January 2022 Security Topic - Phishing the Brockport Campus

The Brockport IT Security Office started sending out obvious phishing messages to random campus faculty and staff members in December 2021. The goal was to determine how susceptible we are as a campus to social engineering attacks through email. We also want to target extra training on phishing risks for the people who need it most. Here is what we have learned so far:

  • 8% of people clicked on malicious links
  • < 1% responded to obvious phishing messages

Of the people who clicked:

  • 70% out of state
  • 90% use Chrome
  • 95% updated Chrome more than 2 years ago
  • 20% updated Chrome 4 years ago

We included all the indicators we could, such as:

  • sense of urgency
  • bogus from addresses
  • misspellings
  • strange uses of authority or position
  • generic greetings
  • generic signatures
  • vague or inappropriate content
  • references to unusual or non-Brockport-related technologies

Our 8% click rate means we have more outreach and training to do to combat these social engineering attacks.

I am not sure how being out of state ties in. Maybe it's about not being mentally in work mode and lowering our defenses against scammers. Or maybe people are working out of state on special projects and are more likely to get unusual emails as part of their job. An interesting finding to continue to study.

And finally, we saw that people who click are also using very out-of-date browsers. That is a very bad combination of risk factors. Old versions of Chrome are more easily exploited by the type of attacks that happen when we click bad links. Since 2008 there have been more than 2600 vulnerabilities discovered in the Chrome browser as measured by the National Vulnerability Database. It is very important that the browser itself is protected against known attacks by being up-to-date. It's doubly helpful in situations where a bad link is being clicked in a phishing email. Fortunately keeping browsers like Chrome up to date is very easy.

Update Google Chrome - Computer - Google Chrome Help
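
The browser finding above can be measured from the user-agent strings recorded when a simulated phishing link is clicked. The following is an added example, not the IT Security Office's own tooling: the log format, the sample lines, CURRENT_MAJOR, and the STALE_AFTER threshold are all assumptions made for illustration.

```python
import re

# Assumptions: current stable Chrome major during the campaign, and how many
# major versions behind counts as "out of date". Adjust both for your campaign.
CURRENT_MAJOR = 96
STALE_AFTER = 12

CHROME_RE = re.compile(r"\bChrome/(\d+)\.")
# Edge and Opera are Chromium-based and also carry a Chrome/ token.
OTHER_CHROMIUM_RE = re.compile(r"\b(?:Edg|EdgA|OPR)/")

# Constructed sample click log: recipient id <TAB> user agent.
SAMPLE_CLICKS = """\
u01\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
u02\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
u03\tMozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
u02\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
u04\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62
u05\tMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
"""


def chrome_major(user_agent):
    """Return Chrome's major version, or None if the browser is not Chrome."""
    if OTHER_CHROMIUM_RE.search(user_agent):
        return None  # do not count Edge or Opera as Chrome
    match = CHROME_RE.search(user_agent)
    return int(match.group(1)) if match else None


def summarize(log_text, current=CURRENT_MAJOR, stale_after=STALE_AFTER):
    """Count unique clickers, Chrome users, and Chrome users on stale versions."""
    first_ua = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, _, ua = line.partition("\t")
        first_ua.setdefault(user, ua)  # repeat clicks count once per recipient
    majors = [chrome_major(ua) for ua in first_ua.values()]
    chrome = [m for m in majors if m is not None]
    stale = [m for m in chrome if current - m >= stale_after]
    share = round(len(stale) / len(chrome), 2) if chrome else 0.0
    return {"clickers": len(first_ua), "chrome": len(chrome),
            "stale": len(stale), "stale_share": share}


if __name__ == "__main__":
    print(summarize(SAMPLE_CLICKS))
```

User-agent strings are supplied by the client and can be altered, so treat the result as an estimate and confirm actual versions through endpoint management where it is available.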

We will continue to study the campus response to phishing to develop the best tools, communications, and training to help the campus community successfully deal with this growing problem.

Details

Article ID: 137736
Created: Mon 1/24/22 12:20 PM
Modified: Wed 12/13/23 4:06 PM