WASHINGTON — An ominous email message landed in the inboxes of a small group of Army employees last month, warning of a security breach in their federal retirement plans and urging them to log in and check their accounts.
The email was a classic spear-phishing expedition looking for unwitting victims willing to share their personal financial information.
It took nearly three weeks to determine that the perpetrator was not a criminal hacker. It was an Army combat commander, acting on his own authority to test whether anyone on his staff would fall for the trick.
In the process of sussing out internal vulnerabilities, though, the commander sowed panic across the government: Employees forwarded the email to thousands of friends and colleagues at the Defense Department, the FBI and other agencies.
Even the Pentagon's Chief Information Office, which oversees computer networks across the military, was unaware that the email was an inside job.
The security-awareness test is the sort that has become increasingly common practice at companies. Some businesses dock managers' pay if their employees repeatedly fall for the pranks.
“Every agency should be doing it,” said Jacob Olcott, a former counsel for the Senate Commerce committee who works for a cyber risk management company.
The upside to the Army episode: No one clicked on the fake site, which was shut down last week. No personal or account information was compromised.
Federal employee unions, though, are furious that their members, who watched their investments plummet in the financial crisis, were put in such a position.
The incident has embarrassed Defense officials, who have pledged to set up “guidelines for the conduct of phishing exercises,” said Lt. Col. Damien Pickart, a Pentagon spokesman. He called the fake email a test of the effectiveness of cyber security training in the Army.
A Defense official, who spoke on the condition of anonymity to talk freely about the incident, called the test a “well-intentioned exercise” that should have been coordinated with the information security office and the savings plan, which should have had the option not to participate.
“This is people's nest eggs, their hard-earned savings,” the official said.
Future phishing tests will be approved by the Chief Information Office, the official said.
The call center still is hearing from confused account holders.
“Like Monty Python, it's not quite dead yet,” spokeswoman Kim Weaver said.