State looking to go on phishing expedition

State Department looking for a phishing-as-a-service vendor to test employees and spot where it is vulnerable to email spoofing attacks.

The State Department is looking for a service to launch simulated phishing attacks on its employees as a training tool.

In a new sources sought notice, State is looking for a “phishing as a service” solution that would send emails to up to 190,000 users throughout the department, including those posted overseas.

Phishing is the malicious practice of trying to acquire information such as usernames and passwords by posing as a trustworthy entity.

In the scenario laid out in the State Department RFI, the contractor would send emails to state.gov addresses with embedded links back to the contractor.

If you click through, you would be hit with immediate training including awareness of the mistake you made and information on proper procedures to follow in the future.

In essence, State wants to test its employees to see how likely they are to fall for a phishing attack.

The phishing-as-a-service contractor will have its systems completely separate from the State Department, so there will be no commingling of data.

The contractor also will have to identify common threat vectors and other vulnerabilities in State systems.

Responses to the RFI are due March 7.