This month, UCR’s Information Technology Solutions (ITS) is set to begin sending out a series of emails to UCR faculty, staff and students that will closely mimic a phishing attack. ITS hopes that the campus community will identify the false emails and forward them to abuse@ucr.edu. Those who accidentally engage with the phishing simulations will be presented with a “learning moment” containing tips and reminders on how to avoid them in the future. When the project ends in June 2020, ITS will issue a high-level campus “report card” on the campus’ ability to identify phishing scams. Any engagements with these phishing simulation emails will not be reported at the individual level, only on a large and anonymous scale.

In a blog post, ITS wrote, “Ongoing training on how to identify and avoid phishing scams is critical to cybersecurity at UCR.” In an attempt to raise awareness of the common tactics used in phishing emails, UCR ITS wrote that the things to look out for are: bad grammar or punctuation, strange fonts or paragraph spacing, slightly modified email addresses, forms that ask for sensitive information like usernames and passwords, links to strange websites and requests for money from what appears to be a “trusted” person.

In an interview with The Highlander, Alexandra Chrystal, the communications and training manager for ITS, stated, “Keeping our campus safe from threats—both physical and cyber—is a top priority for UCR.” She mentioned that one of the divisions within ITS, the Information Security Office (ISO), is responsible for assessing UCR’s vulnerability to cyberattacks and mitigating threats by taking various security measures. She stated that with UCR being a prominent research university with thousands of students, faculty and staff, “our campus is a prime target for bad actors who wish to steal sensitive data.”

Lloyd Kao / HIGHLANDER

In the blog post, ITS stated that over 91% of cyber attacks start with a phishing email and that a critical part of campus safety is doing all we can to keep our electronic data such as research, grades and personal information away from those who should not have it. Because email is a common place for personal and professional information, “malicious actors often utilize email in an attempt to steal personal or private information,” they wrote.

According to Chrystal, the phishing campaign is directly funded by the UC Office of the President (UCOP). “That’s in large part because the use of a phishing simulation campaign to assess a campus’ risk of cyberattack is not only common, it’s considered best practice among Information Security professionals,” wrote Chrystal. 

UCR ITS would like to thank all participants in this phishing simulation campaign, stating, “Together as a campus, we can ensure that our information remains safe and secure.”