Psych! Colleges teach phishing lesson by targeting their own
Thousands of university students and employees targeted by email phishing schemes this year have taken the bait. Fortunately, they were duped not by real scammers, but by their own schools - in simulations meant to make them more adept at spotting real threats.
When Ohio State University did its first student-focused phishing in January — a strategy also used in the corporate world — over 18 per cent of the recipients clicked through. The University of Alabama at Birmingham’s employee-focused phishing awareness campaign snagged over 7,000 people in March, or about a quarter of the recipients.
Ohio State sophomore Ezequiel Herrera, who prides himself on quickly responding to messages, was caught off guard twice by the fake phishing emails. The first time, he said, he felt proud his school was taking that kind of educational action. The second time left him frustrated.
“I was sort of like, ‘Wow, I’m really, really bad,”’ Herrera, 19, said with a smile. Since then, he said, he has become more cautious while scrolling through emails from unfamiliar senders.
The faux phishing messages mimic emails about financial aid, holidays, resetting passwords or other topics but contain signs of potential fraud, such as generic greetings, requests for urgent action or information, spelling errors, and senders from unfamiliar domain names. Recipients who click links in the emails are redirected to tips about good cybersecurity habits and how to spot and report real attempts at stealing passwords or other sensitive information.
“A phishing simulation helps people understand the role that they play in managing security - that it’s not up to their IT support or the help desk or whoever that they can sort of blindly walk along,” said Helen Patton, Ohio State’s chief information security officer. “A lot of what makes an organization secure is what happens between an individual and their keyboard or their phone.”
Patton talks about it like a digital vaccination, helping protect individuals and the broader campus community against cyberattacks that could cost far more than the phishing simulations.
Just last month, U.S. prosecutors accused a group of Iranians of hacking the computer systems of about 320 universities in the U.S. and abroad to steal billions of dollars’ worth of science and engineering research that was then used by the government or sold for profit. Prosecutors said spear-phishing emails were used to target over 100,000 professors, but they didn’t publicly identify those individuals or their schools.