What's the cost of a click?
Kent State is teaching that exact lesson to the campus community by sending internal phishing emails to see how recipients respond.
Odds are you've received one. If not from Kent State, then from bad actors. Think back. Have you ever gotten an email or a text that looked a little off? Maybe a few words are misspelled or the grammar is incorrect, even though it appears to be from someone you know.
Chances are it could be a phishing email.
University Community Tested
Kent State University’s Division of Information Technology reports that roughly 500 million phishing emails are sent per day, and they are effective. Every 60 seconds, 250 computers are hacked. These breaches cost companies $388 billion a year in stolen business secrets and intellectual property.
The division is working to increase the visibility of phishing scams as part of its cybersecurity operations.
“Phishing is a type of social engineering-based hacking,” James Raber, associate chief information officer from the Division of Information Technology, told Kent State Today. “It typically comes in the form of an email that tries to convince somebody to complete an action, like giving away credentials or data through fraudulent means.”
The division’s campaign aims to educate and inform the Kent State community about the ramifications of falling victim to phishing scams.
Human Error Is a Major Factor
According to Raber, the campaign started after the metrics of a Verizon annual report were released. The report showed that 74% of all data breaches are grounded in human error.
The overwhelming number of people clicking on phishing emails showed a clear need for education, so the division implemented resources targeting phishing.
Phishing Emails Are Real
Often a highly regarded name, such as Kent State’s President Todd Diacon or the IT Help Desk, will be used as the fake contact of the email. Typical phishing tactics include asking for personal phone numbers and passwords. Whenever a trusted or important person messages us, we may forgo our usual skepticism and send personal information without a second thought. No one, not even the university IT staff, will ask for your password.
Though the division originally started using phishing test emails during last year's Cybersecurity Awareness Month, they’ve now become recurring.
Phishing emails that looked almost official were sent to Kent State members inviting them to click a link. If they clicked it, they were offered a training module regarding security against phishing.
“We want to make sure that no matter where somebody is in their relationship with the university, whether they're a seasoned veteran or brand new to the university,” Raber said, “that they're able to identify fraudulent messages and take appropriate action with those sorts of things.”
Taking Phishing Seriously
Flagging suspicious emails helps the division reduce the risk to the Kent State community. And that’s what they want all of us to do. Users can flag these emails by forwarding them to phish@kent.edu, so the division can take action and remove any emails from the system before other people even see them, if possible.
The threat is real, and the implications are bigger than some Kent State community members may realize.
Phishing is an important scam to identify because of the information associated with students' FlashLine credentials. With access to that sensitive information, loans can be taken out in a student’s name. For all employees, direct deposits can be tampered with. It’s more than just your email that is in danger.
Raber said the division has measured its campaign so far to see where there’s room for improvement. A low click rate might mean that the Kent State community is able to identify scams, but it might also show that people often aren’t taking the next step of reporting the email. On the other hand, a high click rate might mean that the community needs to be trained on how to identify a phishing scam. The goal is to get high reporting rates, with no one clicking on links or replying with sensitive information.
Looking Ahead
As phishing was the target for Cybersecurity Awareness Month last October, this fall there will be new themes to focus on, such as password hygiene and managing one’s digital identity. Stay tuned for more about those themes coming soon.
So, the next time you get an email that asks for personal credentials or wants you to verify your account, stop, think and forward it to phish@kent.edu first. The division will let you know if something is safe.
Learn more about cybersecurity from the Division of Information Technology.