
January 19, 2018

Phishing simulation – what we did, why we did it, and the outcome

Filed under: Security — Sara Stock @ 2:28 pm

We’re all at risk from phishing scams, but there are things we can do to reduce the risk.

What we did

In December we used a respected cyber security company called Khipu Networks to create a simulated phishing campaign. Every member of staff, including student staff, received an email over the course of a day. The email pretended to be from the IT Helpdesk. Although we ensured that the phish looked realistic in terms of the fonts, logos, signature and language used, there were some subtle clues to it being a phish. The email address it came from had a hyphen where a dot should be, and the web address, if you did a mouse over the link, was not one of ours (although it looked very much like it).

Anyone clicking on the link was taken to a web form and invited to enter their credentials. At this stage the biggest hint that this was a phish is that IT Helpdesk would never ask staff to share usernames and passwords in this way, and nor should any other bona fide organisation. Anyone submitting the form (whether or not they put in any credentials or their real credentials) then received a further email explaining that they had been phished and asking them to watch a short online video, with tips on how to avoid being phished, and take a quiz.
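The three clues described above (a sender domain with a hyphen where a dot should be, a link whose visible text looks internal but whose real target is not, and a request for a username and password) can be expressed as simple mail-triage checks. The following is an added example written for this post, not code from the University or from Khipu Networks; the legitimate domain `university.example` is an assumed placeholder, and both sample messages are constructed.

```python
"""Heuristic checks for the phishing clues described in the post.

Added example, not the University's or Khipu Networks' code. LEGIT_DOMAIN and
both sample messages are constructed placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed placeholder for the organisation's real mail/web domain.
LEGIT_DOMAIN = "university.example"


def is_internal(host):
    """True if host is the legitimate domain or one of its subdomains."""
    host = host.lower()
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def looks_like_legit(host):
    """True if host imitates LEGIT_DOMAIN once dots and hyphens are ignored
    (e.g. a hyphen where a dot should be) but is not actually internal."""
    if not host or is_internal(host):
        return False
    squash = lambda h: re.sub(r"[.-]", "", h.lower())
    return squash(LEGIT_DOMAIN) in squash(host)


def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(tuple(self._cur))
            self._cur = None


# Link text that itself looks like a URL or hostname (so it can mislead the reader).
DOMAIN_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def check_message(raw):
    """Return a list of findings for one raw RFC 822 message ([] = no clue spotted)."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []

    sd = sender_domain(msg)
    if looks_like_legit(sd):
        findings.append(f"sender domain {sd!r} imitates {LEGIT_DOMAIN!r}")

    links = LinkCollector()
    links.feed(body)
    for href, text in links.links:
        host = (urlparse(href).hostname or "").lower()
        text = text.strip()
        shown = ""
        if DOMAIN_LIKE.fullmatch(text):
            shown = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
        if shown and is_internal(shown) and not is_internal(host):
            findings.append(f"link text shows {shown!r} but points to {host!r}")
        if looks_like_legit(host):
            findings.append(f"link target {host!r} imitates {LEGIT_DOMAIN!r}")

    # A bona fide helpdesk never asks for credentials this way.
    if links.links and re.search(r"\b(username|password)\b", body, re.I):
        findings.append("message asks for username/password via a link")
    return findings


# Constructed sample mirroring the clues in the post (hyphen for dot, lookalike link, credential request).
SAMPLE = """From: IT Helpdesk <helpdesk@university-example.ac>
To: staff@university.example
Subject: Action required: verify your account
Content-Type: text/html

<p>Dear colleague,</p>
<p>Please confirm your username and password within 24 hours:
<a href="https://login.university-example.ac/verify">https://login.university.example/verify</a></p>
<p>IT Helpdesk</p>
"""

# Constructed benign notice for comparison.
LEGIT = """From: IT Helpdesk <helpdesk@university.example>
Content-Type: text/html

<p>Planned maintenance on Saturday. See the <a href="https://status.university.example/">status page</a>.</p>
"""

if __name__ == "__main__":
    for f in check_message(SAMPLE):
        print("clue:", f)
    print("benign message findings:", check_message(LEGIT))
```

The squashed-domain comparison is deliberately crude: it catches the hyphen-for-dot trick the post describes but will also flag any domain that merely contains the organisation's name, so treat its output as a prompt for a human to mouse over the link, not as a verdict.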

Why we did it

Phishing is the main way that malware, including ransomware, gets into an organisation. We’ve had recent phishing attacks that have led to ransomware and to individual staff members having their email accounts compromised and people using those accounts to attempt to divert salary payments (in both cases processes have been changed to prevent future damage). Our main line of defence is the awareness of our users. We’ve run two awareness campaigns about the dangers of phishing this year and wanted to see how well they had worked and to assess whether we need more campaigns, more training or a combination of both.

What we didn’t do

We didn’t alert staff beforehand that this was happening in order to maximise the reach. That included IT Services staff, which is why the responses you received if you called were muddled in some instances. We bypassed our normal phishing procedure: we didn’t block emails, we didn’t allow mailscanner to flag mail (although it did in some instances), and we didn’t put out any service alerts.

What happened

We had unfortunate timing in that a real phishing and spam attack that came through a compromised Essex email account happened on the same day. This meant that there were some actual phishing emails in the system on the day, and, more importantly, that the follow-up email (received when anyone entered their Essex details into the fake website) came up to several hours after they hit submit, instead of within a few seconds.

The Helpdesk received a very high number of calls and emails. Various individuals used informal routes to alert colleagues, including email and email lists (Small-Ads). This was all useful as it means that there is a bit of a safety net in place that supports those who might not spot a phish for themselves.

What we learned

Although the number of people who were fooled by the phish was reasonably low – and certainly lower than the 32% reported elsewhere when other institutions have carried out this exercise – it was still substantially higher than the 1% we aspire to. It only takes one successful phish to cause serious problems. Although many people are aware of the fake phish, awareness of our most recent phishing campaign is still low.

We’ve also seen that the IT Helpdesk doesn’t have the resources necessary to cope with such an influx of queries, and we’re looking into ways to ensure better support in future.

Looking at the number of calls to the Helpdesk against the numbers when a phishing attack is dealt with in the usual way (blocking emails, mail scanner, service alerts) we’ve been able to demonstrate that our usual countermeasures dramatically reduce the amount of phishing mails coming in and the numbers of people falling prey to phishing attacks.

What’s next

We’re looking at ways to provide better levels of support to the IT Helpdesk.

We will send simulated phishing emails to students over a period of three or four days, yet to be confirmed, in the new year.

We may run a further simulated phishing test for staff at some stage without warning.

What you can do

We will continue to be hit with real phishing attacks, so do please:

  • continue to be alert
  • make yourself aware of how to spot phish
  • report any phish you spot to
  • print out a phishing tips poster if there isn’t already one on a notice board near you.
  • remember: never respond to emails that ask for your username and password. The University will never email you to ask for your password.
