Phishing Ourselves
In September of 2021, the UTK Administration asked that OIT develop and carry out a phishing campaign. The phishing will continue until the clicks improve, and they ARE improving! A couple of Frequently Asked Questions (FAQs) about the phishing campaign:
- Why do we phish ourselves?
ANSWER: To condition our responses to phishing emails. Practice makes perfect. The OIT HelpDesk processes compromised accounts every week, working with individuals to reset their passwords and secure their accounts. The Desktop Support group “cleans” up after someone errantly clicks on a malicious link, removing viruses from desktops. Phishing is the single biggest IT Risk that we face as it leads to compromised credentials and exposure to malicious software (malware) such as ransomware. - Aren’t you wasting our time?
ANSWER: No. Granted, “most” faculty and staff respond to phishing emails by reporting them to abuse@utk.edu then just hitting the DELETE key; DONE! However, a number of employees still fall prey to the phish and take the bait. In fact, in November of 2021, 1122 of 5044 employees (22.3%) clicked on a phishing link or opened an attachment in a phishing email. That’s almost ONE in FOUR employees. Remember that it only takes ONE malicious link to a Zero-Day vulnerability to spread throughout a department. (The term “zero-day” refers to the fact that the vendor or developer has only just learned of the flaw – which means they have “zero days” to fix it. A zero-day attack occurs when hackers exploit the flaw before developers have a chance to address it.)
OIT conducted a baseline phishing exercise in September 2021 used to compare all following campaigns. “Clickers” were shown a “404-Page Not Found” web page. Starting in October, “clickers” were presented with a web page that informed them that they were victims of a phishing campaign. The page also depicted the RED FLAGS or features of an email that they should critically examine before clicking on a link or opening an attachment.
The campus clicked less in December, to the tune of 870 clicks (18.8%). Here’s hoping that the downward trend continues. The benchmark for the Education industry (1000+ users) is 27.9%. The UTK baseline established in September was 20.3%.
If you do receive an email that contains the RED FLAGS we’ve all been trained on, report it to the OIT HelpDesk by forwarding it to abuse@utk.edu! It may be one of the phishing awareness campaign or it could be THE ONE.
If you’re reading this, the chances are good that you are NOT one of the “clickers.” However, not all of your colleagues have the opportunity to read about the campaign. Share the information!