'What have you done?' About 20 percent of UU staff falls for phishing e-mail
Last Monday, Tuesday and Wednesday 12,900 UU employees received an e-mail from the Salary Administration Office, saying that the university needed some personal data to make the payment. With payday around the corner, the timing couldn't have been more strategic.
About 20 percent of recipients clicked on the link, which led to a screen asking the user to log in to the university's Microsoft Account with their Solid-ID and password. About 10 percent of the recipients did that. "Oops, what have you done?" said the following screen, revealing that it was a fake e-mail from the ITS Management.
A good deed
A small team within ITS Management secretly set the project in motion for the campaign Switch on Security. "The operation was a secret even to me for a long time", says Adjunct Director Carol van der Palen. "I only learned what it would look like a short while before it happened".
However, the idea couldn't be kept a secret from everyone. Some colleagues from the ICT Service Desk, HR service desk, and financial administration had to be notified. But most of them were not aware of the drill at all and kept getting calls from worried employees. Other UUers, however, appreciate the initiative, which they find positive, according to SecUUr programme manager John Strijker, citing a LinkedIn post in which UU staff members talk about it. "Some of them realised just how easy it is to click on a phishing e-mail".
UU has been stressing the importance of securing its network for years. Extra measures were taken following the attack on Maastricht University at the end of 2019. According to Van der Palen, those measures were needed. In February, research financier NWO, the University of Amsterdam and the Amsterdam University of Applied Sciences were also the target of cyber attacks. "For hackers, it only takes one lucky shot, while security professionals must make sure to keep all holes shut".
The university has recently implemented two-factor authentication (2FA) to raise yet another barrier against hackers. "If somebody manages to obtain your password, then it's not so bad, as there's an extra step they need to take in order to be able to log in". But you still need to have a good password, warns Van der Palen. "It's like I always say: the greatest security risk is between the keyboard and the office chair. A lot of people use the same password on clothing webstore Zalando as they do at work. If your data at Zalando is revealed, so is your UU password".
It's relatively simple for hackers to connect different files to each other. "We are an open organisation, so a lot of our information is public, such as our e-mail addresses or the day when the university pays the salaries. The e-mail sent by our IT colleagues could very well come from a hacker".
It was possible to see that the e-mail supposedly sent by 'Salary Administration' did not come from the actual Salary Administration Office, because its domain wasn't @uu.nl but rather @universiteitutrecht.nl. Apart from that, the message resembled UU's style both in language and in design. According to Van der Palen, the fact that 20 percent of employees did click on the phishing e-mail is the project's main contribution. "Through this drill, we want to demonstrate how alert we should all be".
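As an added illustration (not from the article and not UU's own tooling), a small defender-side check that classifies a From: header the way the sender-domain observation above suggests: the display name is ignored because it is trivially spoofable, subdomains of the real domain are accepted, and external domains that reuse the university's name, like the drill's @universiteitutrecht.nl, are flagged as lookalikes. The allowlisted domain and the name tokens are assumptions.

```python
# Added example: flag lookalike sender domains in a From: header.
# LEGIT_DOMAINS and the brand tokens are assumptions for illustration.
from email.utils import parseaddr

LEGIT_DOMAINS = {"uu.nl"}  # assumed: the organisation's real mail domain(s)


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header.
    Only the addr-spec counts; the display name is ignored on purpose."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().strip(".")


def is_legit_domain(domain: str) -> bool:
    """True for an allowlisted domain or any subdomain of it."""
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)


def looks_like_brand(label: str) -> bool:
    """Assumed brand tokens an impostor domain would borrow."""
    return label == "uu" or "utrecht" in label


def classify_sender(from_header: str) -> str:
    """'internal'  - address is under an allowlisted domain
       'lookalike' - external domain that borrows the organisation's name
       'external'  - any other external sender
       'invalid'   - no parseable address at all"""
    domain = sender_domain(from_header)
    if not domain:
        return "invalid"
    if is_legit_domain(domain):
        return "internal"
    # Inspect every label except the TLD, so 'uu.nl.example.net'
    # (brand name buried in a subdomain) is caught as well.
    labels = domain.split(".")
    host_labels = labels[:-1] if len(labels) > 1 else labels
    if any(looks_like_brand(label) for label in host_labels):
        return "lookalike"
    return "external"


if __name__ == "__main__":
    for hdr in ("Salary Administration <salaris@universiteitutrecht.nl>",
                "ICT Service Desk <servicedesk@its.uu.nl>",
                '"hr@uu.nl" <news@example.com>'):
        print(f"{classify_sender(hdr):10} {hdr}")
```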
Several lessons can be learned from this exercise, Van der Palen and Strijker say. The first one is that people working at a university are humans like anybody else, so they are not necessarily more alert than the average person. Many said they had not noticed the different e-mail address. Therefore, UU must continue to raise awareness on this issue. The phishing e-mail is part of this campaign.
Another finding is that staff members are quick to warn each other about a suspicious e-mail. "That's a great reaction. Someone realises that the e-mail is fake and then immediately warns others. That's why we didn't tell anybody about the e-mail's exact date and content", explains Van der Palen.
About 900 staff members reported to the helpdesk or the Computer Emergency Response Team (CERT). "This kind of report has to be addressed to CERT, not to the helpdesk. If anything, this experience has taught us that our department still needs to become more well-known".