Wayne State Information Security Office wants to test your scam email knowledge
National Cyber Security Awareness Month spurs year-long training initiative
As the Wayne State community continues to learn and work online, virtual security threats such as scam and phishing emails remain a concern for all large businesses, corporations, and organizations that own sensitive data, including educational institutions like Wayne State University. Computing and Information Technology (C&IT) places a high priority on the security of student, faculty, and staff data, and has focused its efforts on information security training for employees.
In mid-October, C&IT’s Information Security Office (ISO) distributed test scam email messages to select employees as part of its 2020 National Cyber Security Awareness Month (NCSAM) campaign. These tests were designed to measure phishing and scam risk perception and behavior at Wayne State in order to create security-awareness training that is tailored to the community’s specific needs.
“You will see a theme start to emerge, which is that we all have a piece to play in keeping the university secure,” said Wayne State Chief Information Security Officer and Senior Director of C&IT Information Security, Garrett McManaway. “This is the start of a journey to make information security as much a part of our culture as all the other great things we do together as a university.”
Below is a summary of these test email messages, including the clues that confirm them as scams; the phishing techniques used in these test messages are representative of actual messages seen by C&IT’s ISO.
The efforts don’t stop there — in the coming weeks, C&IT will invite employees to security awareness training from KnowBe4. Participants will include employees who work with sensitive data on a daily basis; this training is designed to help those Warriors recognize attacks that put the university at risk every day.
“October is always a great time for us to talk about security awareness, but this year is exciting as we have a new partner in KnowBe4 that allows for a more robust training program that we can leverage throughout the year,” said McManaway.
At the end of the training period, the C&IT ISO will conduct another test to measure the success of this initiative; the results and clues will be posted at that time. Over the course of the coming year, C&IT will continue efforts like this to ensure the entire Wayne State community remains Warrior Secure.
Going forward, remember the two Wayne State information security golden rules:
- When you receive a phishing email, either delete it or report it by forwarding it to firstname.lastname@example.org. You don’t have to forward the phishing message to anyone else.
- If you have shared your password or think that your account has been compromised in any other way, contact the C&IT Help Desk at 313-577-4357 immediately so C&IT may secure your account.
Email test 1: Your Zoom account is on hold. Sign-in today!
- Sender is not from zoom.us and uses a misspelled email address.
- The link is suspicious. As seen in the example above, hovering your mouse pointer over the Activate Account button shows that the link goes to phishing.guru, not to a zoom.us or a wayne.edu address.
- The message is flagged as [EXTERNAL]. This is not proof-positive that it is a phishing email. Zoom is a WSU partner and may send direct communications that the Wayne State email system will flag as [EXTERNAL]. However, this should be a reminder to pause before clicking links or opening attachments.
- 3% clicked the link
- 3% reported the email to email@example.com
- 94% either deleted or ignored the message. Deleting a phishing message is the best response; reporting it to firstname.lastname@example.org is the second-best response.
Email test 2: List of Rescheduled Meetings Due to COVID-19
The second test message used a more enticing subject. Phishing often relies on an emotional response, and changes to our meeting schedules impact us all.
- Although the sender address was spoofed, it appears to come from a valid WSU email address, which makes the message harder to identify as a scam.
- Hovering over the Rescheduled Meetings link shows that it is redirecting to Google, not a wayne.edu or Microsoft link (see example below).
- 17% of recipients clicked the link
- 6% reported the email to email@example.com
- 77% either deleted or ignored the message
Email test 3: Your file
The third test message alarmed many people, but it is the most common type of scam email that the ISO team addresses on a daily basis.
- Although the message claims to be from firstname.lastname@example.org, it has an [EXTERNAL] flag, and this combination is a red flag that something is not right.
- HR will never ask for an employee’s personal information to be sent directly via email. You should always provide this information through secure means, such as the employee self-service portals in Academica.
- Over 150 people replied to this scam email. The ISO team does not keep or store responses when we do these tests, so it’s possible that the replies might have been people questioning whether the email was legitimate. The best way to know whether a message is legitimate is to directly contact the person you believe sent the message through means other than just replying to the email.
- C&IT knows many people contacted HR and the Help Desk, but only about 6% of the messages were reported to email@example.com.
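The three clue types described in these tests (a look-alike sender domain, a link whose real destination is an unrelated domain, and an [EXTERNAL] tag on a message claiming to come from an internal address) can be checked mechanically. The following is an added example, not code from C&IT or KnowBe4; the domain lists, the misspelled sender address and the sample messages are constructed for illustration.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"wayne.edu"}   # the institution's own mail domain (assumed)
KNOWN_BRANDS = {"zoom.us"}         # brands a message may claim to come from (assumed)
HREF_RE = re.compile(r'href="([^"]+)"', re.I)

def domain_of(addr):
    """Lower-cased domain part of an email address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def in_domains(host, domains):
    """True if host is one of the domains or a subdomain of one of them."""
    return any(host == d or host.endswith("." + d) for d in domains)

def phishing_indicators(raw):
    """Return the clue types from the three tests that are present in one raw message."""
    msg = message_from_string(raw)
    sender_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    external = "[EXTERNAL]" in msg.get("Subject", "")
    findings = []
    # Test 3 clue: tagged [EXTERNAL] although the From address claims to be internal
    if external and in_domains(sender_dom, INTERNAL_DOMAINS):
        findings.append("external-flag-with-internal-sender")
    # Test 1 clue: sender domain closely resembles a known brand without being it
    for brand in sorted(KNOWN_BRANDS):
        if sender_dom != brand and difflib.SequenceMatcher(None, sender_dom, brand).ratio() >= 0.8:
            findings.append("lookalike-sender-domain:" + sender_dom)
    # Tests 1 and 2 clue: a link's real destination is neither internal nor the sender's own domain
    for href in HREF_RE.findall(msg.get_payload()):
        host = (urlparse(href).hostname or "").lower()
        if host and not in_domains(host, INTERNAL_DOMAINS | {sender_dom}):
            findings.append("link-to-unexpected-domain:" + host)
    return findings

# Constructed samples modelled on the three tests (addresses and URLs are made up)
ZOOM_SCAM = ("From: Zoom <no-reply@zooom.us>\nSubject: [EXTERNAL] Your Zoom account is on hold\n\n"
             '<a href="http://phishing.guru/activate">Activate Account</a>')
MEETINGS_SCAM = ("From: Provost Office <provost@wayne.edu>\nSubject: List of Rescheduled Meetings\n\n"
                 '<a href="https://docs.google.com/forms/x">Rescheduled Meetings</a>')
HR_SCAM = "From: HR <hr@wayne.edu>\nSubject: [EXTERNAL] Your file\n\nPlease reply with your details."
ZOOM_REAL = ("From: Zoom <no-reply@zoom.us>\nSubject: [EXTERNAL] Your weekly summary\n\n"
             '<a href="https://zoom.us/account">Account</a>')
if __name__ == "__main__":
    for name, raw in [("zoom", ZOOM_SCAM), ("meetings", MEETINGS_SCAM), ("hr", HR_SCAM), ("real", ZOOM_REAL)]:
        print(name, phishing_indicators(raw))
```

The last sample shows the caveat from test 1: an [EXTERNAL] tag on a genuine partner message produces no finding on its own, so it is a prompt to pause, not proof of a scam.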
C&IT is Wayne State University's central IT organization, in the Division of Academic Affairs. Rob Thompson is interim Chief Information Officer (CIO) for Wayne State University and Associate Vice President for C&IT. For support with Wayne State IT systems or services, please contact the C&IT Help Desk at 313-577-4357 or firstname.lastname@example.org. Find FAQs at tech.wayne.edu/kb and follow us on Twitter @WayneStateCIT for instant updates.