Nearly one in five students at Ohio State University clicked on unverified links in emails sent to them as part of a phishing simulation.
On 31 January, the IT risk management office at Ohio State University (OSU) initiated a phishing exercise against the university’s student population. Its intention was to determine how many students would click on the link. The office could then use that information to better educate students.
Gary Clark, the university’s information risk management director, expands upon the office’s motivation for conducting the simulation in the student newspaper The Lantern:
For the individual student, your identity is so critical. It’s really the loss of identity that’s driving us to educate our students. It’s privacy, it’s identity, it’s who you are. Once the attacker has that information, they can use that against you.
Clark did not know how many students had lost their personal details to identity thieves as a result of phishing emails.
In total, 19 percent of students who received the emails clicked on the unverified links contained therein. That means close to 13,000 of the university’s 66,000+ students fell for the simulation.
It’s unclear what percentage of students opened the emails or clicked on the links multiple times.
When clicked, the links led to a page set up by the IT risk management office notifying recipients of the simulation and informing them of ways by which they can detect potentially malicious emails in the future.
Becky Mayse, a security analyst lead at Ohio State, says the simulation is a great start to improving students’ awareness of digital threats but doesn’t fully reflect the sophistication and variety of phishing attacks in circulation today.
“We actually frequently see phishing emails coming into our environment being reported that are far more sophisticated as an attack than what we send,” Mayse notes in The Lantern. “Our phishing emails are relatively easy to spot and are designed to help the user identify how to spot these emails.”
OSU students who think they’ve received a phishing email should report it to the IT risk management office at firstname.lastname@example.org.