[BreachExchange] WIU UTech conducts internal review of phishing attacks

Destry Winant destry at riskbasedsecurity.com
Fri Nov 17 23:18:31 EST 2017


http://www.mcdonoughvoice.com/news/20171117/wiu-utech-conducts-internal-review-of-phishing-attacks

University Technology Chair Robert Emmert reported on Tuesday at the
Student Government Association meeting that his department conducted
an internal review of security protocols to prevent recurring phishing
attacks.

Phishing is a common type of internet fraud in which scammers send e-mails
that appear to be from a reputable company, enticing people to give up
personal information.

Collaborating with Mathew Mencel, Jeremy Merrit and Mike Rodgers,
Emmert said they came up with a program called “phishing ourselves,”
which he explained is “a way for us to do some training and create
awareness about phishing here on campus.”

Emmert relayed recommendations made by the FBI that there needs to be
“some kind of interactive training – you need to put things in front
of people and make them think about it. If they do fall for it, train
them during that process of what happens (during a phishing attack).”

The goals for the training and awareness phishing program were to
“gather real data as to the number of students, faculty and staff that
may be likely to fall for phishing attacks,” said Emmert. “We wanted
the data to show that people do fall for these things and that with
that (data), we could look for increased monetary support to do more
training.”

Outlining the program, which was presented a year ago to interim
Provost Kathleen Neumann, Emmert explained “the idea was to send three
e-mails, and we chose times that would not interfere with any of the
business practices going on here at the university.” He said they
chose March, April and May as “times where we can send out an e-mail,
get a response from people but not interfere with any of their
operations.”

He also said that each e-mail that was sent out became increasingly
sophisticated, and each click on a link in an e-mail was treated as a
“training opportunity”: a web page came up explaining phishing and
some of the tell-tale signs of a phishing attack inside an e-mail.
User names were not collected; only the number of unique clicks on a
message inside an e-mail was recorded.

“If we are going to do this, we wanted to use it as an educational
opportunity for everybody,” said Emmert.

Results of the first simulated phishing e-mail are telling: Emmert said
3,002 students, 131 faculty and 273 staff clicked on the link inside
the e-mail.

In the second simulated attack, two separate e-mails – one for faculty
and one for students – were sent out. The results from the second
attack improved, said Emmert. “We went from 3,000 students to 1,000,
but once they saw the log-in page requesting username and password,
some 587 students went ahead and submitted some sort of data on
there,” he said. “For faculty, we had 203 clicks on the link and 54
submit some data. On the staff side, we had 277 clicks on the link and
about 75 submit data.”

The third and final e-mail was similar to the first, with one message
sent to all students, faculty and staff. “1500 students clicked on the
link again. About 1000 students submitted data,” but, Emmert
continued, “faculty numbers really started to go down; 76 faculty
clicked with 44 submitting data. Staff numbers went down, as well; 197
clicked and 97 submitted data.”
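The program described above records only unique clicks per cohort, never user names, and reports clicks and data submissions separately for each wave. The following script is an added example of how an awareness team could produce that kind of per-wave, per-cohort report from a landing-page log; it is not code from the article or from WIU UTech. It assumes the training landing page logs one line per event with a random per-recipient token (the `a1f3`-style values) embedded in each tracking link, so identities are never stored; the log lines, cohort sizes and field layout are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample log (not real WIU data). Fields: timestamp, wave, cohort,
# anonymous per-recipient token, event. Only the token is logged, never a
# username, matching the "unique clicks only" design described in the article.
SAMPLE_LOG = """\
2017-03-14T10:02:11 wave1 students a1f3 click
2017-03-14T10:02:19 wave1 students a1f3 click
2017-03-14T10:05:40 wave1 students 9c0e click
2017-03-14T10:07:02 wave1 faculty 55d2 click
2017-03-14T10:07:03 this line is malformed
2017-04-18T09:11:27 wave2 students a1f3 click
2017-04-18T09:11:58 wave2 students a1f3 submit
2017-04-18T09:30:05 wave2 students 9c0e click
2017-04-18T11:45:12 wave2 faculty 55d2 submit
"""

# Constructed cohort sizes, used as denominators for the rates.
RECIPIENTS = {"students": 5, "faculty": 2}

VALID_EVENTS = ("click", "submit")


def parse_line(line):
    """Return (wave, cohort, token, event) or None for a line that does not fit the format."""
    parts = line.split()
    if len(parts) != 5 or parts[4] not in VALID_EVENTS:
        return None
    _timestamp, wave, cohort, token, event = parts
    return wave, cohort, token, event


def aggregate(log_text):
    """Collect the set of tokens that clicked / submitted per (wave, cohort).

    Using sets gives unique counts: the repeated click by token a1f3 in
    wave1 is counted once. Malformed lines are skipped and counted so the
    report can say how much of the log was unusable.
    """
    buckets = defaultdict(lambda: {"clicked": set(), "submitted": set()})
    malformed = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            malformed += 1
            continue
        wave, cohort, token, event = parsed
        bucket = buckets[(wave, cohort)]
        if event == "submit":
            bucket["submitted"].add(token)
        # A submission implies the page was reached even if the click event was lost.
        bucket["clicked"].add(token)
    return buckets, malformed


def rates(buckets, recipients):
    """Turn the token sets into counts and rates per (wave, cohort)."""
    out = {}
    for (wave, cohort), bucket in buckets.items():
        size = recipients[cohort]
        clicks = len(bucket["clicked"])
        submits = len(bucket["submitted"])
        out[(wave, cohort)] = {
            "clicks": clicks,
            "submits": submits,
            "click_rate": clicks / size,
            "submit_rate": submits / size,
            # Share of clickers who went on to enter data on the fake login page.
            "submit_given_click": submits / clicks if clicks else 0.0,
        }
    return out


def report(log_text=SAMPLE_LOG, recipients=RECIPIENTS):
    """Full pipeline: parse, deduplicate, compute rates; also returns the malformed-line count."""
    buckets, malformed = aggregate(log_text)
    return rates(buckets, recipients), malformed


if __name__ == "__main__":
    results, malformed = report()
    for key in sorted(results):
        m = results[key]
        print(f"{key[0]:>5} {key[1]:<8} clicked {m['clicks']} ({m['click_rate']:.0%}) "
              f"submitted {m['submits']} ({m['submit_rate']:.0%})")
    print(f"skipped {malformed} malformed line(s)")
```

Keying the sets on the random token rather than on an e-mail address is what lets the report show a cohort's click and submission rates wave by wave without the log ever being able to name who fell for a message.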