Targeted training for targeted phishing

Recent phishing incidents lead to new training requirements for some employees.

Recently, in a single week, four employees gave their passwords out to other people. Two gave up their username and password to a phishing e-mail; two transmitted passwords in clear text due to misconfigured systems, including a smartphone that failed to encrypt the e-mail login.

These mistakes cost time and money. It costs the laboratory an estimated $2,000 in man-hours each time a password gets revealed to phishers and is misused. In many cases, the necessary computing cleanup also forces staff to take time away from their regular work supporting the scientific mission of the laboratory and IT services.

In an effort to reduce the time spent responding to password slip-ups in the near future, we will require additional training for individuals who experience an incident due to a phishing e-mail.

When users give up their passwords to a phishing e-mail, they will receive an automated e-mail message describing the required training, which is targeted at improving their skills at identifying phishing. This training will be offered through the same system used for all laboratory safety and computer training, called ESHTRK. Anyone who did not receive the e-mail can also take this training as a refresher course.

The training is an interactive online course offered by an outside vendor, and it walks the user through a variety of sample phishing e-mails. The training teaches you how to identify various threats. The goal is to make sure that all employees and users have the skills to ensure they NEVER reveal any of their passwords to anyone for any reason, whether it’s in e-mail, on the phone or in person. If you do inadvertently give up your password, notify the Service Desk immediately and tell them what happened so that they can help you reset your password and notify Computer Security.

— Mark Leininger