The e-mail said that crews were going to start filming "Transformers 3" on Guam and invited airmen to fill out applications on a Web site if they wanted to work the shoot. The Web site then asked them for sensitive information. The rumor quickly spread to pretty much all the major and minor movie sites, which the local media investigated, leading to a denial from Andersen:
This type of in-house phishing exercise is a routine occurrence in the military and in major corporations, and is generally seen as a good way of promoting security awareness. But in Andersen's case, the information in the phishing e-mail started leaking to the civilian world.
"Unfortunately, many of Andersen's personnel responded to this inject and submitted their personal information to the Web site, and forwarded the information outside of Andersen," the Air Force base said in a statement.
"Leadership from Andersen AFB regrets that there has been any confusion in the general public regarding this exercise phishing attempt," Andersen said in a statement. "We hope however that this will show that all individuals need to be careful about the real danger of phishing emails and that others can learn from this exercise."

This is a very crafty test on the part of the Air Force. Just because it caused a little confusion on the civilian side doesn't mean they should not try this kind of test again. The most successful phishing attacks (and therefore the worst for the victims) are the ones that hit people right in their sweet spot of interests or fears. Glad I am not one of the airmen at the base, as I am sure many got an earful from their superiors.
There is a solid lesson here. Legitimate sources of email, be it for movie casting, security breaches, etc., will never ask for money, your login credentials, social security number or other personal information on the first contact. Once you are actually hired, some of that might need to be supplied for payroll purposes, but not up front before the hiring occurs. When in doubt, assume it's fake and, if important, follow up outside the email and the links it may supply. Another small bit of advice: do not assume links in emails are 100% correct. It never hurts to hover over them and check the status bar message at the bottom of your browser to make sure the address it is going to is familiar and legit. Thanks to NHLfan for the link.
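The "hover and check" habit can also be automated on the defender's side. This added Python example (not code from the original post) parses a constructed sample email body and flags any link whose real destination host differs from the host shown in the link text, or is not on an allowlist of familiar hosts; the sample HTML and the hostnames in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML email body (not the Andersen message).
# The first link shows a familiar-looking URL as its text but points somewhere else.
SAMPLE_EMAIL_HTML = """
<p>Apply for the film shoot at
<a href="http://apply.example.net/login">https://www.example.org/casting</a>
or read the base notice at <a href="https://www.example.org/news">https://www.example.org/news</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html, familiar_hosts):
    """Return links whose real target host is unfamiliar or differs from the host shown in the text."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        target = urlparse(href).hostname or ""
        # Only compare hosts when the visible text itself looks like a URL.
        shown = urlparse(text).hostname if "://" in text else None
        mismatch = shown is not None and shown != target
        unfamiliar = target not in familiar_hosts
        if mismatch or unfamiliar:
            flagged.append({"href": href, "text": text, "target_host": target,
                            "shown_host": shown, "mismatch": mismatch, "unfamiliar": unfamiliar})
    return flagged
```

Run against a real message, the output is the same check a reader does by hovering: the true host behind each link, and whether it matches what the link claims to be.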