Staff and students reveal their login details en masse when sent a phishing email, a test run by the IT department has shown. The department sent a fake phishing message to a large number of staff and students.
Photo: Joe Athialy
The email (see below) looked to the recipients as if it had come from the ‘Outlook system administrator’. In bad Dutch, it said that all users had to update their email account within 48 hours, otherwise it would be terminated. A link took the recipient to an external website where they could enter their login details. Incidentally, there was no sign of the Wageningen UR name or logo on the site. What is more, the email was not sent from the WUR domain and the phishing had even been announced on the intranet.
Of the 5000 staff and students who were sent the message, about 1500 clicked the link and 1000 students and staff then actually entered their details. If this had been a real phishing message, cyber criminals could have stolen information from their accounts or used them to send spam from the university network.
The IT department is shocked by the results. ‘We expected perhaps two percent to fall for the trap,’ says IT security manager Raoul Vernède, ‘but the numbers kept on rising.’ He wants to raise awareness among staff and students about the dangers of shady emails. The idea is to hold information meetings to show people how to recognize phishing and explain why it is so dangerous.
Fortunately a lot of WUR people were alert to what was going on. For instance, students put up warnings about the email on Facebook and the IT department got hundreds of concerned emails and phone calls. Some wise guys even realized it was a test: they discovered that the domain the emails came from belonged to the IT department.