When you think about hacking, you usually think about a dark room, a shadowy figure and rolling green text on a black screen. However, in most cases, exploiting human nature is the easiest path into any organization. The tactic involving the exploitation of that human factor is better known as social engineering. In 2022, the Federal Trade Commission reported that over $8.8 billion was lost through impersonation techniques, with over 2.4 million reports filed. Not only do social engineering attacks affect everyday people, but a recipient's interaction with them can allow attackers to perform large-scale breaches and ransomware attacks that expose sensitive information to the world.
To help our students prepare for this uphill battle, our IT Security department led an initiative to expand phishing campaign training simulations. The push to expand this experience, usually intended for faculty and staff, to now include students stems from the continuous learning model that Madison College strives to achieve.
The campus-wide initiative took place on Feb. 14 and consisted of 38,378 additional emails being sent out to students. As of Feb. 20, the statistics gathered from this campaign have laid out a clear starting line from which we can improve. Out of the emails sent, only 0.74% of students reported the email, 4.96% deleted the email, and 86.76% of students simply ignored it.
Some reading this article may disregard the statistics as irrelevant to their situation, but these numbers truly do have a significant impact on both their lives and professional careers. Bad actors will consistently seek out every opportunity to infiltrate an organization but will most commonly begin with social engineering techniques. So, whether you are entering the healthcare, business, manufacturing, or design sectors, you are just as much of a target as the next person. Without the proper training and commitment to safe practices, you are even more vulnerable in this situation.
On a larger scale, the breaches we see on the news are mostly a result of phishing campaigns and other social engineering tactics. The scale of these attacks can range from an individual to massive disruption of businesses or even our country. The trading and logistics infrastructure runs on precise planning and on maintaining data integrity. We have seen the damage that nation-state actors have caused through pipeline disruption in the past, and this is not the last time we will come across those threats.
The threats demonstrated in this learning experience are very similar to those we face in our personal lives and professional careers. This campaign was intended to raise awareness and promote email hygiene. To do this, we provide a short training program to help you keep yourself safe from future threats that could have real-world consequences.
One of the most common beliefs is that the solution to the issue is to simply ignore or delete the email, which was demonstrated in the statistics we received from this campaign. Unfortunately, that does not solve the problem. Reporting a suspicious email as phishing or spam is as easy as a few clicks and can even save countless others throughout campus from these threats. Features made available through Google or Microsoft also make it easier to report these threats and, in turn, add to their available data to improve their automated phish detection technology.
The future of security will always rely on human nature, and we will never see the end of these attacks. The days of easily sniffing out phishing emails and scam calls through broken grammar are reaching their end. With the evolution of AI and voice manipulation, the threat is more potent than ever.
To help combat this and strive for a safe digital environment for Madison College, the IT Security department plans on continuing phishing education opportunities. It’s important to emphasize that as helpful as the statistics from this simulation have been, they aren’t the only focus.
The point of this exercise was not to shame or frustrate but to educate. These numbers give us a starting point where we can find and implement new ways to keep ourselves and each other safe. Our hope is that this experience will help people identify and report suspicious emails. We’d rather have someone click on one of our emails than click on one from a bad actor.
To learn more about social engineering, provide feedback, or suggest opportunities for education, please email us at [email protected].