ET&S Strategic Communications
illustration of a cybercriminal (courtesy of Pixabay)

UNH is a gold mine of personal data, and that’s why we’re an attractive target for aggressive phishing attacks. The best way to prevent attacks is to empower individuals with the knowledge and training needed to identify phishing emails and handle them safely. 

Over the past two years, Enterprise Technology & Services (ET&S) has increased its prevention efforts by launching an awareness program to educate UNH students, faculty and staff on how to identify, avoid and report phishing attacks. The program includes in-person presentations to UNH departments, the introduction of The Phish Bowl, an online Canvas training course, and outreach at the last two University Days. ET&S also conducts periodic phishing simulations designed to mimic real phishing attacks and give UNH community members a realistic experience in a safe and controlled environment.

UNH Experience

The UNH ET&S Phishing Awareness Program produced favorable results for employees. Since its launch for employees in fall 2017, the program decreased susceptibility: 

  • Compromised Data Entry — 82% decrease in credential entry 
    • What this means: phishing emails often try to trick recipients into entering their username and password on a fake website, thus capturing these credentials. During the first year of the program, the number of faculty and staff entering credentials decreased by 80%.
  • Malicious attachments — 50% decrease in susceptibility 
    • What this means: many phishing emails include malicious attachments. Throughout this program, the number of faculty and staff who opened malicious attachments decreased by 50%.

Timing Matters

Across all campaigns, the first four hours of an attack are the highest risk for user susceptibility, which is why reporting is so essential. The sooner we all report phishing attacks, the faster ET&S can post to the Phishbowl and spread the word. 

Over the life of the phishing awareness program, employee reporting gradually increased by 30%, measured from the first simulation in which ET&S tracked the number of people who reported the email to the most recent campaign.

Students

In fall 2019, students received communication about UNH phishing awareness efforts before receiving their first simulated phishing emails. In the first simulated phishing attack against students:

  • 8% of all students clicked on the link included in the fake phishing message
  • 3% entered their credentials 

While these numbers are relatively favorable, when you consider the size of the student body, 3% equates to more than 650 students who provided their credentials. Additionally, it became clear students don’t know what to do when they receive an email they suspect is phishing. To address this, ET&S was set to launch a student-centric phishing awareness push during the spring semester 2020, but it was postponed due to the COVID-19 shutdown.