University of California Santa Cruz Runs Phishing Test, Creates Ebola Scare
The University of California Santa Cruz (UCSC) ran a fake email warning about a staff member infected with the Ebola virus as a phishing training exercise, creating a backlash. Learn more about the incident and best practices for phishing tests.
- UC Santa Cruz officials apologized for sending an email to train employees to recognize scam or phishing emails, which resulted in an Ebola scare instead.
- In addition to regular cybersecurity training for employees, UCSC conducts simulated phishing campaigns to remind faculty and staff about recognizing and handling suspicious emails.
The University of California, Santa Cruz (UCSC) recently found itself at the center of controversy after a phishing test to improve security awareness among staff and students went wrong. The test attempted to simulate a real-world phishing attempt by falsely claiming an Ebola outbreak on campus, but instead, it resulted in a scare.
The Phishing Test
In August 2021, UCSC’s Information Technology Services (ITS) department conducted a phishing test to assess the campus’ vulnerability to such cyber attacks. The email, designed to mimic a phishing attempt, stated that there was an Ebola outbreak on campus and urged recipients to click on a link for more information.
However, the link did not lead to any health-related information. The scenario was fabricated to check whether recipients would click on the link and potentially give up their login credentials, a tactic often used in actual phishing attempts.
Despite its good intentions, the email caused a scare, made worse by its lack of clarity. The result was a wave of complaints against the ITS department, which issued an apology the same day, and the university had to reassure the local community that there was no Ebola outbreak.
The Fallout
The phishing test was met with complaints, with students, their parents, and staff speaking out about the incident on official channels and social media. They argued that such a move was dangerous and irresponsible, given that it invoked a public health crisis.
Van Williams, the Chief Information Officer at UCSC, officially apologized, acknowledging that the test was poorly thought out and executed. The university has vowed to review its practices to avoid such incidents in the future.
Phishing Test Best Practices
The incident at UCSC highlights the importance of careful planning and execution of phishing tests. While such tests can bolster cybersecurity awareness, they should be conducted in a way that does not cause undue harm or fear. Some best practices that should be considered include:
- Avoid Sensitive Topics: Phishing tests, especially unanticipated ones, should not cause confusion or fear, and topics such as health crises, threats of violence, or natural disasters should be avoided.
- Reviews: The outcome of every phishing test should be analyzed closely to assess efficacy and to ensure that future tests are optimized based on the feedback.
- Consent: Employees can be told that phishing tests may occur, without being given specifics. This helps bolster vigilance and minimizes the perception of deception.
- Clear Communication: The message in a phishing email should be clear and not incite confusion or fear. If there is any concern, prompt and clear communication is key to eliminating misunderstandings.
- Follow-Ups: After a phishing test, organizations should provide feedback to their teams, including the test’s purpose, what people should look out for, and how to avoid such attacks in the future.
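As an added example (not from the article, UCSC, or any named simulation tool), the five practices above can be encoded as a pre-flight check that a security-awareness team runs before a simulated campaign goes out. The `Campaign` fields and the sensitive-term lists are hypothetical and would need tuning per organization.

```python
import re
from dataclasses import dataclass

# Lure topics the article says should never be used, keyed by practice area.
# Term lists are constructed for this example and would need tuning per organization.
SENSITIVE_TERMS = {
    "health crisis": ["ebola", "outbreak", "infected", "quarantine", "pandemic"],
    "threat of violence": ["shooter", "bomb", "lockdown"],
    "natural disaster": ["earthquake", "wildfire", "evacuat", "flood"],
}

@dataclass
class Campaign:
    """Hypothetical description of a planned simulation (not a real tool's schema)."""
    subject: str
    body: str
    staff_notified_of_program: bool  # Consent: staff know simulations happen
    debrief_page_configured: bool    # Follow-ups: lesson shown after the click
    review_owner: str                # Reviews: who analyses the outcome
    concerns_contact: str            # Clear communication: where to ask if worried

def sensitive_topic_hits(text: str) -> dict[str, list[str]]:
    """Return {topic: [matched terms]} for any sensitive term found at a word start."""
    lowered = text.lower()
    hits = {}
    for topic, terms in SENSITIVE_TERMS.items():
        found = [t for t in terms if re.search(r"\b" + re.escape(t), lowered)]
        if found:
            hits[topic] = found
    return hits

def preflight(c: Campaign) -> list[str]:
    """Return blocking findings; an empty list means the plan may proceed to review."""
    findings = []
    for topic, terms in sensitive_topic_hits(f"{c.subject}\n{c.body}").items():
        findings.append(f"sensitive topic ({topic}): {', '.join(terms)}")
    if not c.staff_notified_of_program:
        findings.append("consent: staff have not been told simulations may occur")
    if not c.debrief_page_configured:
        findings.append("follow-up: no debrief page for people who click")
    if not c.review_owner.strip():
        findings.append("review: nobody assigned to analyse the outcome")
    if not c.concerns_contact.strip():
        findings.append("communication: no contact for recipients with concerns")
    return findings

if __name__ == "__main__":
    # Constructed lure resembling the incident described above (not the real email).
    lure = Campaign("URGENT: Ebola case confirmed on campus",
                    "A staff member has been infected. Click here for details.",
                    staff_notified_of_program=False, debrief_page_configured=False,
                    review_owner="", concerns_contact="")
    for finding in preflight(lure):
        print("BLOCK:", finding)
```

Run as a script it prints one BLOCK line per failed practice for the constructed Ebola-style lure; a lure with a mundane theme and all four process fields filled in returns no findings.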
Takeaways
The UCSC phishing test highlights the importance of balancing security awareness with the potential for causing fear. Execution of such tests should always be handled with caution. As organizations continue to fight an uphill battle against threat actors, adopting responsible and well-thought-out practices is vital to maintaining internal security and trust.