Ping: William Pelgrin

William Pelgrin

This article can also be found in the Premium Editorial Download: Information Security magazine: Captive to SOX compliance? A compliance guide for managers:


Phishing For Awareness
Below is the methodology of the mock phishing exercises conducted last year by New York's CSCIC.


  • Advisory partnerships formed with SANS and Anti-Phishing Working Group.
  • AT&T routed messages from an outside network.
  • Phase 1 launched to 10,000 state employees from the CSCIC naming convention (the only clue that it was a scam).
  • The message prompted users to link to a password checker; clicking in the form denoted failure.
  • A month later, Phase 2 launched, and users were led to a link where they were asked to enter personal information.
  • Surveys, tutorials and quizzes were offered depending on the user action taken.
Phase 1:
  • 17% followed the link to the password-checker site.
  • 15% tried to interact with the password checker.
  • 3% cut and pasted the URL into a browser.
Phase 2:
  • 14% followed the link.
  • 8% interacted with the form.
  • 5% cut and pasted the URL into a browser.
There was a 40 percent improvement from Phase 1 to Phase 2.


Spear-phishing scams won't find any targets among New York's state government agencies if William Pelgrin, director of New York's Office of Cyber Security and Critical Infrastructure Coordination, has anything to say about it. A pair of mock phishing exercises against state agencies ruffled a few feathers, but raised awareness.

Why the mock phishing exercises? Was there a problem? We were concerned about hackers who were moving from phishing to spear phishing, where the apparent sender is a real trusted source. This forced us to say "Let's get ahead of it before becomes a problem."

What did you do with those who failed? If it's about blame, we all lose. Those who failed the exercises viewed a tutorial and video on the perils of phishing and were quizzed. Names of those who failed were not forwarded to a commissioner.

This is not the only event; it's part of our standard awareness program. We are asking agencies to deal with phishing in their annual awareness training as well. We did start to change some of the culture; that's what this is all about.

Aren't you concerned that state employees will lose trust in legitimate e-mails coming from your office? We debated that at length. There's no negative impact that they can't trust e-mail. It gave them time to pause and think that no matter who it is, they should not lower their security standards. There are ways to handle this securely. If you get one of these e-mails--even if it's from a trusted source--end the session, phone that person and talk to them about it, then go back and deal with the information they may or may not need.

Read the complete interview at

This was first published in March 2006

Dig Deeper on Email and Messaging Threats (spam, phishing, instant messaging)



Find more PRO+ content and other member only offers, here.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: