Timely Demonstration of Vulnerability of Employees to Phishing

In a post on April 30, 2015 ("Single Biggest IT Threat Remains Employees"), I made the case for real-time testing of the susceptibility of employees to malicious phishing emails. Two weeks later, the Canada Revenue Agency (CRA) provided a timely demonstration of this vulnerability by sending its 16,000 employees an email designed to simulate the potentially dangerous messages sent by phishers.  Some 3,500 employees, or 22% of the agency's workforce, fell for the scam and clicked on the phony link - even though they were informed ahead of time that a test would take place!  In 2014, the CRA was forced to delay the country's tax-filing deadline due to the infection of its network by the Heartbleed bug via a phishing email.