One in five campus email users fails phishing test; security training coming up

Toward the end of October 2018, the Information Security Office within Western Carolina University’s Division of Information Technology sent out a simulated phishing email to all the university’s faculty and staff with email accounts in an effort to assess the campus community’s vulnerability to falling for fraudulent messages of that type.

It was the first test phishing email sent out at WCU. One out of every five WCU employees failed to respond to it properly, with about 20 percent of employees either clicking on the link in the email or entering their campus computer system credentials.

Also, almost half of the faculty and staff – 48 percent – opened the email instead of just looking at it through the reading pane, which is not as bad a cyber sin as clicking on a link or opening an attachment in a suspicious email, but still a bad idea, said Joel McKenzie, chief information security officer in IT. If there is good news associated with the WCU community’s results from the test email, it is that “we are a little better than the industry average for higher education,” McKenzie said.

With a subject line reading “Password Check Required Immediately,” the simulated phishing email included this message and several “red flags” for the cautious email user, including a link to a non-WCU site and an effort to create a sense of urgency, he said.

To All Employees, 

As part of ongoing efforts to maintain regulatory compliance we have updated our password policy and we need everyone to check their password immediately.

Please click here to do that:

Check Password (link)

Please do this right away.

Thanks!

That first test email was sent out to establish a baseline showing the campus community’s current vulnerability, McKenzie said. Coming up next is information security awareness training that is a requirement for all WCU employees with email accounts.

Announced in an email to campus from Interim Chancellor Alison Morrison-Shetlar in late February, the training includes a 25-minute security awareness module offered through the company KnowBe4. Employees are asked to complete the three assignments that address phishing and other security risks by Friday, April 5: “Security Awareness Fundamentals,” “Read Policy 52 – Responsible Use of Information Technology Resources” and “Review Data Handling Procedures.” A few days after Morrison-Shetlar’s email, an alert with information about the training was emailed to employees by KnowBe4.

More simulated phishing tests are planned by IT. “After the security training, we will hopefully have fewer failures in these tests,” McKenzie said. “The tests also will give on-the-spot feedback about what the person receiving the email should have looked for, if that person did mistakenly click on a link.”

In her email to campus, Morrison-Shetlar said cybercrime continues to increase as hackers improve their skills in coaxing computer users into clicking on fraudulent links, opening malicious email attachments or sharing work or personal credentials and identifiable information. “Data security is part of everyone’s job,” she wrote. “Becoming more knowledgeable through comprehensive security awareness training allows all of us to help defend both our university and our own personal identity against cybercrime.”

McKenzie said the number of phishing attacks directed at the WCU email system is constantly increasing, but since the summer of 2018, IT has installed a tool to prevent the vast majority of those emails from ever landing in inboxes. Some of the phishing attempts still slip through that protective barrier, he said.

IT keeps track of the number of phishing “campaigns” that occur at WCU – those that involve many people receiving the same email message – and the number of tickets processed by the IT Help Desk that are phishing-related, McKenzie said. “In the spring of 2018, we saw more than 100 different campaigns, but since we implemented the anti-phishing tool, we have seen around 10,” he said. “And, the number of Help Desk tickets is about 5 percent of what it was in spring of 2018.”

The Information Security Office in IT has seen the tool block more than 3,800 phishing attempts and 350 attempts to deliver malware to campus users just in the last month, McKenzie said.

The common theme for phishing emails is that scammers on the other end are seeking sensitive information such as passwords, credit card numbers or Social Security numbers. “The variety and sophistication are amazing,” McKenzie said. “They disguise the email as being from a legitimate organization, even from WCU, and use social engineering techniques to lure you into taking the bait.”