Good Fish Versus Bad Phish: Knowing the Difference

The Department of Homeland Security has designated October as National Cyber Security Awareness Month with the theme, “Cyber Security is our shared responsibility and we must work together to stay cyber safe.”

To commemorate the month, the Exchange’s IT Directorate is presenting “mortal combat” in hopes of hooking all associates into helping the good fish beat the bad phish.

Each Monday during National Cyber Security Month, phishing expert Nancy Perry, a data security analyst with the IT Department, will send phishy emails to all associates.

Phishing expeditions

She and her fellow IT security experts will track the number of people who report the phish emails to IT—and those unfortunate souls who’ll click on the link, thus falling for the phish.

To report phish, click on the ‘Report Phish” button on the Outlook menu or send an email to SpamReporting@aafes.com.

The IT team will compare the numbers between those who ignore the phish and those who don’t to see if Good Fish is in better health that Bad Phish, or vice versa.

Plus, associates can help Good Fish get and stay resilient by participating in quizzes Perry’s team will send out every Wednesday.

Sorry, there aren’t any prizes for the associate who catches the most phish.

Not all about fun, games

But phishing isn’t all about fun and games. The Exchange blocks about a half-million spam every day, with 25,000 of those being phishing expeditions.

Despite Exchange associates being savvier about cyber tomfoolery than employees in other industries, only one phish getting through can cause all kinds of problems with Exchange data and operations.

“Phishing is the leading cause of data breaches,” said Mickey Bradford, senior vice president of the IT Directorate. “When suspicious emails make it through our controls, associates are the last lines of defense.

“If bad guys get the LAN ID and password of an Exchange associate, they have a way into our system. From that point, several things could happen, the worst-case scenarios being like what happened with the major data breaches you hear about on the news.”

Warning signs of bad phish

Linda Bailey, another phishing expert on IT’s Intrusion and Detection Team, said for phishing expeditions in general, associates can look for a few tipoffs.

“There is a sense of urgency stated in the email, something about the email just seems odd, it provides either improbable good or bad news, and it asks you to ignore your company’s procedures on emails,” Bailey said. “Of course, associates should always be suspicious of links and unexpected attachments.”

For more information, check out the Department of Homeland Security’s cyber security toolkit.