Saturday, January 31st, 2009
Justice Department Phishes Its Own Employees

by Blight Crusader

The Associated Press reports that the United States Department of Justice just ran a phishing scam on its own employees as a security test. You just can’t make this stuff up. These are the guys that are supposed to be monitoring and prosecuting phishing scams themselves, remember. Here is the AP report in full:

The Justice Department doesn’t have to look far to find a scam that preys on people whose retirement plans have been crippled by the global financial meltdown. It designed one of its own. And e-mailed it to agency employees.

The bogus offer — signed by “Thrift Savings Plan Account Coordinator” — was sent two weeks ago and directed employees to a Web site and asked them to plug in account information by Jan. 31.

The hoax triggered a bout of anxiety and warnings among Justice Department employees.

One worker, identified only as a “national security specialist” at the U.S. attorney’s office in Portland, Ore., warned colleagues in a mass e-mail Tuesday night, “DO NOT respond to this message. DO NOT provide your user ID or password.” The subject line read, “URGENT – TSP hoax.”

The Justice Department, which acknowledged Thursday that the e-mail was a hoax, is responsible for prosecuting similar computer hoaxes.

On Wednesday, a memo was circulated by Ted Shelkey, assistant director for information systems security, explaining that the savings plan e-mail was a hoax.

“We have learned that the messages are part of a hoax invented and distributed by DOJ to test employee security awareness,” Shelkey wrote.

“The message and the site purported to be the bailout Web site are not malicious,” Shelkey said in his memo. “There is no need to distribute warning messages to colleagues and law enforcement contacts. Please delete all such messages and associated alerts.”

It was unclear who in the department authored and approved the hoax or how many employees received the bogus offer. Shelkey did not immediately respond to an e-mail or to messages left on his office phone Wednesday and Thursday.

The independent Federal Retirement Thrift Investment Board administers the Thrift Savings Plan for federal employees. It operates like a 401(k) plan, with employee and employer contributing money, and had 3.9 million members at the end of 2007.

Justice Department spokeswoman Gina Talamona called the phony e-mail a security test. “This specific exercise was successfully completed within the defined time period,” said Talamona, who works out of the agency’s Washington headquarters.

“Scenarios are intended to represent an example of persistent cyber threats facing today’s Internet users,” she said.

A copy of the bogus offer was provided to The Associated Press by a federal employee who was not authorized to discuss the matter publicly.

On Wednesday — hours after Shelkey sent his e-mail disclosing the Justice Department’s authorship — the plan’s Web site was still treating the episode as a live hoax. It asked to be notified by anyone who volunteered personal information and directed people to another government Web site about “phishing,” the practice of sending e-mails disguised as being from an official institution.

By Thursday, the warning was removed from the retirement plan’s home page.

But this so-called “journalism” doesn’t answer the key question which inquiring minds want to know: How many DOJ employees were actually fooled by this rather obvious phishing scam? How savvy are the people who are supposed to be protecting everyone else from this sort of fraud?

I’d be willing to guess that if any enterprising reporter started pressing this question, it would soon become a matter of “national security” and that we’d never get an honest answer out of them. Because no matter what the percentage of DOJ employees who fell for the self-test scam (assuming it is higher than zero), it would sure be an embarrassment for the department to actually admit it.

But then, that’s just my guess….
