Security, Training

February Phishing Awareness Campaign

As part of a phishing awareness campaign, an email that mimicked a phishing email was sent to campus in February. About 8% of us who opened this email were found susceptible to phishing. This is lower than the 16% from a similar campaign in December. February’s campaign differed from December’s in that it linked to a page that asked for credentials to be entered, instead of linking directly to educational material. Unfortunately, about half of those who clicked on the link then provided credentials. Had this been an actual phishing attempt, this would have allowed these accounts to be compromised and put the campus at risk.

Here is what the email looked like with some signs that it was not legitimate noted:

Clicking on the link in the email brought you to a login page. Here is what that page looked like with some signs that it was not legitimate noted:

Simulated Phishing Campaign Results

The simulated phishing campaign was broken into two groups: employees and students. If you are both an employee and a student you may have received two simulated phishing emails. Below you can see the results of this campaign.

Students

Employees

We are planning future phishing awareness campaigns, including more simulated phishing emails. We hope that improved awareness of the signs and dangers of phishing will reduce the number of compromised campus accounts and resources, and help protect campus data.

More information about phishing is available at http://www.csuchico.edu/isec/basics/spam-and-phishing.shtml

More information about the PhishMe simulated phishing tool is available at http://www.csuchico.edu/isec/tools_resources/phishme.shtml

Security, Training

Phishing Awareness Program

One of the most serious cyber-security risks facing the campus today comes from phishing email messages. Phishing is the use of email messages in an attempt by hackers and cybercriminals to steal personal information or hijack computing resources for nefarious purposes including fraud and identity theft. When employees and students are tricked into giving up their user name and password, the criminals may gain access to even the most secure system.

To help reduce the chance that this happens, CSU, Chico is about to begin a training program that is intended to help the campus community recognize and ignore email phishing messages.

Did you know:

  • More than 3,000 CSU, Chico email accounts have been compromised in the last 6 months due to successful phishing attacks.
  • 92% of all breaches start with a successful phishing email.

You may have received a few general phishing emails at home, but did you know the same technique is used by sophisticated criminals to compromise companies and organizations? Everyone with an email address is a potential target for phishing. The campus will continue to make improvements to security technology, but the best defense against these attacks isn’t just technology; it’s learning how to spot and report phishing.

During this awareness training program, you will receive emails that mimic the phishing emails that target our organization. The purpose of these emails is to give you hands-on experience in what a phishing email looks like. If you suspect an email is a phishing attack you should delete it. Do not click on links or open attachments in a suspicious email. If you do fall prey to one of the simulated phishing attacks, you’ll instantly see that it was just a training exercise, along with some education material about how to improve at identifying phishing.

This is an attempt to help protect student and employee privacy and confidentiality, not to trick you. The results of this campaign will be kept confidential.

Even though our education will be focused on phishing at work, the tips you learn will better protect you at home from having your identity and/or financial account information stolen via phishing.

If you want to get a head start in learning about the various types of phishing attacks, feel free to preview the Phishing Education available at http://www.csuchico.edu/isec/basics/spam-and-phishing.shtml

If you have questions or concerns, please submit a request at support.csuchico.edu or contact IT Support Services.

530-898-HELP (4357)
MLIB 142
itss@csuchico.edu
www.csuchico.edu/itss
@chicoitss

Security, Training

Security Awareness Training

The campus has recently been targeted by several social engineering attacks. Social engineering attacks use phone calls and emails to manipulate people into performing actions they should not take, such as using a web browser to visit an infected web site, installing software for purposes of providing “computer support,” or divulging confidential information.

Some short optional videos are available on the CSU, Chico Development and Training System (DTS) which provide additional details about these types of attacks as well as other information security topics: https://www.csuchico.edu/isec/tools_resources/sans_securing_the_human_security_training.shtml

Security Awareness Modules for Staff (Recommended Courses)

Social Engineering (02:53)

Many of today’s most common cyber-attacks are based on social engineering. As such, this module explains what social engineering is, how attackers fool people and what to look out for. We then demonstrate a common social engineering attack. We finish with how people can detect these attacks and how to respond to them.

Email & Messaging (04:52)

One of the primary means of hacking people is through email. Email is used for both simple, large-scale attacks and more targeted spearphishing attacks. We explain how these attacks work, including recent examples of phishing, spearphishing, malicious attachments and other email-based attacks. We then explain how these types of attacks work for almost any type of messaging technology. We then explain how to detect and stop these attacks.

Mobile Device Security (03:40)

Today’s mobile devices, including tablets and smartphones, are extremely powerful. However, they also come with a growing number of risks. In most cases, these devices have the same functionality, complexity and risks as a computer, but with the additional risk of being highly mobile and easy to lose. We cover how to use mobile devices safely and how to protect the data on them.

Security Awareness Modules for Faculty (Recommended Courses)

Social Engineering (02:53)

Many of today’s most common cyber-attacks are based on social engineering. As such, this module explains what social engineering is, how attackers fool people and what to look out for. We then demonstrate a common social engineering attack. We finish with how people can detect these attacks and how to respond to them.

Email & Messaging (04:52)

One of the primary means of hacking people is through email. Email is used for both simple, large-scale attacks and more targeted spearphishing attacks. We explain how these attacks work, including recent examples of phishing, spearphishing, malicious attachments and other email-based attacks. We then explain how these types of attacks work for almost any type of messaging technology. We then explain how to detect and stop these attacks.

FERPA (04:32)

The Family Educational Rights and Privacy Act, also known as FERPA, is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds from the U.S. Department of Education. This module explains the rules and regulations all school faculty, staff, contractors and student employees should follow when handling student information. This module is built on and requires people to watch the Data Security module first.

More security information is available on the CSU, Chico Information Security (ISEC) website: http://www.csuchico.edu/isec

Maintenance, Training

DTS and SkillSoft Maintenance

Tomorrow, June 18, the CSU, in partnership with CSU, Chico, will complete a project to expand employee access to online training content offered by the CSU. During this time, the Development and Training System (DTS) and our campus access to CSU SkillSoft e-courses will be offline while the necessary changes are applied in both systems. It is anticipated that both systems will be operational on June 19.

No action is required of you. The campus DTS will resume communications regarding required training once the system is back online.

If you have any questions, please contact IT Support Services at x4357.