Phishing simulation catches more than 7,000


A “phishing” attack hooked more than 7,000 members of the University community Monday — but it could have been worse.

The phishing email, disguised with a subject line leading recipients to believe their account had been suspended, led 26 percent of recipients to give up their BlazerID and password to an unknown website — on just the first day.

But the email wasn’t a phish — it was a simulation sent by UAB IT to help educate the University community about the dangers of such attacks.

If the phish had been real, more than 7,000 people could have given their credentials to a scam artist — giving those scammers an opportunity to steal their account information, personal information, even banking information or paychecks.

UAB IT has been running phishing simulations for a year and a half, and creating emails that look as realistic as possible is key in educating campus.

“Unfortunately, phishing attacks are on the rise and they are evolving – becoming more sophisticated and targeted,” said Cindy Jones, director of risk management and compliance for UAB IT. “The basic premise is the perpetrator attempts to elicit fear, curiosity, and/or a sense of urgency out of the target, so that when the target is prompted to open an attachment or fill in their sensitive information, like a username, password, or credit card number, they are likely to comply. That is how they ‘play their game,’ so when we create a campaign we try to make it as realistic as possible.”

The practice of using the simulated phishing campaigns was vetted and supported by University leadership, and members of the Information Security Liaisons group and technology professionals at UAB are informed before a phishing simulation campaign launches so they can support and assist employees and students with questions and concerns.

“Last year, we were actually able to show a decrease in susceptibility of our user base through using the phishing simulations tool, but sadly that number is on the rise again,” Jones said. “Like many universities and businesses today we are grappling with the best way to inform and educate our community about phishing and the dangers of phishing campaigns.”

According to the Verizon Data Breach Investigations Report, 30 percent of phishing messages get opened by targeted users and 12 percent of those users click on the malicious attachment or link.

“Our primary goal is to educate the University community on what to look for so when they are the target of a real phish they can distinguish a phishing email from a legitimate email,” Jones said. “We have had too many users give away their credentials during a real phishing campaign and literally give away their paycheck because the bad guys use their harvested login credentials to change direct deposit information.”

UAB IT offers a number of resources on phishing awareness:

In addition, as part of the PhishMe simulations, if someone falls for the campaign, he or she is taken to a specialized security awareness page that dissects the phishing email and includes our training videos and useful tips.

Last modified on March 21, 2018