March phishing simulation forms 'baseline' for OIT


Office of Information Technology security officers recently collected data from a March phishing simulation, forming a “baseline” from which future numbers can be compared.

In Fall 2017, OIT introduced an initiative that would provide Central Michigan University with a heightened and stronger security system. Part of the security initiative is performing a range of phishing simulations. 

According to SANS Institute — an online organization committed to strengthening online security — phishing is a pinpoint attack against a subset of people with the goal of mining passwords or personal information like social security or credit card numbers. 

March’s simulation, which concluded at the end of the month, was the first in a series of simulations to come.

“We didn’t go into (the simulation) with any specific expectations,” said Kole Taylor, communications manager of OIT. “Overall, (OIT) is happy with the data collected, excited to move forward and work to continually bring numbers down.” 

PhishMe — the tool used in the simulation — sent 2,746 counterfeit phishing messages to all faculty and staff users at CMU. It tracked the participants who opened the message, how many times the link in the message was clicked and the number of people submitting their personal data on the spoofed page.  

Usernames were kept anonymous and passwords were not stored. However, upon submitting their credentials, susceptible participants were provided resources on how to avert a genuine threat.

According to a report organized by the security officers, 1,003 of the emails were opened and 234 of those participants submitted the desired credentials.

Of the total participants, 8.5 percent submitted their credentials. Of those who opened the email, 23.3 percent submitted their credentials.  

“The data collected is being used to give us an idea of our current state so future phishing simulations can be compared,” Taylor said. “We now have a baseline, so we know what kind of effort to put into training and education.” 

OIT is unsure when the next simulation will occur. Discussions will take place in Summer 2018, with the next simulation most likely happening in the fall. 

In the future, OIT anticipates simulations conducted with students. 

On the off chance that another simulation happens over the summer, it would solely be for CMU employees, Taylor said.

Phishing emails target a person’s direct deposit, tax forms (UW2), passwords and linked accounts. Access is gained through embedded links and the release of confidential information.  

According to OIT’s webpage, CMU students, faculty and staff can avoid phishing emails by noticing improper verb conjugation, spelling mistakes and generic terminology, and by performing a “skeptical hover,” a technique that involves mousing over a link to make sure it will send recipients to a webpage they are familiar with. 
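The “skeptical hover” can be automated: extract every link in an HTML message and flag those whose destination is not a familiar domain, or whose visible text names one site while the href points to another. This is an added illustration, not OIT’s or PhishMe’s code; the familiar-domain list (cmich.edu) and the sample message are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the university's own domain is the only "familiar" destination.
FAMILIAR_DOMAINS = {"cmich.edu"}

# Constructed sample: one lookalike link with misleading anchor text, one genuine link.
SAMPLE_EMAIL = """<p>Your mailbox is full. Visit
<a href="http://cmich-edu.example.net/login">it.cmich.edu/account</a> to keep your
account, or read <a href="https://it.cmich.edu/security">the security page</a>.</p>"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    # Crude registrable-domain guess (last two labels); adequate for .edu/.net here.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def skeptical_hover(html_body, familiar=FAMILIAR_DOMAINS):
    """Return one finding per link: where it really goes and why it is suspicious."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        actual = registrable(urlparse(href).hostname or "")
        reasons = []
        if actual not in familiar:
            reasons.append("destination is unfamiliar domain " + actual)
        # Only treat the anchor text as a URL if it looks like one (has a dot, no spaces).
        if "." in text and " " not in text:
            shown = registrable(urlparse(text if "://" in text else "//" + text).hostname or "")
            if shown != actual:
                reasons.append("visible text says %s but link goes to %s" % (shown, actual))
        findings.append({"href": href, "text": text, "suspicious": bool(reasons), "reasons": reasons})
    return findings
```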

Allowing a phisher access to a CMU email or account can cause a cascading effect, compromising several accounts at once, Taylor said. Because of this, users should be careful about using a university email as a recovery or primary email.

If ever skeptical, people should contact the CMU IT desk or report suspicious emails to spambusters@cmich.edu before responding to or interacting with them, Taylor said. 

More information and phishing examples can be found online at it.cmich.edu/security.
