
IT Security Team Offers up Fishing Prize to Thwart Phishers

This tackle box is the grand prize in the phishing tournament.

The IT Security Team is conducting a phishing tournament at Utah State University from May 23 to June 4.

The team is offering a “cool fishing tackle box” as a grand prize even though the type of phishing it is keyed into has everything to do with cyber security and nothing to do with snagging fish. Phishing is a term hackers coined in 1996 that has come to be a label for a wide variety of online email fraud aimed at deceiving victims into giving up passwords, money, or other valuable information.

Those who spot suspicious emails and report them to phish@usu.edu between May 23 and June 4 will be entered into a drawing for the fishing tackle box.

Bob Bayn, a network security analyst in IT, spends much of his time trying to protect USU from phishing attacks and dealing with the headaches caused when the misleading emails are successful. So far in 2016, USU identified and thwarted more than 600 separate phishing attacks.

The Ponemon Institute, an independent private research firm that investigates privacy, data protection and information security policy, estimates that phishing costs the average 10,000-employee company about $4 million a year.

Bayn said part of what runs up that phish-related tab is the time and work that must be invested to deal with the aftermath of a successful attack. Some 90 percent of the time phishers are trying to gain access to someone’s email account, Bayn said. And many times, when they are successful, they will use your account to launch a spam campaign going out to 50,000 to 100,000 or more recipients.

“Once black hats have access to your email account they can do all sorts of damage,” Bayn said. “Universities are attacked far more often than you might think. We fight back, however. At USU there are hundreds of people who notify us when they spot a suspicious message and that allows us to warn others at USU of the bogus emails before they trip up someone. I consider anyone who helps us out by reporting such emails part of my ‘internet skeptic team.’”

Bayn has been at it for several years educating people and urging them to become internet skeptics. He said, overall, USU employees have become quite good at thwarting phishing attempts and that brings the vast majority of the attacks to a premature and swift end.

When someone does report a phishing message, Bayn consistently takes a number of steps, such as warning others at USU who have also received the message, blacklisting the link so it won’t work anymore at USU, and notifying the hosting service that the phishers used. He also lets phish-tracking websites know about it and takes a number of other steps that might collectively force a cyber-crook to go back to the drawing board.

“They will keep coming up with new approaches to get around our filters,” Bayn said. “That’s why I value our internet skeptics so much and that’s why they play such a critical role in cyber security for USU.”

Bayn said that USU gets between 1 and 1.8 million email messages a day and only about 90 thousand of them are delivered because USU’s filters take out so much spam and unwelcome email.

While Bayn said he appreciates it when someone just forwards an email to phish@usu.edu, there is a way to do it that gives him more information about the attacker. Click here to learn more about how to detect phishing messages and the best way to forward them to phish@usu.edu.

Miles Johnson leads USU’s IT Security Team. It was his idea to do the contest as an experiment to see if it would remind people of the importance of reporting phishing attacks.

“We aren’t offering up a new car, of course, but we bought a pretty cool fishing tackle box that could be used for more than just organizing fishing supplies,” he said. “We stocked it with stuff like Gummy Worms and other fun things.”

Johnson said that Bayn has dealt very effectively with phishing issues for several years and as a result of his efforts hundreds of people report suspicious emails to him. There’s a downside to Bayn’s success, however, Johnson said.

“Many people report things directly to Bob, instead of to phish@usu.edu, an email address we have set up for this kind of thing,” he said. “That’s a problem because Bob is retiring in August.”

For more information about the most effective ways to recognize and report phishing attempts see the story on the it.usu.edu web page headlined, “IT Security offers tips for recognizing and reporting phishing attempts.”

Writer and contact: Steve Eaton, IT communications, 797-0059, steve.eaton@usu.edu

