James King was scanning his email inbox when he spotted an unexpected message that said “David” tagged him in a photo and asked him to click a link to see the picture.
While normally suspicious of vague messages, King had good reason to believe this was real. His manager’s name is David, and his team recently had a socially distanced get together for a colleague’s retirement.
He clicked the link.
A message greeted King, a service desk analyst for Duke Health Technology Solutions (DHTS). He had fallen for the Duke Health Security Office's simulated phishing attack.
“If I had taken another moment, I would have definitely seen that it didn’t come from the right email address or have my manager’s email signature,” King said. “I should have taken a second before clicking on anything.”
The Duke Health Security Office administers a twice-annual phishing campaign to teach staff and faculty how to spot and report an attack, which is when a hacker tries to steal sensitive information such as usernames, passwords, social security numbers and credit card details.
The test automatically goes to all Duke Health employees, as well as Duke University schools, departments and units that opt-in for the simulated exercises in the spring and fall. University managers who would like to enroll their teams in phishing exercises can request to be added by contacting the Duke Health Security Office.
Managers can also contact the Duke Health Security Office to schedule one-time phishing exercises in which IT security officers work with a manager to customize an attack and provide follow-up education on how to avoid email scams.
During a simulated exercise, the security office will mimic a phishing attempt by sending an email asking recipients to click a link. The link takes a recipient to a message informing them of the fake phishing attack.
According to Duke’s IT Security Office, about 90 million emails were sent to Duke email addresses in August of this year. About 60 million of them were spam or phishing attempts and blocked.
Shelly Clark Epps, program lead for the Duke Health Security Office, said signs of scams such as poor grammar and spelling errors can indicate phishing attempts. She said to examine links and the sender’s email address before engaging with any message.
And if a message appears suspicious, don’t click, she said. Instead, report it with the “Report Phish to Duke” button or the home toolbar on Outlook on Windows, Mac and Web.
Duke’s IT security offices continue to see an increase in cyber-attacks related to COVID-19. Attackers try to take advantage of fear and use the guise of COVID-19 news to phish for personal or financial information.
“Phishing is the easiest and fastest way for people to steal information,” Epps said. “We’re in the middle of a pandemic in which many of us are working from home. We’re in the middle of an election. There’s a lot of information coming in, and that’s when phishing attacks strike."
Keith Goeller, director of technology for Duke Credit Union, enrolled his office in a test in August. Goeller said the program provides an opportunity for colleagues to stay vigilant and report attacks.
“Phishing is a top concern for our employees and members,” Goeller said. “The bad guys are getting better at this, so we want to give our community the knowledge to avoid phishing attacks.”
The Duke Health Security Office saw an improvement in how the Duke community responded to the automatic phishing campaigns conducted this year. Click rates on the mock attack dropped from 36 percent in February to 22 percent in August of the roughly 38,000 employees and contractors in the Health System and University who participated.
Also, the percentage of employees who reported the phishing attack doubled from 5 percent in February to 10 percent in August.
Katie Galbraith, president of Duke Regional Hospital, was part of the simulated exercises in February and August. Galbraith failed the phishing exercise in February when employees received a mock Valentine’s e-card. Galbraith thought her mother sent the message.
“I thought I was good at spotting spam,” Galbraith said. “I was sorely mistaken.”
But in August, she reported the suspicious message using the “Report Phish” button after she received an email claiming someone tagged her in a photo.
“It didn’t look real. I took my time to think through before clicking on anything in the message,” Galbraith said. “I’ve learned my lesson.”