Friday, April 26, 2019

SUNY Phishing Training Results

The Results are in, first, let me thank everyone for being part of this phishing training exercise without it we would not be able to improve upon our technology security measures and awareness.

Many of us, 3,839 CCC users received a phishing email that looked like the following:


"From: CCC IT <security@blackboardinfo.us>
Date: Wed, Apr 10, 2019 at 11:52 PM
Subject: URGENTReset your MyCCC password
To: Your Name <YourUserID@corning-cc.edu>


Your First Name,
We have increased our password requirements for security purposes. Please use the link below within 24 hours to maintain access to your account.
Thank you,
CCC IT
This email was intended for Your Name."

This email which was sent on April 10, 11, and 12 was part of the phishing training exercise.  When a user clicked on the "Click here" link it opened a web page to log into a fake MyCCC login page where it asked for the user's login information.  If a user logged in they were presented with some educational information about phishing which is shared below.  The key indicators that this email  was a phishing attempt are that it is from a user that is not from an @corning-cc.edu email address, the email wants you to do something soon or else and click on some link.


Now for the results, the below graph has three columns, the first "Emails Sent" column indicates the total emails that were sent to all CCC users, the second "Click Rate" column indicates all users that clicked on the "Click here" link, the third column indicates all users that logged into the fake MyCCC website:


And this below graph shows how CCC compares to other SUNY Schools.  CCC had a click rate of 17%, which is slightly higher than the SUNY average click rate of 16%. The form submission rate was significantly higher with the SUNY rate of 8% compared to 14% of Corning Community College users:

Here are a few things you can do to help guard against phishing attacks:
  • Limit what you share online. The less you share about yourself, the smaller the target you are for a phishing attack. Cybercriminals use information you post online to learn how to gain your trust.
  • Protect your credentials. No legitimate company or organization will ask for your username and password or other personal information via e-mail. Your school definitely won't. Still not sure if the e-mail is a phish? Contact your IT help desk (607)962-9555. 
  • Beware of attachments. E-mail attachments are the most common vector for malicious software. When you get a message with an attachment, delete it—unless you are expecting it and are absolutely certain it is legitimate.
  • Confirm identities. Phishing messages can look official. Cybercriminals steal organization and company identities, including logos and URLs that are close to the links they're trying to imitate. There's nothing to stop them from impersonating schools, financial institutions, retailers, and a wide range of other service providers.
  • Trust your instincts. If you get a suspicious message that claims to be from an agency or service provider, use your browser to manually locate the organization online and contact them via their website, e-mail, or telephone number.
  • Check the sender. Check the sender's e-mail address. Any correspondence from an organization should come from an organizational e-mail address. A notice from your college or university is unlikely to come from YourIThelpdesk@yahoo.com.
  • Take your time. If a message states that you must act immediately or lose access, do not comply. Phishing attempts frequently threaten a loss of service unless you do something. Cybercriminals want you to react without thinking; an urgent call to action makes you more likely to cooperate.
  • Don't click links in suspicious messages. If you don't trust the e-mail (or text message), don't trust the links in it either. Beware of links that are hidden by URL shorteners or text like "Click Here." They may link to a phishing site or a form designed to steal your username and password.