Campuswide Phishing Training Begins This Month


The Georgia Tech Cyber Security Team is going phishing.

Later this month, the group will conduct a campuswide phishing exercise to help educate students, faculty, and staff on cybersecurity risks and how to identify phishing threats in an email.

The exercise, which will take the form of a regular email, will contain a link to a non-Georgia Tech page that will ask you to enter your Georgia Tech login credentials. There will be apparent red flags in the email, though, that should raise suspicion and stop recipients from taking the proverbial bait. Anyone who enters a username and password on this fake page will be directed to an onscreen training page with tips on how to avoid a real threat.

“This is a non-punitive exercise, so information about individuals who provided their username and password will not be shared,” said Jason Belford, interim associate director for Georgia Tech Cyber Security. “We will review the results to help us refine our future training efforts. It is critical to conduct these continuous training exercises to help build and maintain awareness throughout the entire community.”

Georgia Tech Cyber Security has seen positive results when it has conducted similar exercises with individual departments and small groups of users on campus. In past exercises among those on campus who had not had phishing training, around 20 to 25 percent of people fell prey to the fake email. Following training, that percentage decreased to around 3 to 5. This month’s exercise, supported by the Office of the President, is the first campuswide phishing exercise and will be repeated every semester.

How big of a problem is phishing on campus? Last year, hundreds of accounts were compromised — a significant increase from previous years that has grown even larger this year. Belford notes that all notable hacks in recent years, such as those involving Target and The Home Depot, began with a phishing message.

While preventing all forms of phishing is not possible, one safeguard users can employ is to always check where a link in an email points before clicking. This can be done by hovering over the link, or by touching and holding on the link to preview it if you use a smartphone. If the domain doesn’t match what you expect, that should be a giveaway. For more information, visit www.security.gatech.edu/phishing.

Those on campus who think they have received a phishing message should forward it to phishing@gatech.edu, or just delete it. Forwarding such messages to Cyber Security helps the team use them to increase operational effectiveness as well as better understand current phishing trends.

The phishing exercise will hit inboxes in late October, coinciding with National Cyber Security Awareness Month.