Today's MessagePosted: Tuesday, April 3, 2018
Information Security Awareness: Buffalo State Phishing Test Results
Buffalo State conducted a phishing test during the week of February 12 in cooperation with SUNY Security Operations Center (SOC). A phishing e-mail was sent from SOC to 1,950 Buffalo State e-mail account holders. The test, which should have run for seven days, ran for only five because of a glitch in the SOC system; however, we have some partial results to report:
242 account holders opened the e-mail.
25 account holders clicked on the link in the e-mail.
12 account holders clicked on the link in the e-mail and entered their credentials and submitted the form.
189 account holders forwarded the phishing e-mail to email@example.com.
Explaining the Stats
242 account holders opened the e-mail. This is OK. Many of us use the preview pane in our e-mail client. This allows us to automatically read our e-mail, and the system counts the e-mail as opened. Opening and viewing phishing e-mail is not a problem (at this time).
25 account holders clicked on the link in the e-mail. The link took account holders to a form. This is not good. In fact, it might have been very bad. When you click on a link in a phishing e-mail, you run the risk of downloading malware. Malware comes in all kinds. Some malware is ransomware, locking your files forever. Some malware is a program that allows outsiders to gain access to your information and to the information you connect to on servers. This can allow criminals to steal private data and information from campus systems, licensed articles from our library holdings, and information about you and our students.
12 account holders input their credentials and submitted the form. This is extremely bad. Had this been a real phishing e-mail and not a test, your credentials would have been stolen, and that leads to information and identity theft. The good news is that of the 25 account holders who clicked on the link, 13 recognized that they should NEVER input their credentials into a form that comes from clicking on an e-mail link.
If you were one of the 25 who clicked on the link, or one of the 12 who input information into the form, you must pay better attention to the e-mail you receive and what it asks you to do. Some telltale signs:
If you had hovered your mouse cursor over the link in the e-mail, you would have seen this: http://ifyouclickonthisyouwillgethacked.com
The e-mail came from “buffalotstat.edu.” Notice the e is missing from Buffalo State.
Read carefully! Be aware. Be vigilant. Protect us by protecting yourself.
Wednesday, April 4, 2018