Now the federal government is going to phish their own employees to determine if they will "click" on malicious links.
Wade-Hahn Chan of FCW.com reports:
Phishing is a technique of tricking or coercing users into giving up personal information, revealing log-in names and passwords or visiting malware or virus-infected Web sites. The government-sanctioned attacks will be designed to test how well federal workers adhere to organization's e-mail security policies.
FCW.com article, here.
Most stories about phishing concentrate on attacks for personal information, which is later used in financial crimes. While this type of phishing is bad enough, spear phishing targets an organization's information.
With the number of data breaches - in both the private and public sectors - the concern that employees might be compromising large amounts of information is very real. If anyone wants to see a long list of these breaches (courtesy of the Privacy Rights Clearinghouse) compiled in the past couple of years, you can do so by clicking here.
No matter how much security you use to protect a system, most of it proves worthless if a person with access compromises it.
And although most stories about phishing emphasize the impact this has on identity theft and financial crimes, espionage is also a valid concern.
This might be a very effective tool to raise "employee awareness" on "information security."