Friday, April 26, 2019

SUNY Phishing Training Results

The results are in. First, let me thank everyone for being part of this phishing training exercise; without it we would not be able to improve our technology security measures and awareness.

Many of us (3,839 CCC users) received a phishing email that looked like the following:

"From: CCC IT <security@blackboardinfo.us>
Date: Wed, Apr 10, 2019 at 11:52 PM
Subject: URGENT: Reset your MyCCC password
To: Your Name <YourUserID@corning-cc.edu>

Your First Name,
We have increased our password requirements for security purposes. Please use the link below within 24 hours to maintain access to your account.
Thank you,
CCC IT
This email was intended for Your Name."

This email, which was sent on April 10, 11, and 12, was part of the phishing training exercise. When a user clicked on the "Click here" link, it opened a fake MyCCC login page that asked for the user's login information. Users who logged in were then shown some educational information about phishing, which is shared below. The key indicators that this email was a phishing attempt are that it came from an address that is not an @corning-cc.edu address, it pressured you to act soon or else, and it asked you to click on a link.


Now for the results. The graph below has three columns: the first, "Emails Sent", is the total number of emails sent to all CCC users; the second, "Click Rate", is the number of users who clicked on the "Click here" link; the third is the number of users who logged into the fake MyCCC website:

The graph below shows how CCC compares to other SUNY schools. CCC had a click rate of 17%, slightly higher than the SUNY average click rate of 16%. The form submission rate was significantly higher: 14% of Corning Community College users submitted the form, compared with a SUNY rate of 8%:

Here are a few things you can do to help guard against phishing attacks:
  • Limit what you share online. The less you share about yourself, the smaller the target you are for a phishing attack. Cybercriminals use information you post online to learn how to gain your trust.
  • Protect your credentials. No legitimate company or organization will ask for your username and password or other personal information via e-mail. Your school definitely won't. Still not sure if the e-mail is a phish? Contact your IT help desk at (607) 962-9555.
  • Beware of attachments. E-mail attachments are the most common vector for malicious software. When you get a message with an attachment, delete it—unless you are expecting it and are absolutely certain it is legitimate.
  • Confirm identities. Phishing messages can look official. Cybercriminals steal organization and company identities, including logos and URLs that are close to the links they're trying to imitate. There's nothing to stop them from impersonating schools, financial institutions, retailers, and a wide range of other service providers.
  • Trust your instincts. If you get a suspicious message that claims to be from an agency or service provider, use your browser to manually locate the organization online and contact them via their website, e-mail, or telephone number.
  • Check the sender. Check the sender's e-mail address. Any correspondence from an organization should come from an organizational e-mail address. A notice from your college or university is unlikely to come from YourIThelpdesk@yahoo.com.
  • Take your time. If a message states that you must act immediately or lose access, do not comply. Phishing attempts frequently threaten a loss of service unless you do something. Cybercriminals want you to react without thinking; an urgent call to action makes you more likely to cooperate.
  • Don't click links in suspicious messages. If you don't trust the e-mail (or text message), don't trust the links in it either. Beware of links that are hidden by URL shorteners or text like "Click Here." They may link to a phishing site or a form designed to steal your username and password.
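The three indicators named above (a sender outside @corning-cc.edu, pressure to act within a deadline, and a link to click) can be checked mechanically. The following heuristic is an added illustration, not code from CCC's exercise; both sample messages are constructed and modelled on the quoted training email, and the reset link and sender domain in them are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: corning-cc.edu (named in the post) is the only legitimate sender domain.
ORG_DOMAINS = {"corning-cc.edu"}
# Pressure phrases of the "act soon or else" kind the post warns about.
URGENCY_TERMS = ("urgent", "within 24 hours", "immediately", "maintain access", "lose access")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample modelled on the training email quoted in the post; the link
# and the sender domain are placeholders, not real infrastructure.
PHISH = """From: CCC IT <security@blackboardinfo.us>
Subject: URGENT: Reset your MyCCC password
To: Your Name <YourUserID@corning-cc.edu>

Your First Name,
We have increased our password requirements for security purposes. Please use
the link below within 24 hours to maintain access to your account.
Click here: https://example.invalid/myccc/reset
Thank you,
CCC IT
"""

# Constructed benign notice for contrast: organisational sender, no deadline, no link.
LEGIT = """From: CCC IT <helpdesk@corning-cc.edu>
Subject: MyCCC maintenance window this Saturday
To: Your Name <YourUserID@corning-cc.edu>

MyCCC will be unavailable Saturday 2-4 AM for maintenance. No action is needed.
"""

def phishing_indicators(raw):
    """Check a raw RFC 822 message against the indicators described in the post."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    flags = {
        # 1. the sender address is outside the organisation's domain
        "external_sender": sender_domain not in ORG_DOMAINS,
        # 2. the message demands prompt action under threat of losing access
        "urgency": any(term in text for term in URGENCY_TERMS),
        # 3. the message steers the reader to a link ("Click here" or a raw URL)
        "asks_to_click": bool(URL_RE.search(text)) or "click here" in text,
    }
    # The display name borrows the organisation's identity while the address does not.
    flags["name_impersonates_org"] = flags["external_sender"] and "ccc" in display_name.lower()
    flags["score"] = sum(1 for v in flags.values() if v is True)
    return flags

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(sample))
```

The score is only a triage aid: a real notice from the help desk can still mention a deadline, and an external sender alone is not proof of phishing, so the flags are reported individually rather than collapsed into a verdict.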


Tuesday, April 9, 2019

April 2019: Whaling, SMiShing, and Vishing…Oh My!

Cybercriminals use social engineering—manipulating people into doing what they want—as the most common way to steal information and money. Social engineering is at the heart of all types of phishing attacks—those conducted via email, SMS, and phone calls. Technology makes these sorts of attacks easy and very low risk for the attacker. Make sure you're on the lookout for these variants on the traditional, mass-emailed phishing attack:
  • Spear phishing: This kind of attack uses well-crafted messages that appear to come from a trusted VIP source, often conveying urgency, and targets those who can conduct financial transactions on behalf of your organization (sometimes called "whaling").
  • SMiShing: Literally phishing via SMS, these scams attempt to trick users into supplying information or clicking on links in SMS messages on their mobile devices. Flaws in how caller ID and phone number verification work make this an increasingly popular attack that is hard to stop.
  • Vishing: Voice phishing, meaning calls from attackers claiming to be government agencies such as the IRS, software vendors like Microsoft, or services offering to help with benefits or credit card rates. Attackers will often appear to be calling from a local number close to yours. As with SMiShing, flaws in how caller ID and phone number verification work make this a dangerous attack vector.
No matter the medium, follow these techniques to help prevent getting tricked by these social engineering attacks:
  • Don't react to scare tactics: All of these attacks depend on scaring the recipient, such as with a lawsuit, a claim that their computer is full of viruses, or the fear of missing out on a great interest rate. Don't fall for it!
  • Verify contacts independently: Financial transactions should always follow a defined set of procedures, which includes a way to verify legitimacy outside email or an inbound phone call. Legitimate companies and service providers will give you a real business address and a way for you to contact them back, which you can independently verify on a company website, support line, etc. Don't trust people who contact you out of the blue claiming to represent your company.
  • Know the signs: Does the message or phone call start with vague information, a generic company name like "card services," an urgent request, and/or an offer that seems impossibly good? Hang up or click that delete button!