recommended reading

After USPS Phishing Hack, Audit Shows Postal Workers Still Click on Links


Months after a suspected malicious email attack breached U.S. Postal Service personnel data, a quarter of agency employees fell for a simulated email scheme, according to an internal watchdog. 

As previously reported, unknown hackers accessed the Social Security numbers of about 800,000 USPS employees, along with medical information on 485,000 personnel from workers' compensation claims, in September 2014. 

This May, the USPS Office of Inspector General sent bogus emails to a sample population of agency employees as a way of evaluating compliance with incident reporting policies.

The result: 789 of the 3,125 employees baited -- or 25 percent -- clicked on a phony link in the "phishing" email, according to an IG audit publicly released Wednesday. Most of the would-be victims were administration personnel and operations workers.

After clicking on a test email or even just receiving one, almost nobody (7 percent) reported the incident to the USPS Computer Incident Response Team, as required. 

The inspector general is not releasing the names of employees who were part of the assessment to management.

The 2014 hack, which USPS officials disclosed last November, "appeared to be caused by a phishing email attack," Michael Thompson, acting deputy assistant IG for technology, investment and cost, said in the audit.  

Most of the participants in the recent phishing drill (96 percent) had not completed annual information security awareness training, including 95 percent of the clickers, the report found.

"When management does not require all employees with network access to take annual information security awareness training, users are less likely to appropriately respond to threats," Thompson said. 

Currently, only new hires and chief information office personnel are required by policy to complete the curriculum every year. 

The Postal Service system, one of the largest corporate email networks, manages 3.5 million messages a day among 200,000 email accounts, according to the inspector general.

USPS officials said the evaluation took place right at the start of a new cybersecurity training course, adding that the 25 percent click rate is comparable to industry benchmarks for organizations just beginning their training. The new course focuses on how to identify phishing traps, officials said.

According to the audit, inspectors captured responses to the fake emails between May 27-June 4. 

“We agree that annual security awareness training, which included phishing awareness training, is critically important for the organization,” Greg Crabb, USPS chief information security officer, said in a Sept. 18 written response to a draft report. “We are emphasizing the need to report then delete suspicious emails” through the new educational initiative.

Postal employees are not alone in the struggle to spot deceptive emails. Phishers even gained a foothold into the Joint Chiefs of Staff administrative email network over the summer, according to Ars Technica, faking emails from a bank used by many service members.

About 18 percent of federal IT professionals ranked phishing among the primary security threats affecting their agencies, while negligent insiders were the most pervasive hazard, garnering 44 percent of votes, according to an Oct.1 Ponemon Institute study.

A suspected Russian cyberspy campaign, Pawn Storm, has been targeting defense sector, government and other high-profile individuals in Ukraine and the United States via password-stealing phishing attacks, security firm TrendMicro recently reported. The attempted compromises were aimed at an array of webmail providers like Gmail, Yahoo, Hushmail and Outlook, the researchers said. 

(Image via wk1003mike/

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.


When you download a report, your information may be shared with the underwriters of that document.