BreachExchange mailing list archives
WIU UTech conducts internal review of phishing attacks
From: Destry Winant <destry () riskbasedsecurity com>
Date: Fri, 17 Nov 2017 22:18:31 -0600
http://www.mcdonoughvoice.com/news/20171117/wiu-utech-conducts-internal-review-of-phishing-attacks

University Technology Chair Robert Emmert reported on Tuesday at the Student Government Association meeting that his department conducted an internal review of security protocols to prevent recurring phishing attacks.

Phishing is a common type of internet fraud where scammers send emails that appear to be from a reputable company, enticing people to give up personal information.

Collaborating with Mathew Mencel, Jeremy Merrit and Mike Rodgers, Emmert said they came up with a program called “phishing ourselves,” which he explained is “a way for us to do some training and create awareness about phishing here on campus.”

Emmert relayed recommendations made by the FBI that there needs to be “some kind of interactive training – you need to put things in front of people and make them think about it. If they do fall for it, train them during that process of what happens (during a phishing attack).”

The goals for the training and awareness phishing program were to “gather real data as to the number of students, faculty and staff that may be likely to fall for phishing attacks,” said Emmert.

“We wanted the data to show that people do fall for these things and that with that (data), we could look for increased monetary support to do more training.”

Outlining the program, which was presented a year ago to interim Provost Kathleen Neumann, Emmert explained “the idea was to send three e-mails, and we chose times that would not interfere with any of the business practices going on here at the university.”

He said they chose March, April and May as “times where we can send out an e-mail, get a response from people but not interfere with any of their operations.”

He also said that each e-mail that was sent out became increasingly sophisticated, and each click on an email was treated as a “training opportunity” with a website that came up talking about phishing and some of the tell-tale signs of a phishing attack inside an e-mail.

User names were not collected; only the number of unique clicks on a message inside an e-mail was recorded.

“If we are going to do this, we wanted to use it as an educational opportunity for everybody,” said Emmert.

Results of the first e-mail phishing attack are telling: Emmert said 3,002 students, 131 faculty and 273 staff clicked on the link inside the e-mail.

In the second simulated attack, two separate e-mails – one for faculty and one for students – were sent out. The results from the second attack improved, said Emmert.

“We went from 3,000 students to 1,000, but once they saw the log-in page requesting username and password, some 587 students went ahead and submitted some sort of data on there,” he said. “For faculty, we had 203 clicks on the link and 54 submit some data. On the staff side, we had 277 clicks on the link and about 75 submit data.”

The third and final email was similar to the first email attack with one message sent to all students, faculty and staff.

“1500 students clicked on the link again. About 1000 students submitted data,” but, Emmert continued, “faculty numbers really started to go down; 76 faculty clicked with 44 submitting data. Staff numbers went down, as well; 197 clicked and 97 submitted data.”