We recently ran a phishing simulation using a new service we purchased – Sophos Phish Threat.
Phishing involves sending someone a message, usually via email, pretending to be someone else. The goal is to capture the person’s credentials by tricking them into clicking a link and entering their username and password into a fake login page.
The Sophos Phish Threat service simulates an email phishing attack. It provides us with information on how many staff detected and reported the email, and how many were tricked into entering their credentials.
The results from this recent simulation show a marked improvement from the one we ran using Duo Security in December 2019. The number of staff who were tricked dropped by 82.7% and the number of staff who reported the phishing email as spam improved by 64.8%. These are very encouraging results.
Cyber-attacks have become more focused on exploiting the human element to bypass security controls. The intent is to gain unauthorised access to computing systems and information for cybercrime or political purposes.
Tricking a staff member to disclose their password, rather than trying to defeat strong technical controls, can be a more effective way to gain unauthorised access to Charles Sturt information.
Running phishing simulations helps us to measure the effectiveness of our security awareness training. We can use the results to better target our training for the greatest impact.
Protect yourself and the university
There are many ways to detect phishing emails. To brush up on your detection skills, watch this 1-minute video from the Australian Cyber Security Centre.
If you do spot a phishing email you can report it using the “Report as Spam” button on your Outlook ribbon or forward the email to firstname.lastname@example.org.
If you think you have been tricked into disclosing your Charles Sturt password you should change it immediately.
For further information or advice on phishing or other IT security matters contact the IT Service Desk.