Some of you may have noticed an increase in the number of phishing emails hitting your mailboxes. OIT received approximately 485 reports to firstname.lastname@example.org last week, which is higher than usual. One problem is that most of the reports come AFTER someone errantly clicked on the link. Fortunately for the clickers, these were phishing emails sent by UTK as part of a year-long phishing campaign.
UT Knoxville’s grade among the Phishing Prone? A solid “C-,” on a 10-point scale. Not terrible, but we can do better!
At the approval of the administration, OIT engaged the services of KnowBe4, one of the world’s leaders in security awareness training around phishing. Last week, emails were sent to ALL full-time, regular faculty and staff to establish a baseline score. “Clickers and Openers” would have seen a “404 – Page Not Found” error when they clicked on an embedded link or opened an attachment.
Twenty-five different phishing emails were sent randomly, so not everyone received the same email. Some had attachments, which were opened by 16 employees. Some emails actually spoofed utk.edu addresses (i.e., email@example.com, firstname.lastname@example.org). One thing to note is that these addresses were not provided to KnowBe4.
What? A dirty trick? Not at all! The campus’s intent was not to trifle with your feelings or embarrass you. It is meant to impress upon you the importance of looking closer at the mail you receive, even when it “appears” to come from a trusted source. Like biological viruses, malware (think: ransomware) doesn’t care about your feelings, your embarrassment, or the cost you incur by falling prey. The bad guys will claim their prey indiscriminately.
Over the next year, phishing emails will be sent out randomly each month. These will be unannounced. Instead of a “404 – Page Not Found,” those who click will be presented with training on how to avoid becoming a victim. Oh…and they make the stats for that month. The program starts in the next few weeks in observance of Cyber Security Awareness Month, held every October.
Take the time to examine unsolicited emails. Actually, take the time to examine the emails you normally expect, too. Look for the red flags: WHO is sending it, and WHERE is the URL taking you? The REAL phish will keep on coming, so be on your toes! Don’t be a statistic!
If you SEE something, SAY something – report it to email@example.com or, as you should for ANY IT incident, call the OIT HelpDesk at 865-974-9900.