Thursday, October 8, 2009

Operation Phish Phry

How full is the "junk" folder in your email account? If you are like me, it gets filled faster each day with junk email. Most of these emails are simply, well, junk. But some are phishing emails sent by genuine bad guys trying to get me to divulge a password, Social Security Number, account number or other personally identifiable information (PII). We all get these phishing emails, and they are clever.

Yesterday, the FBI announced its Operation Phish Phry. According to the FBI:
The defendants in Operation Phish Phry targeted U.S. banks and victimized hundreds and possibly thousands of account holders by stealing their financial information and using it to transfer about $1.5 million to bogus accounts they controlled. More than 50 individuals in California, Nevada, and North Carolina, and nearly 50 Egyptian citizens have been charged with crimes including computer fraud, conspiracy to commit bank fraud, money laundering, and aggravated identity theft.
In conjunction with this, FBI Director Robert Mueller was in San Francisco addressing the Commonwealth Club. His remarks included the following:

Most of us assume we will not be targets of cyber crime. We are not as careful as we know we should be. Let me give you an example.

Not long ago, the head of one of our nation’s domestic agencies received an e-mail purporting to be from his bank. It looked perfectly legitimate, and asked him to verify some information. He started to follow the instructions, but then realized this might not be such a good idea.

It turned out that he was just a few clicks away from falling into a classic Internet “phishing” scam—“phishing” with a “P-H.” This is someone who spends a good deal of his professional life warning others about the perils of cyber crime. Yet he barely caught himself in time.

He definitely should have known better. I can say this with certainty, because it was me.

After changing all our passwords, I tried to pass the incident off to my wife as a “teachable moment.” To which she replied: “It is not my teachable moment. However, it is our money. No more Internet banking for you!”

Wowsers. The head of the FBI is human. And to use his own embarrassing experience to illustrate that we all are at risk shows me he is also a pretty big man.

At the upcoming PCI Workshop in Long Beach, I have planned a little phishing exercise. It may not be Operation Phish Phry, but I think it will open your eyes a little to the risks in your email inbox.

Phishing should be part of your user training. Read Director Mueller's remarks and see how you can use this information in your own internal training.
