recommended reading

After USPS Phishing Hack, Audit Shows Postal Workers Still Click on Links


Months after a suspected malicious email attack breached U.S. Postal Service personnel data, a quarter of agency employees fell for a simulated email scheme, according to an internal watchdog. 

As previously reported, unknown hackers accessed the Social Security numbers of about 800,000 USPS employees, along with medical information on 485,000 personnel from workers' compensation claims, in September 2014. 

This May, the USPS Office of Inspector General sent bogus emails to a sample population of agency employees as a way of evaluating compliance with incident reporting policies.

The result: 789 of the 3,125 employees baited -- or 25 percent -- clicked on a phony link in the "phishing" email, according to an IG audit publicly released Wednesday. Most of the would-be victims were administration personnel and operations workers.

After clicking on a test email or even just receiving one, almost nobody (7 percent) reported the incident to the USPS Computer Incident Response Team, as required. 

The inspector general is not releasing the names of employees who were part of the assessment to management.

The 2014 hack, which USPS officials disclosed last November, "appeared to be caused by a phishing email attack," Michael Thompson, acting deputy assistant IG for technology, investment and cost, said in the audit.  

Most of the participants in the recent phishing drill (96 percent) had not completed annual information security awareness training, including 95 percent of the clickers, the report found.

"When management does not require all employees with network access to take annual information security awareness training, users are less likely to appropriately respond to threats," Thompson said. 

Currently, only new hires and chief information office personnel are required by policy to complete the curriculum every year. 

The Postal Service system, one of the largest corporate email networks, manages 3.5 million messages a day among 200,000 email accounts, according to the inspector general.

USPS officials said the evaluation took place right at the start of a new cybersecurity training course, adding that the 25 percent click rate is comparable to industry benchmarks for organizations just beginning their training. The new course focuses on how to identify phishing traps, officials said.

According to the audit, inspectors captured responses to the fake emails between May 27-June 4. 

“We agree that annual security awareness training, which included phishing awareness training, is critically important for the organization,” Greg Crabb, USPS chief information security officer, said in a Sept. 18 written response to a draft report. “We are emphasizing the need to report then delete suspicious emails” through the new educational initiative.

Postal employees are not alone in the struggle to spot deceptive emails. Phishers even gained a foothold into the Joint Chiefs of Staff administrative email network over the summer, according to Ars Technica, faking emails from a bank used by many service members.

About 18 percent of federal IT professionals ranked phishing among the primary security threats affecting their agencies, while negligent insiders were the most pervasive hazard, garnering 44 percent of votes, according to an Oct.1 Ponemon Institute study.

A suspected Russian cyberspy campaign, Pawn Storm, has been targeting defense sector, government and other high-profile individuals in Ukraine and the United States via password-stealing phishing attacks, security firm TrendMicro recently reported. The attempted compromises were aimed at an array of webmail providers like Gmail, Yahoo, Hushmail and Outlook, the researchers said. 

(Image via wk1003mike/

Threatwatch Alert

Stolen laptop

Wireless Heart Monitor Maker to Pay $2.5M Settlement to HHS After Laptop Stolen

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.