A US Army commander decided to run a small experiment to see how many Army employees would fall for a phishing email. No one fell for it, but because the exercise was not coordinated with other government departments, it caused an uproar.
According to The Washington Post, the phishing emails were designed to look like they were coming from the Thrift Savings Plan (TSP), the retirement savings plan used by a majority of federal workers and administered by a small agency. The emails carried the subject line “Thrift Savings Plan Alert: Passcode Reset” and appeared to come from a tspgov.us email address, a lookalike of the plan’s real domain, tsp.gov.
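The lure relied on a sender domain that differs from the legitimate one only by where the dot sits and which top-level domain follows. As an added illustration (this code is not from the article, the Army or TSP), the following Python script flags From: addresses whose domain impersonates an allowlisted one. The allowlist, the confusable-character table and the sample headers are constructed for the example; tsp.gov is the Thrift Savings Plan’s real domain, the other entries are illustrative.

```python
import re

# Constructed allowlist for this example. tsp.gov is the Thrift Savings Plan's real
# domain; army.mil is included only to show how legitimate internal mail passes.
LEGITIMATE_DOMAINS = {"tsp.gov", "army.mil"}

# A few digit-for-letter substitutions commonly used in lookalike domains (illustrative).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def sender_domain(address):
    """Return the lowercase domain of an address like 'Name <user@host>', or None."""
    m = re.search(r"@([a-z0-9.-]+)>?\s*$", address.strip().lower())
    return m.group(1) if m else None


def _normalize(domain):
    """Undo confusable digits and drop separators: 'tsp-g0v.us' -> 'tspgovus'."""
    return re.sub(r"[^a-z0-9]", "", domain.translate(CONFUSABLES))


def classify_domain(domain, legitimate=LEGITIMATE_DOMAINS):
    """Classify a sender domain as 'legitimate', 'lookalike' or 'unrelated'."""
    # Exact allowlisted domain or a subdomain of one (login.tsp.gov) is legitimate.
    if domain in legitimate or any(domain.endswith("." + d) for d in legitimate):
        return "legitimate"
    norm = _normalize(domain)
    labels = domain.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    for real in legitimate:
        real_norm = _normalize(real)
        real_sld = real.split(".")[-2]
        # tspgov.us, tsp-gov.com, tsp.gov.example.net: the real name, with separators
        # removed, survives inside the impostor; t5p.gov: confusables hide an exact
        # match; tsp.com: the same brand label under a different top-level domain.
        if real_norm in norm or sld.translate(CONFUSABLES) == real_sld:
            return "lookalike"
    return "unrelated"


def classify_sender(address, legitimate=LEGITIMATE_DOMAINS):
    """Classify a full From: value; 'unparseable' when no domain can be extracted."""
    domain = sender_domain(address)
    return "unparseable" if domain is None else classify_domain(domain, legitimate)


def triage(from_headers, legitimate=LEGITIMATE_DOMAINS):
    """Return the From: values that impersonate an allowlisted domain."""
    return [h for h in from_headers if classify_sender(h, legitimate) == "lookalike"]


# Constructed sample headers, not real messages. The first mimics the lure the
# article describes (a tspgov.us sender); the rest exercise the other branches.
SAMPLE_FROM_HEADERS = [
    "TSP Alerts <alerts@tspgov.us>",
    "Thrift Savings Plan <noreply@tsp.gov>",
    "Security <helpdesk@t5p.gov>",
    "HR <hr@mail.army.mil>",
    "Vendor <billing@example.com>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(f"{classify_sender(header):<11} {header}")
```

A check like this belongs in the mail gateway rather than in the recipient’s judgement: it would have quarantined the tspgov.us lure regardless of how convincing the subject line was, and a real campaign would not announce itself the way this exercise eventually did.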
Since no one outside the unit knew about the exercise, not even TSP, recipients treated the emails as a real attack and forwarded them as warnings to thousands of people at the Department of Defense, the FBI, and other agencies. Worried recipients also flooded TSP’s call center with questions.
Unsurprisingly, the agency is unhappy about the whole affair, especially since it made plan participants worry about the safety of their accounts.
Conducting such exercises is common practice, particularly in large organizations: a simulated campaign measures how many employees click a lure, enter credentials, or report the message, which is a more reliable gauge of awareness than training attendance alone.
However, in this case, experts and officials have pointed out that an organization whose brand is being impersonated, here TSP, should be informed (or asked for permission) beforehand, and that the exercise should have been coordinated with the agencies whose staff might receive forwarded copies.
On the bright side, none of the roughly 100 Army employees who received the emails clicked on the links.