Phishing test results
University IT concludes winter phishing test, shares findings
10 a.m., Feb. 15, 2016--University of Delaware Information Technologies (IT) has concluded its winter 2016 phishing test.
The test was designed to mimic spear phishing attacks that the University has recently observed. Spear phishing, a highly dangerous and increasingly common form of phishing, targets a specific organization or group of people and uses the names, logos, events and information of that legitimate company or group to trick victims into believing that the phishing emails are legitimate communications.
Spear phishers might, for example, use the logos and names of executives of a major bank or university to send targeted emails designed to fool employees of that bank or university.
The winter 2016 phishing test email used tricky, yet detectable tactics in an attempt to fool University staff into clicking. For example, the clickable link went to “udel.email” rather than “udel.edu.” Complete annotations of the test email are available at the Secure UD Threat Alerts blog.
All members of the University community are encouraged to familiarize themselves with the patterns and tactics used by phishers and learn to protect themselves, their information, the University and IT resources from harm.
Staff members who clicked the test link were taken to a fake “UD Outlook Web App” web page that requested their UDelNet ID and password. Those who entered their credentials were then taken to a fake update page with a final clickable link.
Of the staff who received the test email, 18 percent clicked the link in the email, 12 percent submitted their UDelNet ID and password and 9 percent clicked the fake update link. These numbers represent a significant drop from the 2015 phishing test, in which 25 percent of recipients clicked the link in the test email.
IT will contact individuals whose response to this phishing test could have endangered personal or University information. Those employees will receive follow up information, including advice for recognizing and avoiding phishing attacks.
IT stresses that these advanced spear phishing tactics using stolen company information and logos to create malicious emails, links and web pages are becoming increasingly commonplace in the cyber world.
In real spear phishing attacks, those who respond by clicking links or submitting their credentials put their personal information, their UD account and other UD information and systems at risk.
Higher education institutions, banks, credit card companies, health care organizations and other businesses are constantly being hit by these attacks in an attempt to bypass organizations’ security measures and gain access to secured systems. These attacks use social engineering to target the human link in the business chain. It’s vital that all members of the campus community remain vigilant for these kinds of attacks.
Keep in mind the following tips for identifying and avoiding phishing scams.
- Check links in emails carefully. Hover over a link to see where it actually goes before clicking, and never follow links that contain misspellings or that go to unfamiliar or lookalike domains (for example, “udel.email” instead of “udel.edu”).
- Never download attachments that you weren’t expecting.
- Watch out for a sense of urgency or the threat of consequences; they’re used to rush you into acting without thinking.
- Make sure that the information in the email (sender, subject, content, signature, etc.) makes sense together. Watch out for discrepancies and poor writing.
- Verify the content of the email only by contacting the alleged sender using a published phone number, verifying the message in person, or by confirming the information in a separate publication. Never reply directly to the email.
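The link check in the first tip can be automated for anyone who wants to screen a suspicious message before forwarding it. The script below is an example added to this page, not a tool from University of Delaware IT: it pulls every link out of an HTML email body, flags destinations outside the University's domain, flags lookalike domains of the “udel.email” versus “udel.edu” kind that the test email used, and flags links whose visible text names a different host than the one the link actually goes to. The sample email, the trusted-domain list (assumed here to be only `udel.edu` and its subdomains) and all function names are assumptions for the example.

```python
"""Audit the links in an HTML email body for the lookalike-domain tactic
described above.  Example code added to this page; it is not University of
Delaware IT's own tooling.  The sample email is constructed for the example,
and 'udel.edu' is assumed to be the only trusted domain."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the institution's legitimate domain(s).  Subdomains are trusted too.
TRUSTED_SUFFIXES = ("udel.edu",)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host name of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host, suffixes=TRUSTED_SUFFIXES):
    """True only if host IS a trusted domain or a subdomain of one.
    A plain substring test would wrongly accept 'udel.edu.evil.example'."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def registrable(host):
    """Naive registrable domain: the last two labels (enough for udel.edu / udel.email)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _looks_like_url(text):
    return "." in text and " " not in text


def audit_links(html, suffixes=TRUSTED_SUFFIXES):
    """Return one finding per http(s) link; 'reasons' is empty for clean links."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if urlparse(href).scheme not in ("http", "https"):
            continue  # mailto:, tel: and similar are out of scope here
        host = host_of(href)
        reasons = []
        if not is_trusted(host, suffixes):
            reasons.append("untrusted host")
            # Same second-level label as a trusted domain but a different TLD,
            # e.g. udel.email standing in for udel.edu.
            for s in suffixes:
                r = registrable(host)
                if r != s and r.split(".")[0] == s.split(".")[0]:
                    reasons.append(f"lookalike of {s}")
        # Link text that shows a URL must point at the same host as the href.
        if _looks_like_url(text):
            shown = host_of(text if "://" in text else "http://" + text)
            if shown and shown != host:
                reasons.append("display text names a different host")
        findings.append({"href": href, "host": host, "text": text, "reasons": reasons})
    return findings


# Constructed sample modelled on the test email's tactic: the visible text
# says udel.edu, the real destination is udel.email.
SAMPLE_EMAIL = """<p>Your UD Outlook Web App mailbox is almost full.</p>
<p>Log in at <a href="http://www.udel.email/owa/">https://www.udel.edu/owa/</a>
within 24 hours to avoid losing mail.</p>
<p>Questions? Contact <a href="https://www.udel.edu/it/help/">the IT Help Center</a>.</p>"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{flag:10} {f['href']:40} {', '.join(f['reasons'])}")
```

Run against the sample, the first link is reported three times over (untrusted host, lookalike of udel.edu, display text names a different host) while the real IT Help Center link passes. The `is_trusted` check deliberately matches on the whole domain boundary rather than a substring, because a phisher can register `udel.edu.evil.example` or put `udel.edu` in a path just as easily as they registered `udel.email`.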
The University recognizes the need to create consistent and trustworthy standards for official communications. IT is partnering with the Office of Communications and Public Affairs to equip campus communicators with guidelines and practices for creating trustworthy and consistent emails. These forthcoming guidelines will provide campus communicators with a standard for safe email design and help to reduce possible confusion about what is or is not a legitimate University communication.