Self-Phishing Parking Email
April 26, 2017
KU Information Technology conducted our third self-phishing exercise today to raise awareness of IT security on campus and the dangers of phishing emails. KU IT conducted similar self-phishing exercises in October 2016 and in January this year.
Today's phishing exercise was based on an actual phishing email. The self-phishing email told recipients they had a parking violation for "failure to follow signs," and told the recipient they could download the ticket and pay to avoid a court appearance.
KU IT sent an email in advance to KU faculty and staff announcing the self-phishing exercise this week. The purpose of self-phishing exercises is to raise awareness on campus and help KU faculty and staff to recognize suspicious emails.
University of Kansas faculty and staff have access to and work with confidential information pertaining to students, employees and research. Much of that information is covered by the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and other federal and state laws. As an institution and as individuals, we have an important legal and moral obligation to vigorously protect that information.
While KU IT implements many tools and measures to secure KU systems, one of the most important safeguards is the awareness and vigilance of our faculty and staff.
What is phishing?
Phishing messages attempt to trick you into divulging confidential information, such as passwords, account numbers, or other personal details. These messages may vary in tone and content, but they always have three defining features:
- A request for confidential information that the real organization would never ask for in an email. KU IT, for example, will never ask you for your password. Your bank will never ask you for your account number.
- A call to action. The email will ask you to respond to the sender, click a link, open an attachment, or even call a phone number.
- An attempt to create a sense of urgency. The email will try to scare you, for example by saying that if you don’t respond you’ll lose access to your account or be penalized in some way.
How do I report a message I think is suspicious?
If you receive a message to your KU email account that you believe is suspicious, forward it to firstname.lastname@example.org and delete it from your inbox. Never click links, open attachments, or respond to the sender in any way.
What is self-phishing?
The KU IT Security Office will send an email message that imitates the kinds of phishing messages frequently targeted at KU faculty and staff. This message will contain a link which, if clicked, will take the recipient to a replica Outlook Web Access page hosted on the KU network.
Why does KU IT do self-phishing?
The self-phishing exercises we conducted in October 2016 and January 2017 were effective. We learned that if phishing recipients click the link in the email, it is highly likely they will give up their credentials (i.e., user ID and password). According to IBM Security Intelligence, one in five recipients of a phishing message will fall for it and hand over sensitive information, such as usernames, passwords and account numbers. This is an area where KU wants to be well below average. Knowing what tricks our KU customers fall for will help us better target our security awareness training materials.
If you have not already done so, log into the KU Talent Development System and complete the required annual security awareness training. KU Departments can also schedule custom training by contacting the KU IT Security Office at email@example.com.