In April, the University launched the Secure UD "Take a BITE out of phish!" campaign. This enhancement to Secure UD Training helps improve our community's awareness of phishing attacks and the danger they pose to personal information, devices, and accounts.
Members of the University community can help protect themselves, each other, and our institution by remembering "BITE":
- Be aware of the threat
- Identify the warning signs
- Tell us about suspicious messages
- Erase phish from your inbox
How it works
Each month, as part of the "Take a BITE out of phish!" campaign, a randomly selected sample of employees will be presented with a harmless test phish that mimics the real attacks being launched against the University community. The campaign is intended to raise awareness—not to deceive or trick. Employees will not be punished for falling for test phish. If an employee falls for a test phish, he or she will see a message about the "Take a BITE out of phish!" campaign and resources to help become more successful at recognizing future phishing attacks.
Employees are encouraged to be aware of the threat posed by phishing attacks and report suspicious messages immediately by forwarding them to firstname.lastname@example.org. Phishing emails sent to email@example.com, including test phish and real ones, are annotated and posted to the Secure UD Threat Alerts blog.
Our first test
In April, the University ran the first "Take a BITE out of phish!" test. In this baseline assessment, test emails were sent to all 7,119 employees enrolled in the campaign. Only 273 employees (3.83%) clicked on the suspicious link, and 161 employees reported the phish by forwarding it to firstname.lastname@example.org.
These results are a tremendous improvement over the University's two previous phishing tests. In June 2015, 25% of test phish recipients clicked on the suspicious link, and in February 2016, 18% of recipients did so.
April's phishing test shows that our community has made great progress in security awareness. Most organizations expect to see single-digit click rates only after several months to a year of testing. Although a perfect 0% click rate is impossible to achieve, continued testing, training, and awareness can help manage much of the risk to our community and our University. Cyberattacks continue to evolve, and a well-informed and vigilant community is our greatest defense against them.
Why it matters
The importance of increased and ongoing phishing awareness was recently highlighted by the massive and very real Google Drive phishing attack and the ransomware epidemic that crippled the United Kingdom's National Health Service.
During the first week of May, thousands of organizations and millions of accounts received phishing emails that imitated Google Docs invitations. Clicking the link and giving permission to the fake Google Drive app would compromise a victim's account and allow the attacker to then send the same phishing email to addresses in that account's contact list.
Last Friday, the news exploded as 40+ National Health Service trusts, the backbone of the UK's healthcare system, were shut down by ransomware. Dubbed "WannaCry," this strain of malware encrypts files on computers and network drives and demands payments ranging from $300-600+ for their return. WannaCry is also designed to spread across networks to attack as many vulnerable devices as possible. As the ransomware raced across the UK and into 150 other countries, patients were denied medical care and businesses crashed.
While incidents like these are highly visible in the news and are good examples of what can happen when cyberattacks are successful, these are far from rare occurrences. Hackers are always searching for and trying new ways to exploit people, organizations, and countries.
Even as our community becomes more aware and phishing test scores continue to improve, regular training and continued watchfulness are important to protecting ourselves, each other, and our University from cyberattacks.
How you can help
You can help protect our community against phishing and other cyberattacks simply by being aware of them. If you identify a suspicious email, forward it to email@example.com. You can also report other kinds of cyberattacks and security risks by emailing firstname.lastname@example.org.
May's phishing test is coming up soon! See if you can spot our test phish and forward it to email@example.com!
You can learn more about the dangers of phishing and how to keep yourself, our community, and our University safe by completing the "Social Engineering" and "Email, Phishing, and Messaging" modules of Secure UD Training. Phase I of Secure UD Training, which includes these and other modules, will be available until September. Approximately 1,000 employees have started or completed Phase I so far. Join your colleagues in helping Secure UD: complete your training today!
Unit heads who would like to arrange a phishing test for their unit, or who would like a report of Secure UD Training completion across their unit, may request one by contacting firstname.lastname@example.org.