Phishing scam turns out to be an inside job
Posted: Wednesday Apr 2, 2008 11:14:58 EDT
An Army “phishing” test backfired the day before April Fool’s Day after an Army command was discovered phishing amongst its own.
The Army Family and Morale, Welfare and Recreation Command issued a press release at 4:12 p.m. Monday warning about a phishing e-mail scam.
The e-mail, which sported the Army’s official MWR logo, appeared to be an attempt to obtain personal information from soldiers by offering promises of free or discounted tickets to theme parks and attractions.
The press release said the Family and MWR Command was trying to find the owners of the Web site and the host of the domain.
Less than an hour later, the command issued another statement saying the phishers had been found — the Army’s own Network Enterprise Technology Command.
That command had notified MWR officials that it had been conducting a test of how soldiers respond to phishing scams — without letting anyone in the MWR command know about it.
Army MWR officials sent out a retraction 54 minutes after their phishing warning went out, saying they were “furious” that such a test had been conducted, using the MWR logo, without their knowledge or consent, and apologizing “for any inconvenience this might have caused.”
The phishing scam e-mail listed a Web link with an online registration form asking for a name, e-mail address, phone, city, state and ZIP code. The e-mail apparently went out across the service to soldiers’ Army e-mail accounts and to MWR professionals.
“I don’t think they were doing anything malicious,” said Laurie Pugh, spokeswoman for the Army Family and MWR Command. “They were just testing the system to protect our soldiers. We wish we had known in advance. But we know our system worked. We got the word out quickly.”
NET Command spokesman Eric Hortin was checking with officials to confirm whether the command was conducting a test and why.
Hortin said he had received a warning himself from installation officials about the phishing scam Monday, and had forwarded it to NET Command officials to make sure they were aware of it.
Pugh said the MWR command’s information technology officials found out about it Sunday afternoon when their webmaster began getting inquiries about whether the e-mail was legitimate. Technology officials then began trying to trace the source of the e-mail.
The Family and MWR Command previously has put out educational information warning soldiers and families about phishing scams, said spokesman Bill Bradner.
Phishing scams present the unsuspecting clicker with links that lead to what look like legitimate Web sites for banks or other companies, luring people into entering personal information. That information can then be used to steal someone’s identity for a variety of fraudulent purposes, such as opening credit card accounts and running up large bills, ruining the victim’s credit record.
The Army Family and MWR command encourages soldiers and families to visit their official sites for more information on the real bargains available to authorized MWR patrons.
“For example, through Dec. 31, active-duty military are authorized free admission to one Anheuser-Busch theme park of their choice, including up to three accompanying family members,” said Dan Yount, chief of Army leisure travel services, in the announcement about the phishing scam. “But we’re not providing them by mail or advertising the tickets through an e-mail offer.”
Army MWR programs never ask for personal information through e-mail messages. Details about deals are listed on the two authorized Web sites, and sent through Army and civilian news outlets, not by e-mail.