Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Quarter of USPS Staff Clicked on Phishing Link in Audit

A quarter of US Postal Service (USPS) employees clicked on a ‘phishing email’ designed to test their security awareness in an audit this year, highlighting the ongoing challenge of training staff to spot potential cyber-attacks.

The Office of Inspector General conducted the audit in May this year but the results have only just been released this week.

It claimed that the Postal Service runs one of the largest corporate email systems in the US, with over 3.5 million emails sent to more than 200,000 accounts each day.

However, disappointingly, 789 of the 3,125 employees who took part in the exercise clicked on the link in the phishing email.

What’s more, 93% of those that received the email did not report it to the organization’s Computer Incident Response Team, as required by policy.

The audit revealed that 95% of those who clicked on the phishing link and 96% of those who took part in the exercise didn’t complete the Postal Service’s annual information security awareness training.

The OIG had this to say:

We recommend the acting chief information security officer and Digital Solutions vice president: modify Handbook AS-805, ‘Information Security,’ Section 6-5.3, Training Requirements, to require all employees with Postal Service network access to take annual information security awareness training.

The audit itself was undertaken after a major cyber-attack in November 2014, which is thought to have started with a simple phishing email.

Employees and customers who phoned into the USPS call center between January and August that year are thought to have had their personal details exposed in the attack.

Media relations manager, David Partenheimer, explained in at the time that the information associated with employees “may include” names, dates of birth, Social Security numbers, addresses, employment dates, emergency contact details and more.

No customer credit card information was thought to be taken.

What’s Hot on Infosecurity Magazine?