Psych! Colleges teach phishing lesson by targeting their own

COLUMBUS, Ohio — Thousands of university students and employees targeted by email phishing schemes this year have taken the bait. Fortunately, they were duped not by real scammers, but by their own schools — in simulations meant to make them more adept at spotting real threats.

When Ohio State University did its first student-focused phishing in January — a strategy also used in the corporate world — over 18 per cent of the recipients clicked through. The University of Alabama at Birmingham’s employee-focused phishing awareness campaign snagged over 7,000 people in March, or about a quarter of the recipients.

Ohio State sophomore Ezequiel Herrera, who prides himself on quickly responding to messages, was caught off guard twice by the fake phishing emails. The first time, he said, he felt proud his school was taking that kind of educational action. The second time left him frustrated.

“I was sort of like, ‘Wow, I’m really, really bad,’” Herrera, 19, said with a smile. Since then, he said, he has become more cautious while scrolling through emails from unfamiliar senders.

The faux phishing messages mimic emails about financial aid, holidays, resetting passwords or other topics but contain signs of potential fraud, such as generic greetings, requests for urgent action or information, spelling errors, and senders from unfamiliar domain names. Recipients who click links in the emails are redirected to tips about good cybersecurity habits and how to spot and report real attempts at stealing passwords or other sensitive information.

“A phishing simulation helps people understand the role that they play in managing security — that it’s not up to their IT support or the help desk or whoever that they can sort of blindly walk along,” said Helen Patton, Ohio State’s chief information security officer. “A lot of what makes an organization secure is what happens between an individual and their keyboard or their phone.”

Patton talks about it like a digital vaccination, helping protect individuals and the broader campus community against cyberattacks that could cost far more than the phishing simulations.

Just last month, U.S. prosecutors accused a group of Iranians of hacking the computer systems of about 320 universities in the U.S. and abroad to steal billions of dollars’ worth of science and engineering research that was then used by the government or sold for profit. Prosecutors said spear-phishing emails were used to target over 100,000 professors, but they didn’t publicly identify those individuals or their schools.

Ohio State has used phishing simulations for employees since 2016. Officials won’t disclose exact results for security reasons but say responses have improved since the early rounds when, for example, a message about a second-floor printer was clicked by people in facilities that didn’t even have a second floor.

In a hurried, tech-reliant culture in which so many people exchange so much information at their fingertips on smartphones and other devices, Patton said, the battle is getting people to slow down.

The practical, experiential training of fake phishing has proved more effective than slideshows, webinars or other common types of training that can get stale, said Joanna Grama, who directs the cybersecurity program at the higher education technology association EDUCAUSE.

The risk, of course, is that folks will feel tricked, so it’s important that the training be educational, not punitive, Grama said.

At Alabama-Birmingham, one faculty member decried the phishing simulation as a waste of time, but most responses were positive, said Curt Carver, the university’s vice-president for information technology, who recalls first hearing about the concept of self-phishing over a decade ago.

Some people report the messages as suspicious, and others send replies like “Ha, you got me!” or “Didn’t get me this time!” A few, he said, expressed interest in making it more of a game, wanting to gauge how well they detect phishing attacks compared with others.

“They’ve realized … they can be a hero, they can be a person that helps protect everybody else,” Carver said.
