We’ve all heard of phishing scams, but how many of us are truly aware enough to resist one?
Rachel Cleary ’21 wanted to find out. The recent computer science graduate took an Intro to Cybersecurity course at Siena and knew she had found her calling. She signed up for all the classes she could on the topic, but wanted to take her studies even further so she could better leverage herself for the job market.
She developed a semester-long independent study project on phishing with the help of Jack Armitage, M.S., visiting instructor in computer science. She asked for student and faculty/administrator volunteers via the Daily Digests in an effort to determine just how susceptible people are to fraudulent emails that try to trick people into revealing personal information such as passwords or credit card numbers, or that can introduce malware into a user’s system.
Don’t feel bad, Siena. Even though this is a highly educated crowd, 19 percent of students and 15 percent of faculty/admin volunteers clicked a link on Cleary’s trick message related to COVID stimulus funding. No worries – no one actually shared any digits or passwords in the study.
“Honestly, it surprised me a little,” said Cleary.
If the volunteers already knew they would be participating in a phishing study, didn’t they know to be on alert for a scam? Cleary got around that by waiting a few weeks between confirming their participation and launching her carefully crafted email related to a current event: stimulus funds.
“…We are writing to provide you with information about last minute changes made to qualifications for stimulus for working families. If you are interested in finding out if you are eligible, complete the Stimulus Eligibility Inquiry [with a link] and we will contact you with more information.”
It was signed by the “Siena College COVID Relief Team.”
“I wanted to get real experience on what makes people click on a phishing letter, in real time with human subjects,” said Cleary. “The goal was to increase awareness about phishing and how dangerous it can be.”
Armitage said the entire project was approved by various College departments. Cybersecurity studies like these are considered “ethical hacking” as no personal information was revealed, subjects agreed to participate, and the study was designed for educational and research purposes.
Angelo Santabarbara, Director of Networks and Systems in ITS, assisted Cleary in setting up her research.
“Phishing is something that occurs regularly against higher education accounts. Scammers are constantly trying to create emails that look trustworthy in order to steal information and account access,” said Santabarbara. “Rachel did a great job impersonating a hacker using basic and free tools to design a very successful phishing campaign. Research like this reinforces how critical it is to train the community about identifying and avoiding common cybersecurity perils.”
When the project results were evaluated and written up, Cleary sent out a debriefing email to all volunteers on May 21. She shared advice on how to spot phishing emails and how to avoid getting caught by them.
“Any sender can change the sender label to make it show up as something it’s not,” she said. “Also, phishing messages can use actual compromised accounts within an organization, which makes it very hard to tell if it’s legitimate. Always stop to ask yourself if the request makes business sense.”
Other tips:
- Check with Siena’s ITS department if you have questions about an email.
- Never give out personal info or documents unless it’s to a trusted, verified source.
- If you feel rushed to respond or if there are unusual incentives, that’s a good sign it could be phishing.
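The three red flags above (a spoofed sender label, pressure to act, an unusual incentive) can be checked mechanically before a reader decides whether a message "makes business sense". The following is an added example written for this article, not code from Cleary's study or Siena ITS; it assumes siena.edu as the home domain and runs against a constructed message modelled on the study's stimulus lure, with invented addresses and URL.

```python
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "siena.edu"  # assumed home domain of the organisation
URGENCY_PHRASES = ("last minute", "act now", "immediately", "within 24 hours")

# Constructed sample modelled on the study's lure; addresses and URL are invented.
SAMPLE_LURE = """From: "Siena College COVID Relief Team" <relief-team@example.net>
Reply-To: stimulus-help@example.org
To: student@siena.edu
Subject: Last minute changes to stimulus eligibility

We are writing to provide you with information about last minute changes
made to qualifications for stimulus for working families. Complete the
Stimulus Eligibility Inquiry at https://stimulus-inquiry.example.net/form
and we will contact you with more information.
"""

def _domain(address):
    return address.rpartition("@")[2].lower()

def phishing_indicators(raw_message, org_domain=ORG_DOMAIN):
    """Return (code, detail) pairs for the red flags the tips describe."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain(sender)
    # Display name borrows the organisation's name, but the address is elsewhere.
    if org_domain.split(".")[0] in display_name.lower() and sender_domain != org_domain:
        findings.append(("display-name-mismatch", f"'{display_name}' sent from {sender_domain}"))
    # Replies are silently diverted to a third domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != sender_domain:
        findings.append(("reply-to-mismatch", _domain(reply_to)))
    body = (msg.get_body(preferencelist=("plain",)) or msg).get_content()
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    # Pressure to act quickly, the "rushed to respond" tip.
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    # Links that lead off the organisation's own domain.
    for host in re.findall(r"https?://([^\s/]+)", body):
        if host.lower() != org_domain and not host.lower().endswith("." + org_domain):
            findings.append(("external-link", host))
    return findings
```

On the constructed lure the function reports all four indicators; a message from an @siena.edu address whose links stay on siena.edu returns none.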
Although it usually takes about five years to break into the cybersecurity field, Cleary already has a job lined up with Collins Aerospace in Annapolis, MD. She’ll be telecommuting from her family’s home near Syracuse.
“This project played a huge role in Rachel getting her job in cybersecurity,” said Armitage.