IT’s faux ‘phishing’ emails aim to snare, and then educate, campus

The email from ADP looked legitimate. It was a warning sent to Baldwin Wallace faculty that there had been a data breach and that the user needed to change their password within the next seven days. This also happened to coincide with tax season and payday, only heightening the urgency. Over 100 people clicked on the message, and 28 of those 100 staff members entered their university username and password. Just like that, a scammer had access to 28 university staff accounts.
Phishing is a scam in which a scammer claims to be a credible source and asks for anything from personal information to company resources and money. Phishing attacks account for about 91% of all company data breaches.
Similar to any other institution, Baldwin Wallace is susceptible to these types of attacks and is currently working on ways to cut down on the number of users giving out information. Chief Information Security Officer Tom Mathis says he knows how easy it is for people to steal information this way.
“The weakest link in any security program is the end user,” Mathis said. “If you’re trying to hack into some organization, you can do the very sophisticated attacks on web servers and firewalls, all of the geeky techy stuff… Or you could just send them an email.”
Luckily for those who clicked on the phishing email, their information is still in safe hands: the Department of Information Technology itself was responsible for distributing the email.
At this time, every faculty member has to complete cybersecurity training, and Chief Information Officer Greg Flanik said that some of the people who gave their information were people who had completed the training. Those who responded to the email and gave up their usernames and passwords were spared this time, but the Department of Information Technology is going to send more phishing emails.
“First offense, we ask you to be careful next time you see something like this,” Flanik said, “and if they do it again, then we would force them through a second training program.”
While 28 people did respond to the email, 50 users reported the email as spam, which is an improvement from before the training. Flanik says he hopes that when an actual phishing email comes, faculty will be prepared, or will assume it is from information technology and ignore it. Staff members are not the only ones being targeted by scammers.
While Flanik said that he hopes to also have students do the same training in the future, Mathis says that will likely be too expensive for Baldwin Wallace. Flanik does hope, however, that first-year students would be able to take this program.
“For first-year students, this is their first time on an enterprise network,” Flanik said. “And while they may get phishing messages over Yahoo or Gmail, they will be more prevalent in this environment.”
While students may not have to take cybersecurity training yet, information technology has been working on other precautions to avoid this issue in the future. The new email address given to students has a spam filtering service. According to Mathis, the filtering service is not 100% effective, but it does a “pretty good job” at blocking spam.
“Microsoft has the ability to throw a lot of capability in terms of securing email services from being attacked,” said Mathis. “You’ll find the largest corporations in the world are all going to Office 365. Microsoft is doing a very good job at securing that email.”
Despite the capabilities that Office 365 provides to Baldwin Wallace, phishing is still a constant threat and the easiest way for a scammer to get control of valuable information. Mathis said that there is “frequent failure between the keyboard and the chair,” while Flanik likened phishing to having a $10,000 biometric lock but forgetting to lock the door.
Mathis says that students and faculty need to be wary of emails that contain spelling and grammar mistakes, make an offer that is too good to be true, or urgently ask for private or corporate information.
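The red flags Mathis lists (spelling mistakes, too-good-to-be-true offers, urgent requests for credentials) are the same cues a simple triage heuristic can look for before a message reaches a person. The following is an added example written for this article, not a tool used by Baldwin Wallace IT or any product named here; the regular expressions, the scoring weights, the tiny misspelling list standing in for a real spell-checker, and both sample messages (the first modelled loosely on the ADP-style lure the article describes) are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages (not real campus email). The first mirrors the
# "change your password within seven days" lure described in the article;
# the second is a benign notice for comparison.
SAMPLE_LURE = """Subject: Urgent: ADP data breach - action required
Dear employe,
We have detected a data breach on your payroll account. You must change your
password within the next seven days or your account will be suspended.
Click here and confirm your username and password to continue recieving pay.
"""

SAMPLE_BENIGN = """Subject: Library hours for spring break
The library will close at 5 p.m. Friday and reopen Monday at 8 a.m.
Questions? Stop by the front desk.
"""

# Heuristic patterns (constructed): urgency/deadline language, a request to
# supply credentials, and "too good to be true" offers.
URGENCY = re.compile(
    r"\b(urgent|immediately|within the next \w+ (?:hours|days)"
    r"|will be suspended|action required)\b", re.I)
CREDENTIAL_REQUEST = re.compile(
    r"\b(confirm|enter|verify|provide)\b[^.\n]{0,40}"
    r"\b(password|username|login|ssn|social security)\b", re.I)
TOO_GOOD = re.compile(r"\b(you have won|free gift|prize|bonus|refund of \$?\d)", re.I)
# Tiny constructed misspelling list; a real deployment would use a spell-checker.
MISSPELLINGS = {"employe", "recieving", "acount", "passwrod", "verfiy"}


@dataclass
class Verdict:
    score: int
    flags: list = field(default_factory=list)


def assess(message: str) -> Verdict:
    """Score a message against the article's red flags; higher is more suspicious."""
    v = Verdict(score=0)
    if URGENCY.search(message):
        v.score += 2
        v.flags.append("urgency")
    if CREDENTIAL_REQUEST.search(message):
        v.score += 3  # asking for credentials is the strongest single signal
        v.flags.append("credential_request")
    if TOO_GOOD.search(message):
        v.score += 2
        v.flags.append("too_good_to_be_true")
    words = set(re.findall(r"[a-z]+", message.lower()))
    typos = sorted(words & MISSPELLINGS)
    if typos:
        v.score += 1
        v.flags.append("spelling:" + ",".join(typos))
    return v


def is_suspicious(message: str, threshold: int = 3) -> bool:
    """Threshold chosen so urgency alone does not trigger, but urgency plus
    a credential request (the article's scenario) does."""
    return assess(message).score >= threshold


if __name__ == "__main__":
    for name, msg in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        verdict = assess(msg)
        print(f"{name}: score={verdict.score} flags={verdict.flags} "
              f"suspicious={is_suspicious(msg)}")
```

Run it as a script to see both verdicts. The weights are deliberately crude: the point is that the combination of a deadline and a request to re-enter a password is what should route a message to the report-as-spam button, which is exactly the behaviour the 50 users who reported the test email showed.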