Gone phishing: CIT launches internal phishing campaign


Glenn Carstens-Peters

Phishing is a significant cybercrime that targets higher education institutions.

There’s no need to worry if you receive a suspicious email at your Calvin address; chances are, you’re being internally phished. 

Between 2018 and 2019, members of the Calvin community were victims of over 200 cases of phishing. These incidents are part of a wider phenomenon; between 2005 and 2014, 324 higher education institutions were victims of 562 documented data breaches, with phishing accounting for a large portion of them, according to the EDUCAUSE Center for Analysis and Research. 

“Higher ed institutions, if you think about it, have thousands and thousands of people here. If you’re open, meaning that there aren’t a lot of protections in place, then it becomes an easy target [for phishing],” said Adam Vedra, associate CIO and chief information security officer at Calvin Information Technology. 

Calvin’s plan for dealing with the data breach crisis in higher education? Sending phishing emails internally with the aim that students, staff and faculty will recognize and report said emails. 

“The purpose of the simulations is to enhance the university’s security program and improve our cyber security posture in a safe environment, thereby helping you spot real phishing emails in the future,” said Vedra in the email.

Phishing is a cyber attack that attempts to collect personal information by tricking victims into providing personal information on websites that appear to be credible, with cybercriminals impersonating a legitimate person or organization. “It’s done by cybercriminals all across the world,” Vedra told Chimes. “The idea is that they’re trying to either trick you into doing something or tricking you into giving you information that they want.” 

This isn’t the first time CIT has attempted an internal phishing campaign; one was initiated over 10 years ago, but it fizzled out after the department didn’t see the desired results. This time around, CIT hopes that the new tools and technology used to run the campaign will yield the outcomes they’re looking for.

Phishing might take the form of a trusted professional seeking assistance with a task or a well-known website requiring account verification. According to information security analyst John Fleuressaint, regardless of how the email appears, it has the potential to harm one’s “finances, personal information, and even reputation.” 

In fact, phishing emails are rarely as random as they appear. “Phishing can be as serious as the person doing their reconnaissance first — they look for information about whoever they are targeting and then they look for information about whoever they want to appear to be,” said Fleuressaint. 

Phishing also exploits victims’ most susceptible emotions, as cybercriminals use emotions like panic and urgency to entice victims. “There’s always some sort of call to action and they want to raise your level of panic. That seems to be a really consistent element in phishing,” said Vedra. 

The best method to educate a community full of busy schedules and events, according to CIT, is to bring the education about phishing directly to them by offering resources in the one place they check the most: their inbox. “Right at the moment that they fall for the phish that we send, we provide instantaneous feedback … we have supporting material that will be emailed afterwards that says ‘watch this two minute video and learn more’,’” said Vendra. 

CIT hopes that members of the Calvin community will start to pay attention to the finer details in the emails they receive so they can recognize suspicious emails in the future. According to network administrator Mike Krueger, these details can include sender information like email addresses, misspellings and poor punctuation, and use of an unusual tone within the content of an email. 

CIT also hopes that this internal phishing campaign will teach people not just how to be more aware of their email behavior, but how to be more aware of their complete digital footprint.

“What we would hope is that students would just pause and take two or three seconds to consider ‘is this an email I was expecting?’. If it’s unclear, they should find some other way to verify. If you verify, you saved yourself a lot of pain,” said Vedra. Verification, according to Vedra, can include contacting senders directly or checking digital accounts frequently for suspicious activity. 

There’s no need to be concerned if you fall for the internal phishing trap, as CIT will not acquire personal data. Internal phishing emails, according to Vedra, Fleurssaint and Krueger, are a safe approach to get exposed to and educated on the complexity of phishing. “Cybersecurity is everybody’s job … we need everybody’s abilities and awareness about all the threats that are out there to keep rising.” said Vedra.