Phishing Campaign Simulations at Brockport: A Student’s Perspective

Summary

As a student information security analyst at Brockport, I had the opportunity to take on a hands-on role coordinating and running two phishing simulation campaigns aimed at our faculty and staff. The experience was both eye-opening and revealing, and it gave me a unique perspective on just how vulnerable even well-educated professionals can be to phishing attacks.

Body

By Huseen Munye, IT Security Student Analyst 

The goal of these simulations was simple: to test how likely people were to fall for common phishing tactics, like clicking on malicious links or submitting sensitive information. I created a variety of phishing emails, mostly simple, and sent them out to the university’s faculty and staff using KnowBe4, tracking who interacted with the emails and how. 

As soon as the first batch of data from the campaigns started coming in, I was immediately surprised by how revealing it was. I saw in almost real time how many people had clicked on the links in the phishing emails, and how many had submitted information. While the results were concerning, what truly shocked me was the number of professors who had fallen for the phishing attempts.

I think, like many people, I assumed that they would be much less likely to fall for these phishing emails. But as the campaigns continued, it became clear that anyone can be vulnerable to these threats. The realization made me reconsider the complexity of cybersecurity and different cyber threats.

Phishing works because it’s not just about technical tricks; it’s about exploiting human factors. The emails that were sent out were designed to resemble real phishing emails received. Seeing so many experienced faculty members clicking on these links was a reminder of how easy it is for anyone to make a mistake in the face of phishing attempts. The pressure to respond quickly, the urgency of the message, and even just the casual nature of some emails made it easy for people to act before taking a step back to question what they were doing. 

Watching the data in real time gave me a much clearer perspective on the effectiveness of phishing attacks. I had always known that phishing was a major cybersecurity risk, but seeing just how effective simple, well-executed campaigns can be really brought the threat into focus. It's one thing to read about phishing statistics and another to see them play out in real time.

As someone still learning and interested in the field of cybersecurity, this experience has been a reminder that awareness training is important for everyone. We often talk about securing systems with firewalls and antivirus software, but the human factor is just as important, if not even more important. 

Details

Article ID: 154145
Created: Wed 11/20/24 11:41 AM
Modified: Tue 11/26/24 10:42 AM