Cybersecurity in the UA system
Fake emails seeking to “phish” data out of victims are nothing new, but a recent study by the University of Alaska found that about 13 percent of University of Alaska employees still fall for the bait.
In the experiment, over 7,000 UA employees were sent an email from the “HR Department” detailing policies concerning the upcoming election. The email asked employees to click on a link and record their acknowledgment of the policies; when they clicked on the link, they were instead directed to the PhishMe website, to a page about the dangers of phishing.
Phishing is a hacking tactic in which a cybercriminal creates an email or website that mimics a legitimate company in order to trick users into giving up login details or other personal information. Spear-phishing is phishing aimed at specific people, for example UA employees, with the email or website tailored to trick them. Phishing emails often pressure recipients to act quickly.
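As an added illustration of the indicators described above (a message that imitates a legitimate organization and pushes the reader to act quickly), the following script flags them in an email's sender address, links and wording. It is not code from the article, the university or PhishMe; the trusted-domain allowlist, the urgency phrase list and the two sample messages are constructed for this example.

```python
"""Flag common phishing indicators in a message: an untrusted or lookalike
sender domain, links whose visible text names a different host than the
real target, links to untrusted domains, and urgency wording.
Added example; allowlist, phrase list and sample messages are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: domains the organization legitimately sends from.
TRUSTED_DOMAINS = {"alaska.edu"}

# Constructed list of phrases that pressure the reader to act quickly.
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "act now", "verify your account")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' domain: mail.alaska.edu -> alaska.edu."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(sender, subject, body_html):
    """Return a list of human-readable indicators found in the message."""
    found = []
    sender_domain = registrable_domain(sender.split("@")[-1])
    if sender_domain not in TRUSTED_DOMAINS:
        # Lookalike check: a trusted name embedded in an untrusted domain.
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in sender_domain:
                found.append(f"sender domain {sender_domain} imitates {trusted}")
                break
        else:
            found.append(f"sender domain {sender_domain} is not trusted")

    parser = _LinkExtractor()
    parser.feed(body_html)
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        link_domain = registrable_domain(host)
        if link_domain not in TRUSTED_DOMAINS:
            found.append(f"link points to untrusted domain {link_domain}")
        # Visible text shows one host while the href goes somewhere else.
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        if shown and registrable_domain(shown.group(0)) != link_domain:
            found.append(f"link text '{text}' does not match target {link_domain}")

    lowered = (subject + " " + body_html).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            found.append(f"urgency wording: '{phrase}'")
    return found


if __name__ == "__main__":
    # Constructed lookalike message, modelled on the kind of lure described above.
    for line in phishing_indicators(
        "hr@alaska-edu.com",
        "Action required: acknowledge election policy immediately",
        '<p>Please <a href="http://login.alaska-edu.com/ack">alaska.edu/ack</a> within 24 hours.</p>',
    ):
        print("-", line)
```

The checks are deliberately simple string and host comparisons so that the logic is easy to audit; a production mail gateway would add sender authentication results (SPF, DKIM, DMARC) and a proper public-suffix list in place of the two-label domain heuristic.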
“Cybersecurity is a shared responsibility,” Karl Kowalski, chief information technology officer of the UA system, said. “Even all the best firewalls aren’t going to protect us from someone accidentally giving up their username and password by clicking on an email.”
The University System used the PhishMe company to conduct the experiment.
“Hackers who do these phishing campaigns are getting quite sophisticated,” Kowalski said. “They look at your organization, they see what real people might work for your organization, they look for times of year.”
A popular type of phishing attempt focused on the season is emails claiming to be invoices or package trackers for people who may have purchased something for the holidays, according to Kowalski.
“[People click on the link] then by the time they’ve gone, ‘oh no this isn’t real,’ it’s too late and the damage is done,” Kowalski said.
The email and a follow-up email explaining the experiment from Kowalski were sent in October for National Cybersecurity Month.
“We learned that we need to do more education to our user community. It’s not about trying to get people in trouble; it’s really about making the internet a safe place for everybody,” Kowalski said. “Part of that responsibility falls with us … Our motto is ‘When in doubt, throw it out.’”
The proportion of UA employees who fell for the fake phishing email is about 13 percent.
“I don’t think it’s an outrageous number — phishers are getting good at what they do,” Kowalski said.
Arsh Chauhan of UAF’s Cyber Security Club felt similarly about the number of employees who clicked.
“I think 12 percent is a good result,” Chauhan wrote in an email. “I think viewing what kind of employees clicked on them is a better metric. We should be worried about high access employees with access to private information being susceptible to phishers.”
In a compilation of phishing tests conducted in 2015, about 13 percent of people across eight million results clicked on a phishing attachment. The median time it took people to open the email was one minute and 40 seconds, and the median time to the first click on the attachment was three minutes and 45 seconds, according to Verizon’s 2016 Data Breach Investigations Report.
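The two metrics above (median time to open and median time to first click) and Chauhan’s suggestion of breaking the click rate down by the kind of employee who clicked are straightforward to compute from a simulation’s result log. The script below is an added example, not code from the university, PhishMe or Verizon; the send time, the “standard” and “high-access” tiers and the eight recipient records are constructed for illustration.

```python
"""Summarize a simulated-phishing result log: overall click rate, click rate
per access tier, who in the high-access tier clicked, and median seconds
from send to open and to first click.
Added example; the records and tier names are constructed."""
from datetime import datetime, timedelta
from statistics import median

# Constructed send time of the test email.
SENT_AT = datetime(2016, 10, 3, 9, 0)


def _rec(rid, tier, opened=None, clicked=None):
    """Build one recipient record; times are seconds after SENT_AT or None."""
    return {
        "id": rid,
        "tier": tier,
        "opened_at": SENT_AT + timedelta(seconds=opened) if opened is not None else None,
        "clicked_at": SENT_AT + timedelta(seconds=clicked) if clicked is not None else None,
    }


# Constructed result log: one record per recipient of the test email.
RESULTS = [
    _rec(1, "standard", opened=60, clicked=200),
    _rec(2, "standard", opened=100),
    _rec(3, "standard"),
    _rec(4, "standard", opened=30, clicked=90),
    _rec(5, "high-access", opened=120, clicked=300),
    _rec(6, "high-access"),
    _rec(7, "high-access", opened=240),
    _rec(8, "standard", opened=500),
]


def click_rate(records):
    """Fraction of recipients who clicked the link (0.0 for an empty log)."""
    if not records:
        return 0.0
    clicked = sum(1 for r in records if r["clicked_at"] is not None)
    return clicked / len(records)


def click_rate_by_tier(records):
    """Click rate per access tier, the breakdown suggested in the article."""
    tiers = {}
    for r in records:
        tiers.setdefault(r["tier"], []).append(r)
    return {tier: click_rate(recs) for tier, recs in sorted(tiers.items())}


def clickers_in_tier(records, tier):
    """IDs of recipients in the given tier who clicked, for targeted follow-up training."""
    return sorted(r["id"] for r in records if r["tier"] == tier and r["clicked_at"] is not None)


def median_seconds(records, field):
    """Median seconds from send to the given event, or None if nobody did it."""
    deltas = [(r[field] - SENT_AT).total_seconds() for r in records if r[field] is not None]
    return median(deltas) if deltas else None


def summarize(records):
    """Combine the metrics into one report dictionary."""
    return {
        "click_rate": click_rate(records),
        "click_rate_by_tier": click_rate_by_tier(records),
        "high_access_clickers": clickers_in_tier(records, "high-access"),
        "median_seconds_to_open": median_seconds(records, "opened_at"),
        "median_seconds_to_click": median_seconds(records, "clicked_at"),
    }


if __name__ == "__main__":
    for key, value in summarize(RESULTS).items():
        print(f"{key}: {value}")
```

The medians are computed only over recipients who actually opened or clicked, which is how a time-to-click figure is normally reported; recipients who never acted are excluded rather than treated as infinite delays.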
“If you feel that you have clicked on an erroneous email, don’t be afraid to call the help desk,” Kowalski said. “We’re not here to punish people … we’re here to help you keep your information and the university’s information safe.”