Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Ping: William Pelgrin

William Pelgrin

This article can also be found in the Premium Editorial Download: Information Security magazine: Captive to SOX compliance? A compliance guide for managers


Phishing For Awareness
Below is the methodology of the mock phishing exercises conducted last year by New York's CSCIC.


  • Advisory partnerships formed with SANS and Anti-Phishing Working Group.
  • AT&T routed messages from an outside network.
  • Phase 1 launched to 10,000 state employees from iso@cscic.org--not the CSCIC naming convention (the only clue that it was a scam).
  • The message prompted users to link to a password checker; clicking in the form denoted failure.
  • A month later, Phase 2 launched, and users were led to a link where they were asked to enter personal information.
  • Surveys, tutorials and quizzes were offered depending on the user action taken.
Phase 1:
  • 17% followed the link to the password-checker site.
  • 15% tried to interact with the password checker.
  • 3% cut and pasted the URL into a browser.
Phase 2:
  • 14% followed the link.
  • 8% interacted with the form.
  • 5% cut and pasted the URL into a browser.
There was a 40 percent improvement from Phase 1 to Phase 2.


Spear-phishing scams won't find any targets among New York's state government agencies if William Pelgrin, director of New York's Office of Cyber Security and Critical Infrastructure Coordination, has anything to say about it. A pair of mock phishing exercises against state agencies ruffled a few feathers, but raised awareness.

Why the mock phishing exercises? Was there a problem? We were concerned about hackers who were moving from phishing to spear phishing, where the apparent sender is a real trusted source. This forced us to say "Let's get ahead of it before becomes a problem."

What did you do with those who failed? If it's about blame, we all lose. Those who failed the exercises viewed a tutorial and video on the perils of phishing and were quizzed. Names of those who failed were not forwarded to a commissioner.

This is not the only event; it's part of our standard awareness program. We are asking agencies to deal with phishing in their annual awareness training as well. We did start to change some of the culture; that's what this is all about.

Aren't you concerned that state employees will lose trust in legitimate e-mails coming from your office? We debated that at length. There's no negative impact that they can't trust e-mail. It gave them time to pause and think that no matter who it is, they should not lower their security standards. There are ways to handle this securely. If you get one of these e-mails--even if it's from a trusted source--end the session, phone that person and talk to them about it, then go back and deal with the information they may or may not need.

Read the complete interview at searchsecurity.com/ismag.

This was last published in March 2006

Dig Deeper on Email and Messaging Threats-Information Security Threats

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.