On December 3rd, 2014, Information Security and Policy (ISP) sent a simulated phishing email to all staff and faculty as part of a new phishing educational campaign. The email used the same tricks phishers use to get recipients to lower their guard and give up sensitive information. The first simulated phish informed recipients that their accounts would be terminated it they did not click on a link and enter their password within 24 hours.
On January 23rd, a follow-up simulated phishing email was sent to only those staff and faculty who fell victim to the first phish.
The purpose of this campaign is educational. Information about individual responses will NOT be shared with supervisors or HR. The goal of this simulated phishing campaign is to help you to learn how to spot a phish!
How did we do?
The majority of staff and faculty did not respond to December's email, by clicking on the link. However, approximately 330 staff and faculty members (2.2%) fell for the phish and clicked on the link. On January 23rd we sent a follow-up email only to those who fell victim to December's phish. This time, 117 (35%) again fell victim.
Had this been a real phishing attack, those individuals who clicked on the link could have compromised their CalNet credentials or become infected with a computer virus designed to steal their sensitive data or account information.
Next Month's Simulated Phish
Each month ISP will send out an increasingly more sophisticated phish using the same tactics phishers use to trick you into lowering your guard.
Next month's simulated phishing email may be addressed to you personally. Or, the link in the email may send you to a page that looks very similar to a trusted site. After you land on a webpage check the address bar again. Before you enter your CalNet credentials make sure the URL starts with "https://auth.berkeley.edu/".
Trusted UCB authentication pages will never have anything phishy BEFORE the first single slash. Fraudulent login screens designed to steal your credentials may LOOK authentic if you're not paying attention to the URL.
We want you to keep your guard up. Always ask for help if you suspect anything looks phishy by contacting firstname.lastname@example.org.
Visit our Phishing resources page for more information on how to protect yourself against scams.