Last May, the university sent its own employees a fake phishing e-mail. One in five targeted employees actually clicked on a rogue link, and just under half of these people even downloaded and started up an application.
It has been confirmed that one of the phishing e-mails received by the university’s employees last year was sent by the university’s own Central Information Office (CIO). A phishing e-mail is basically a type of virus. The e-mail appears to be from a reliable source, but is secretly from someone with bad intentions, who will do things such as installing a virus or stealing information from the addressee’s computer.
The university sent the e-mail to some two thousand employees last May to check how many employees would fall for the phishing attempt. The answer was: more than they hoped for. Dado Grozdic, EUR’s Chief Information Security Officer, told us how and why the CIO conducted the experiment.
Why did the university perform a phishing test on its own people?
“Phishing attacks are among the most common cyber threats for organisations. Some 75 per cent of organisations worldwide have fallen victim at some point, and in 95 per cent of those cases, those attacks were successful. A few attacks have been made on Erasmus University, as well.”
Can you give us an example of a successful phishing attack on EUR?
“For security reasons, we never make statements about specific attacks, or the extent to which they were successful.”
Why are universities interesting targets for these types of attacks?
“Universities hold interesting information. First and foremost, the personal data of thousands of students and their lecturers, and secondly, valuable scientific information.”
In March 2018, there were some rumours that Iranian hackers were attacking Dutch universities through phishing. Did Erasmus University fall victim to such an attack?
“I cannot go into that, again, because of security reasons.”
The phishing experiment was conducted in association with a cyber security company called Fox-IT. Approximately two thousand randomly selected employees working on campus received the e-mail on 22 May. It contained a request to complete a survey for an employee satisfaction study. Fox-IT had registered the survey-eur.nl domain (no longer available) for this purpose and sent the e-mail from that domain, so that inattentive readers might have believed it was sent by the university.
Seventy-one per cent of the 1929 employees who received the e-mail did not open it. Nine per cent sent an out-of-office reply, and one in five employees actually clicked the rogue link in the e-mail. Slightly less than half of the latter group downloaded and opened the application, as requested. In the end, 9 per cent of the target group were ‘infected’, according to Fox-IT’s official report.
How was Fox-IT able to get past your spam filter that easily?
“We made things a little easier for Fox-IT. Normally, our e-mail security systems would probably have stopped such e-mails, but this time, they didn’t. We also helped them copy our corporate identity. However, there are several ‘triggers’ in the e-mail which should have warned our employees that this was a phishing e-mail: the domain name was wrong, and an unknown file (an HTML application) had to be downloaded. Those who did so were warned that the file in question might be dangerous.”
Why did you choose this particular scenario?
“People are prone to clicking on such surveys. They do not look like a threat in any way, and the questions asked aren’t too hard. The HTML application was actually a warning. It’s something you won’t often come across, so it was a good test of how users will deal with that sort of thing.”
How do you feel about 9 per cent of our employees falling for the trick completely, and 20 per cent falling for it in part?
“Global phishing studies have shown that about 30 per cent of people will open such e-mails, and that 12 per cent will open the malicious file. So our 9 per cent wasn’t too bad. It’s still too much, though. We will have to do better. We seek to reduce the number of infections by 95 per cent.”
How is the university going about that?
“For starters, even fewer e-mails get past our e-mail security systems now. We wish to raise our employees’ alertness by teaching training courses this year. For instance, we will demonstrate how phishing attacks are performed, by showing on screen what both the victim and the perpetrator are experiencing during such an attack, and how easy it is to fall prey to people with bad intentions.
“We are also establishing a campaign designed to create e-mails without links. And obviously, we wish to set the right example, so all of CIO’s newsletters are link-free. That is a significant problem at present – the fact that people have been conditioned to click on every link. We must stop them from doing so. We must look up more information ourselves, go to the sender’s site instead.”
Did you ever tell the ‘victims’ that they had been tricked?
“We notified all the information managers (IT liaisons at the various faculties – ES), who then passed on the news within their faculties. They were supposed to do so in May or June. Needless to say, the victims’ computers were not really infected.”
The next time the employees receive a phishing e-mail, should they be wondering whether this one was sent by you, as well?
“We have no intention of carrying out another experiment like that any time soon. That would be useless. In 2019 we wish to focus on training our employees. Perhaps we’ll repeat the experiment at some point after that to see if the results have improved.”