I’ve been at the lab for a long time. I thought I had a good feeling for how computer users behave here. After all, I’ve been preaching to them for a long time about the potential dangers of email links. Over 1,900 employees and users have taken ITNA-required anti-phishing training, so I was confident that the lab would score well on a mandated phishing exercise. I predicted that there would be very low click rates.
Well, I was dead wrong. In addition to all the actual malicious phishing that arrives every day, in the past month, all lab email users received two messages that were designed by the lab cybersecurity team. Despite a plausible outward appearance, each of these messages had several clear indications that they were not legitimate email messages. One with the subject “ICT Service Desk” asked users to click on a link to a to reset an unspecified password. The second, with the subject “UPS Status Notification,” asked users to click on a link to get information about delivery of a UPS package being shipped from Redmond, Washington, to Batavia, Illinois. (For details about just what the phishing giveaways were in these messages, see the new Security Awareness website at securityawareness.fnal.gov.)
Anyone who clicked these links immediately learned the phishing emails were bogus, and no harm was done. Had these actually been sent by someone other than the security team, the 199 users who clicked the first message might have had their login credentials stolen, and the whopping 753 who clicked the second would have downloaded a malicious payload to their computers. Remember that careless actions on the part of a single user can potentially have serious and dire consequences for the entire laboratory.
So please help me out. Phishing is happening all the time, and some of it will again be testing by the security team. Take the lessons of this first exercise to heart. Help us restore our reputation by making sure we score much better on the next exercise!
Irwin Gaines is the Fermilab chief security information officer.