SMU OIT prevents email hacks with “self-phishing” campaign

Hackers often use phishing techniques to infiltrate and compromise an SMU email user's account. Photo credit: SMU

Imagine President R. Gerald Turner sitting down one morning three years ago to read through his emails. He sees an email sent from SMU that says his account will expire unless he clicks the link to restore access. Of course he doesn’t want his account to expire; he’s the president of the university.

He clicked the link and fell for SMU’s first self-phishing campaign.

SMU has been conducting “self-phishing campaigns” since 2012 in hopes that they will educate SMU email users against the dangers of criminals trying to obtain sensitive information through a seemingly innocent and normal email. This type of cyber attack is called phishing.

Hackers can be anyone from anywhere in the world, and their motivations vary. Some hackers have financial motivations and want to sell credit card information on the black market or lock computers until they are paid a ransom. “Hacktivists” want to make a statement as a form of protest. Others simply want to cause mayhem, such as dropping all of your classes on my.SMU.

SMU’s Office of Information Technology (OIT) security team wrapped up the latest self-phishing campaign the week before Thanksgiving. They sent fake emails to 2,500 students and faculty to see if they would fall for the bait and click on the link.

Although only 2.5 percent of students and faculty clicked the fake link in the most recent self-phishing test, there is a growing cyber and phishing threat at SMU.

SMU’s Chief Security Officer George Finney estimates that, in the past, around 100 SMU accounts have been compromised every year, but students and faculty are getting smarter about phishing attacks.

“We were expecting to have around a 5 percent click-through rate this most recent time with our self-phishing. We were shocked that only 2.5 percent of respondents clicked the link – we almost thought that something was wrong with the system,” said Finney.

The click-through rate on the self-phishing tests has decreased over the past three years. Photo credit: Madeline Frizell

Over the last two years there has been a 44 percent increase in monthly phishing attacks. Earlier this year, the OIT security team identified three separate attacks that targeted 180 victims and successfully compromised 17 SMU email accounts.

The SMU OIT security team believes that the best way to prevent these attacks is to educate the SMU population through self-phishing tests.

The security team sends emails from their office to students and faculty disguised to look like various third parties to test how vulnerable different parts of campus are to phishing attacks.

When choosing these emails, the security team selects from a variety of templates of common hacking strategies. The templates can be altered and shown as sent from SMU or any given email address.

If a person clicks on the link in the fake email and “takes the bait,” they will be told what happened and redirected to a brief online training about what to watch out for in the future.

SMU senior Mike Vineis worked at a hedge fund IT security company over the summer, where he consulted for hedge funds on IT and cyber threats.

“Anytime someone receives an email unexpectedly, they must use caution clicking any links within emails. A lot of this is just using common sense,” said Vineis.

The difficult thing about cyber crime is that it is almost impossible to detect the criminals behind the attacks. They often leave no trace and are able to steal sensitive information with ease.

Dr. Frederick Chang is an expert in cyber security. He is the Lyle Endowed Centennial Distinguished Chair in Cyber Security, the Director of the Darwin Deason Institute for Cyber Security and a professor in the computer science department at SMU.

Chang sat in a glass conference room in his office talking passionately about cyber security and how students can protect themselves against hackers.

“To protect yourself against hackers always use hard passwords. There is a trade-off between memorability and security, but it’s always best to use a mix of upper and lower case letters, digits and special characters in a long password,” said Chang.

Chang also suggests being cautious when clicking on emails and websites and installing software updates as soon as a notification appears. Updates are often released to fix security loopholes and vulnerabilities, so every time you click “remind me later” on a software update, you become more vulnerable to hackers.

As software and computer defenders get better at preventing hacks, the attackers adapt. Chang says that today’s hackers are very progressive and are more dangerous than they have ever been.

Senior Kasmira Della Schiava is from Italy and pirated some movies and TV shows since she did not have access to them when living in Europe. Pirating, or illegally downloading, is one of the easiest ways for a hacker to implant malware onto a computer.

“My freshman year I got an email from IT saying they knew I had pirated videos and that I can’t do that. The next time I checked on my computer somehow they had removed all of my videos,” said Della Schiava.

SMU OIT has eyes everywhere. But this is necessary for them to protect against the hackers as they continuously get more creative in their attacks to compromise SMU accounts.

If you believe your account has been compromised, Finney suggests calling the help desk at 214-768-HELP. Suspicious emails can be forwarded directly to spam@smu.edu, where OIT will investigate whether the email is a phishing attempt.

“Phishing touches everybody,” said Finney. “In order to keep this campus safe in the cyber world, we require vigilance from everyone because security is everyone’s job. Our best hope is that we can have a partnership with the community so that they alert us when something does not seem right.”
