Officials at UC Santa Cruz expressed regret for sending employees an email meant to teach them how to spot phishing or scam messages, which instead set off a panic over a supposed Ebola outbreak.
UCSC runs simulated phishing campaigns alongside its regular cybersecurity training so that faculty and staff remember how to identify and handle suspicious emails.
After a phishing test intended to raise staff and student security awareness went wrong, the University of California, Santa Cruz (UCSC) found itself at the center of controversy. The test tried to imitate a real-world phishing attack by falsely claiming that there was an Ebola outbreak on campus. Instead, it caused a panic.

The Phishing Test

To gauge the campus's susceptibility to such attacks, the Information Technology Services (ITS) department at UCSC carried out a phishing test in August 2021. The email, designed to look like a phishing scam, told recipients that there was an Ebola outbreak on campus and urged them to click a link for more details.
The link led to no health information. It was a concocted scenario to see whether recipients would click and hand over their login credentials, which is a common strategy in real phishing attempts.
Despite its good intentions, the email alarmed recipients, and its lack of clarity made matters worse. Complaints were filed against the ITS department, which had to apologize the same day, and the university had to reassure the community that there was no Ebola outbreak.
The Fallout

Students, staff, and their parents voiced their displeasure with the phishing test through official channels and social media. Because it was tied to a public health crisis, they argued that it was reckless and dangerous.
The Chief Information Officer at UCSC, Van Williams, issued an official apology and acknowledged that the test was poorly planned and carried out. To prevent similar incidents in the future, the university has pledged to review its procedures.
Best Practices for Phishing Tests

The UCSC incident shows how important it is to plan and run phishing tests carefully. Such tests can raise cybersecurity awareness, but they should be done without frightening or harming people. Consider the following recommended practices:
Avoid Sensitive Subjects: Phishing tests, especially unexpected ones, should not leave people confused or afraid. Avoid topics such as health emergencies, threats of violence, or natural disasters.
Reviews: The outcome of each phishing test should be examined carefully to gauge its effectiveness and to improve future tests based on the findings.
Consent: Employees can be told that phishing tests may occur, without being given specifics. This supports vigilance and lessens the impression of deception.
Clear Communication: The message in a test email should be clear enough not to cause confusion or fear, and when a concern is raised, prompt and precise communication avoids misunderstandings.
Follow-Ups: Organizations should provide their teams with feedback following a phishing test, explaining the purpose of the test, what to watch out for, and how to avoid similar attacks in the future.
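One way to turn the practices above into a pre-launch gate is to review each simulated-phishing campaign definition before it is sent. The following Python script is an added example written for this article, not code from UCSC or its ITS department; the campaign fields, the topic word lists, and the two sample campaigns are all constructed for illustration, and a real program would tune them to its own policy.

```python
"""Pre-launch review gate for simulated phishing campaigns (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed word lists for the subject areas the article says a test should avoid.
# Deliberately narrow: generic words like "virus" would flag ordinary IT lures.
SENSITIVE_TOPICS: Dict[str, List[str]] = {
    "health emergency": ["ebola", "outbreak", "pandemic", "quarantine", "measles"],
    "violence": ["shooter", "shooting", "bomb", "lockdown"],
    "natural disaster": ["earthquake", "wildfire", "evacuat", "flood", "hurricane"],
}

# Assumed maximum gap between launch and the follow-up debrief.
MAX_DEBRIEF_DELAY = timedelta(days=14)


@dataclass
class Campaign:
    """Hypothetical campaign record as a simulation tool might store it."""
    name: str
    subject: str
    body: str
    landing_page_explains_test: bool   # landing page reveals the test and gives guidance
    staff_notified_of_program: bool    # staff told that simulations happen (no dates)
    launch: date
    debrief: Optional[date]            # scheduled follow-up communication
    review_owner: Optional[str]        # person who signs off on the results


def find_sensitive_topics(text: str) -> Dict[str, List[str]]:
    """Map each sensitive topic to the terms from it found in the text."""
    lowered = text.lower()
    found: Dict[str, List[str]] = {}
    for topic, terms in SENSITIVE_TOPICS.items():
        hits = [term for term in terms if term in lowered]
        if hits:
            found[topic] = hits
    return found


def review_campaign(c: Campaign) -> List[str]:
    """Return blocking findings; an empty list means the campaign is cleared."""
    findings: List[str] = []
    for topic, hits in find_sensitive_topics(c.subject + " " + c.body).items():
        findings.append(f"sensitive topic '{topic}' ({', '.join(hits)})")
    if not c.landing_page_explains_test:
        findings.append("landing page must reveal the test and give guidance")
    if not c.staff_notified_of_program:
        findings.append("staff have not been told that simulations occur")
    if c.debrief is None:
        findings.append("no follow-up debrief scheduled")
    elif c.debrief - c.launch > MAX_DEBRIEF_DELAY:
        findings.append("debrief scheduled too long after launch")
    if not c.review_owner:
        findings.append("no owner assigned to review the results")
    return findings


# Constructed sample resembling the campaign described in the article.
BAD_CAMPAIGN = Campaign(
    name="campus-alert",
    subject="Urgent: Ebola outbreak on campus",
    body="Click the link for more details.",
    landing_page_explains_test=False,
    staff_notified_of_program=False,
    launch=date(2021, 8, 2),
    debrief=None,
    review_owner=None,
)

# Constructed sample of a low-alarm lure with the recommended safeguards in place.
GOOD_CAMPAIGN = Campaign(
    name="mailbox-quota",
    subject="Your mailbox is almost full",
    body="Review your storage quota. Questions? Contact the ITS help desk.",
    landing_page_explains_test=True,
    staff_notified_of_program=True,
    launch=date(2021, 8, 2),
    debrief=date(2021, 8, 9),
    review_owner="security awareness lead",
)

if __name__ == "__main__":
    for campaign in (BAD_CAMPAIGN, GOOD_CAMPAIGN):
        issues = review_campaign(campaign)
        status = "BLOCKED" if issues else "cleared"
        print(f"{campaign.name}: {status}")
        for issue in issues:
            print(f"  - {issue}")
```

Running the script blocks the first campaign on five findings (the health-emergency wording plus the four missing safeguards) and clears the second. The keyword check is a coarse first filter; the structural checks (disclosure page, prior notice, scheduled debrief, named reviewer) are what make the gate useful, since they fail closed on the process gaps rather than on a particular word.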
Conclusions

The UCSC phishing test shows why security awareness must be balanced against the risk of frightening people. Care should always be taken when running such tests. As organizations continue to contend with threat actors, responsible and well-thought-out practices are essential to preserving both internal security and trust.