On a regular basis, UD Information Technologies sends out a phishing challenge email to a randomly selected group of UD employees. This email provides the UD community with an opportunity to practice proper handling of common phishing messages sent by fraudsters. It’s important for you to report the phishing challenge, as well as any concerning email message that you receive, to reportaphish@udel.edu.
In the paper A Study of Social Engineering in Online Frauds, the authors found that the five most common methods of persuasion used were authority, urgency, fear/threat, politeness, and formality [1]. Phishers harvest public information, such as organizational charts or departmental staff lists, to impersonate coworkers or supervisors – leveraging the factor of authority and appealing to urgency and politeness – to induce missteps in the proper handling of a message. Phishers try to get UD employees to take actions that serve the phisher’s interests (e.g., changing your payroll direct deposit routing number or paying an invoice to a new bank account).
With the sophistication of attacks increasing, we are taking advantage of new features in our platform to begin incorporating some of the same data, such as supervisor or department name, into our challenges.
How to handle a phishing message
Not sure if the email you just received is legitimate? First, check the sender’s email address carefully for misspellings or inconsistencies (udel.org instead of udel.edu). If the alleged sender is part of UD, try to contact them through a verifiable method like the UD Directory. Next, check for strange or disjointed phrasing in the text of the message. Finally, review the destination of URLs for suspicious elements. If any of these checks have you concerned, or if you confirmed that the alleged UD contact did not send the message, forward it to reportaphish@udel.edu. (You can always forward any suspicious message to reportaphish@udel.edu.) The Information Security Office assesses all reported messages and takes the necessary steps to protect the UD community.
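The first and last of the checks above (a sender domain that resembles udel.edu, and a link whose visible text does not match where it actually goes) can be automated for triage. The following script is an added example, not UD's reporting tooling; the message it parses is constructed for illustration, and the lookalike heuristics (same name under a different top-level domain, the trusted name embedded in another domain, or one edit away from it) are the author's assumptions about what a reviewer would want flagged.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not a real UD message): the sender domain is udel.org
# rather than udel.edu, and the link's visible text disagrees with its target.
SAMPLE_MESSAGE = """\
From: "Payroll Office" <payroll@udel.org>
To: staff@udel.edu
Subject: Urgent: confirm your direct deposit today
Content-Type: text/html

<p>Please confirm your routing number at
<a href="http://udel-payroll.example.com/login">https://my.udel.edu/payroll</a>
before 5 PM.</p>
"""

TRUSTED_DOMAIN = "udel.edu"  # the institution's real domain, from the page


def levenshtein(a, b):
    """Edit distance between two strings (classic row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted=TRUSTED_DOMAIN):
    """True when `domain` is not the trusted domain (or a subdomain of it) but
    resembles it closely enough that a reader could mistake the two."""
    domain = domain.lower()
    if domain == trusted or domain.endswith("." + trusted):
        return False
    # Same name under a different top-level domain: udel.org vs udel.edu.
    if domain.rsplit(".", 1)[0] == trusted.rsplit(".", 1)[0]:
        return True
    # Trusted name embedded in an unrelated domain: udel-payroll.example.com.
    if trusted.split(".")[0] in domain:
        return True
    # A single typo or swapped character away from the real domain.
    return levenshtein(domain, trusted) <= 1


def sender_domain(msg):
    """Domain of the address in the From: header."""
    addr = email.utils.parseaddr(str(msg["From"]))[1]
    return addr.rsplit("@", 1)[-1].lower()


def extract_links(html):
    """Yield (href, host shown in the link text or None, host the href goes to)."""
    pattern = r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>'
    for href, text in re.findall(pattern, html, re.S | re.I):
        target_host = (urlparse(href).hostname or "").lower()
        shown = text.strip()
        shown_host = None
        if shown.lower().startswith(("http://", "https://")):
            shown_host = (urlparse(shown).hostname or "").lower()
        yield href, shown_host, target_host


def triage(raw_message):
    """Return a list of (finding, value) pairs a reviewer should look at."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    dom = sender_domain(msg)
    if is_lookalike(dom):
        findings.append(("sender-lookalike", dom))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for _href, shown_host, target_host in extract_links(html):
        if shown_host and shown_host != target_host:
            findings.append(("link-text-mismatch", target_host))
        if target_host and is_lookalike(target_host):
            findings.append(("link-lookalike", target_host))
    return findings


if __name__ == "__main__":
    for finding, value in triage(SAMPLE_MESSAGE):
        print(f"{finding}: {value}")
```

Any finding is a reason to forward the message to reportaphish@udel.edu rather than act on it; the script is a prompt for the human checks the section describes, not a replacement for them.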
What do we do with the results of these challenges?
Some have expressed concern over what happens when they click on links in these simulated phishing messages. The only metric we are focused on is the rate at which UD users report messages to reportaphish@udel.edu. We are NOT reporting other data metrics.
Since 2017, the UD community has increased its reporting rate of phishing emails more than threefold, to nearly 20%.
Even if you click on a phishing link, always report the message. When it’s a UD challenge, we increase our reporting rate and gain greater understanding of our community’s awareness about phishing. When it’s a real phish, we can help reduce or prevent the consequences to you and the UD community.
Looking for more? Check out our Phishing Resource page.