The University of Alaska has launched a Phishing Awareness Program to reduce the number of faculty, staff and student employees who fall for email scams. Nathan Zierfuss-Hubbard, chief information security officer at the Office of Information Technology, is running the program. He defines phishing as “a targeted attack to trick somebody into giving up a credential or information of value that they don’t have any need or right to.”
Zierfuss-Hubbard said the University of Alaska has been facing an increase in phishing attacks, and the Phishing Awareness Program seeks to teach faculty and staff how to detect scam emails by crafting what looks like a phishing email; instead of malicious links and attachments, the links take recipients to an informational video on phishing. The program is currently underway, and Zierfuss-Hubbard said employees will be sent fake phishing emails every three months. Emails are being sent to @alaska.edu addresses.
“The events that led up to the creation of this program had been an increased amount of targeted phishing at employees and faculty and an increased number falling for that,” Zierfuss-Hubbard said. “Phishing campaigns, we typically get two or three big ones a year. They usually start in September as faculty are coming back, and then the last one that we got caught up in was in December during the break.”
In the 24 hours after the first UAA-crafted phishing email was sent, 248 out of 5,483 email recipients clicked on the link, which then sent them to a 30-second training video. Of those who clicked on the link, 143 recipients spent less than 30 seconds on the website. Three days after the email was sent, 4.8 percent of all recipients who opened the email had also clicked the link. Reports from Zierfuss-Hubbard after the first three days state that, of those who clicked on the scam link, 57 percent did not finish watching the training video.
Falling for a phishing attack as a University employee has some problematic consequences, according to Zierfuss-Hubbard.
“The immediate impact, for employees, is they’ve immediately lost control of their University resource accounts: the accounts that get them into Banner, the accounts that get them into email,” Zierfuss-Hubbard said. “They’ve given away their username and password to somebody they don’t know. Now that individual has all the access they’ve been granted. This isn’t necessarily problematic when an employee doesn’t have a lot of access, but for certain employees that do have a lot of access, their credential is worth a lot.”
In the fake phishing email, Zierfuss-Hubbard said, there were several red flags. These warning signs include the fact that the email uses fear or pressure to motivate the recipient to act, that the link is obscured (the visible text does not match where the link actually goes), and that the email is signed “System Administrator Center,” which Zierfuss-Hubbard said is not a name used by the University of Alaska.
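The three red flags described above (pressure language, an obscured link, an unfamiliar sign-off) can each be checked mechanically before anyone clicks. The script below is an added example written for this article; it is not code from the University of Alaska program. The trusted domain, the allowlist of known IT sign-offs, the pressure phrases, and both sample messages are constructed assumptions chosen to mirror the email the article describes.

```python
"""Flag the phishing red flags named in the article in a raw email message."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example: the institution's mail domain, the sign-offs
# its IT unit actually uses, and the pressure phrases worth flagging.
TRUSTED_DOMAINS = ("alaska.edu",)
KNOWN_SIGNOFFS = ("office of information technology", "oit help desk")
PRESSURE_PHRASES = ("max capacity", "within 24 hours", "will be suspended",
                    "immediately", "act now", "verify your account")
BLOCK_TAGS = {"p", "div", "li", "tr", "br", "h1", "h2", "h3", "h4"}


class VisibleText(HTMLParser):
    """Collect the text a reader sees plus (href, anchor text) pairs."""

    def __init__(self):
        super().__init__()
        self.chunks, self.links = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = (dict(attrs).get("href") or ""), []
        elif tag in BLOCK_TAGS:
            self.chunks.append("\n")

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None
        elif tag in BLOCK_TAGS:
            self.chunks.append("\n")

    def handle_data(self, data):
        self.chunks.append(data)
        if self._href is not None:
            self._anchor.append(data)


def registrable(host):
    """Crude eTLD+1: enough to compare 'mail.alaska.edu' with 'alaska.edu'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_trusted(host):
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in TRUSTED_DOMAINS)


def host_of(text):
    """Hostname if the anchor text itself looks like a URL or domain, else None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host and " " not in text else None


def analyze(raw_message):
    """Return a list of (rule, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = VisibleText()
    parser.feed(body.get_content() if body else "")
    text = "".join(parser.chunks)
    findings = []

    # 1. Fear or pressure language in the subject or the visible body.
    haystack = (str(msg["subject"] or "") + "\n" + text).lower()
    findings += [("pressure", p) for p in PRESSURE_PHRASES if p in haystack]

    # 2. Obscured links: the anchor text shows one destination while the href
    #    goes elsewhere; otherwise note any link leaving the trusted domain.
    for href, anchor in parser.links:
        target = urlparse(href).hostname or ""
        shown = host_of(anchor)
        if shown and registrable(shown) != registrable(target):
            findings.append(("obscured-link", f"{anchor!r} -> {target}"))
        elif not is_trusted(target):
            findings.append(("external-link", f"{anchor!r} -> {target}"))

    # 3. Sign-off or sender display name the institution does not use.
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    signoff = lines[-1] if lines else ""
    sender_name, _ = parseaddr(str(msg["from"] or ""))
    for name in dict.fromkeys([sender_name, signoff]):
        if name and name.lower() not in KNOWN_SIGNOFFS:
            findings.append(("unfamiliar-signoff", name))
    return findings


# Constructed sample modelled on the test email described in the article.
SAMPLE = """\
From: "System Administrator Center" <noreply@alaska.edu>
To: employee@alaska.edu
Subject: Your mailbox is at max capacity
Content-Type: text/html; charset="utf-8"

<p>Your mailbox has reached its max capacity. You must
<a href="http://mail-quota-reset.example.net/expand">click here</a>
within 24 hours or your account will be suspended.</p>
<p>Direct link:
<a href="http://mail-quota-reset.example.net/expand">https://mail.alaska.edu/quota</a></p>
<p>System Administrator Center</p>
"""

# Constructed benign message for comparison.
LEGIT = """\
From: "Office of Information Technology" <oit@alaska.edu>
Subject: Scheduled Banner maintenance Saturday
Content-Type: text/html; charset="utf-8"

<p>Banner will be unavailable Saturday 06:00-08:00. Details:
<a href="https://www.alaska.edu/oit/maintenance">https://www.alaska.edu/oit/maintenance</a></p>
<p>Office of Information Technology</p>
"""

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE):
        print(f"{rule:20} {detail}")
    print("benign findings:", analyze(LEGIT))
```

The sign-off and sender-name check is an allowlist on purpose: a denylist of names attackers have used is easy to evade, while a short list of the names the institution's IT unit really signs with is stable and easy to maintain. The domain comparison is deliberately crude (last two labels) and would need a public-suffix list before use against arbitrary mail.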
Max McGrath, IT security analyst at UAA, said that there will always be a small percentage of email recipients who click on phishing scam links, but that scams typically target financial centers.
“We get phishing emails all the time. Often they are quite targeted, particularly towards areas where potential financial transactions can take place so Accounting Services, any place that has the ability to basically move money,” McGrath said.
If you see a suspicious email, Zierfuss-Hubbard said to report the incident to a University of Alaska IT center so they can reduce the potential impacts of such scams. McGrath said one of the struggles UAA has with security is working to keep emails secure when designated email addresses are public information.
“Trying to say, ‘yes, we are going to secure all of these,’ while at the same time providing an open academic environment, that is I think the biggest challenge,” McGrath said. “So we have to look at ways that we can provide services that allow for a good amount of openness, but that are also able to stop bad behaviors, right. So whether that is a phishing attack, a malware attack, a ransomware attack, that kind of thing.”
Mercy Rains is a student assistant for Student Clubs and Greek Life, and as a student employee, she received the phishing scam email.
“They sent out one recently with a yellow progress bar saying your email is at max capacity, you need to click on this link to expand it, and I’m like that doesn’t even look legitimate,” Rains said. “Then I saw the email they sent out later saying we were just testing you. I’m thinking this doesn’t sound like the best idea to test people’s email systems because, I don’t know why, it just made me feel like next time they see an email like that they’re going to think UAA is sending them another test email, and maybe not perceive it for the real danger it may be.”
Zierfuss-Hubbard said he is going to keep statistics to see whether there is a decrease in people clicking on links over the life of the program.