A British prankster managed to fool a senior White House official by posing as Jared Kushner and sending him an invitation via email.
The White House official apparently responded to the email and also shared his personal email address with the prankster.
The prankster wrote a pretty convincing email to Homeland Security Adviser Tom Bossert's White House email account, asking him to join a party towards the end of August.
"Tom, we are arranging a bit of a soirée towards the end of August. It would be great if you could make it, I promise food of at least comparible (sic) quality to that which we ate in Iraq. Should be a great evening," he wrote.
To his surprise, he received a reply from Bossert accepting the invitation. "Thanks, Jared. With a promise like that, I can't refuse. Also, if you ever need it, my personal email is (redacted)."
After he received Bossert's response, the prankster shared the emails with CNN. While the fact that a White House official can so easily be fooled is hilarious for some, it is also a sobering fact considering that this is the very technique that cyber criminals use to obtain sensitive information from government agencies.
What's even more concerning is the fact that Homeland Security Adviser Tom Bossert also looks after cyber security at the White House.
"We take all cyber related issues very seriously and are looking into these incidents further," said the White House after CNN presented it with the details.
"While these particular incidents were undertaken to be funny, the implications of how easily the individuals involved were entrapped should be clear. The difference between this prankster and a serious criminal is only in the disclosure of the results. A serious criminal wouldn’t have shared the outcome with the press. Email spearphishing is a big challenge for cybersecurity, and shouldn’t be taken lightly," says Tim Erlin, VP at Tripwire.
"A sophisticated criminal with a target in mind could use email as a channel to develop a more complete relationship and ultimately compromise much more sensitive information.
"With this incident in the press, the White House should take a close look at email security and training their staff to recognize spearphishing attempts," he adds.
In the UK, the National Cyber Security Centre has also flagged several attempts by suspected hackers to obtain personal details of British Members of Parliament and has advised ministers and their staff to look out for such activities. Such phishing emails ask MPs to disclose the IDs and passwords of their personal accounts or to log in to fake websites.
"Attackers might send legitimate-looking password reset emails, urgent-sounding messages about financial problems, account change notifications requests, or links to documents that require you to log in with passwords," said the agency.
"The emails are very convincing and could arrive at an individual’s personal or work email account, perhaps even appearing to come from someone known to the recipient," it added. It also warned that phishing attacks are likely to continue and that MPs should desist from sharing their passwords with unknown recipients.