DHS phishing test
UD phishing test results highlight positives, room for improvement
2:26 p.m., June 8, 2015--University of Delaware IT has partnered with the U.S. Department of Homeland Security (DHS) to test the security of UD’s IT infrastructure and the awareness of its employees.
As part of the DHS tests, a simulated phishing attack was launched against UD accounts. Three test phishing emails were distributed at random to 7,300 full-time and part-time employees to gauge preparedness for phishing threats.
Phishing is the process by which hackers and scammers use misleading email messages to trick victims into surrendering information or downloading malware that could compromise the security of their accounts, devices or networks.
The DHS phishing simulation involved “spear phishing” messages, which use an organization’s real logos, names and events to specifically target that organization’s employees with more convincing scams.
Each of the three emails sent during the test contained references to UD departments, programs or systems:
1. The first email offered employee discounts and instructed potential victims to click a link to claim rewards.
2. The second claimed that UD network access was being reset for the fall 2016 semester and instructed potential victims to click a link and provide their UDelNet credentials.
3. The third advertised Google Apps account upgrades and instructed users to click a link to change their settings.
All of the phishing links redirected users to a UD web page for a “teachable moment” about the risks of phishing attacks.
The phishing messages used in this test have been annotated and posted to the Secure UD Threat Alerts blog so the UD community can see the warning signs that should have indicated that the messages were untrustworthy.
Additional phishing tests will be conducted to further evaluate and improve awareness and response capabilities.
Because the purpose of the test was to gauge the University’s ability to recognize and respond to unanticipated phishing threats, DHS and IT did not inform the campus community about the test beforehand.
Nonetheless, unit IT professionals reacted swiftly to the situation, distributing warnings to their clients about the perceived phishing attack and consulting central IT for further guidance.
DHS and the University did not track which individuals clicked links in the test phishing messages. However, aggregate data revealed that approximately 25 percent of those who received a test phishing email clicked a suspicious link.
Departmental and college IT professionals provided additional feedback about the test’s impact on their units. They reported that some colleagues were clicking the suspicious links, but that many others reported having received suspicious email.
UD IT, departmental and college IT professionals, UD Human Resources, and other units have engaged in a variety of information security initiatives over the past year:
- the Secure UD Threat Alert blog,
- Secure UD Training,
- UDaily announcements and
- training for departmental and college IT professionals.
In the future, IT will continue to collaborate with departmental and college IT professionals to increase employee awareness of phishing threats and how to identify suspicious or dangerous emails.
As part of these efforts to improve security across campus, IT urges units to take care when writing email communications to the campus community. IT is currently developing guidelines to assist units in crafting official email messages consistent with best practices and anti-phishing education.
And as always, community members are reminded to exercise caution while reading email. Always verify that links are legitimate before clicking, and report suspicious email messages to IT immediately.
Article by Alex Lindstrom
Graphic by Christopher Johnson, with some elements from Wikimedia Commons