman in front of me in line asked the cashier whether anyone still used their credit card at Target anymore. The cashier could only shrug, but the fact that two ordinary people were discussing the impact of a data breach was remarkable, and Target’s recent sales numbers show that people aren’t only nervous about using credit cards at Target, they are avoiding the retailer altogether. Only 33 percent of US households shopped at Target in January of 2014, a 22 percent decline from 2013, and Target’s lowest level of shopper penetration in the last three years.

This is bleak news for a company that has already generated an enormous amount of negative publicity that has led to a U.S Senate hearing, a restructuring of Target’s corporate leadership, and even a change in Target’s employee dress code.