Cyber Drills Keep Duke Safe

Managers across the University and Health System can request a simulated attack to train teams to spot hacking

Simulated phishing emails such as these were recently sent to Duke employees' inboxes. Images courtesy of the Duke Information Security Office (ITSO).

In April, Kevin Wood was checking work email when he saw one from a John Wiles about Microsoft contract details. In a previous role at Duke, Wood dealt with contracts, so he clicked on the email attachment.

He immediately had second thoughts. 

Kevin Wood of the Pratt School of Engineering brings a more critical eye to email following a recent phishing exercise. Photo by Stephen Schramm.

“My brain was like ‘Get out of here!’” said Wood, assistant director of facilities for the Pratt School of Engineering.

Sure enough, the attachment told him that the email was part of a phishing drill organized by the Duke Information Security Office.

IT security experts at Duke want users to understand their role in keeping data safe. Experts point to recent ransomware attacks that paralyzed energy and food companies as proof of the dangers hackers pose. 

“Our users are capable of being part of our defensive posture against these threats,” said Duke University Health System Director of Security Program Management Shelly Clark Epps, an organizer of the exercises. “This helps us train our users to be that sensor network that we need.”

On average, Duke gets about 110 million inbound emails each month. Layers of security tools and techniques filter out malicious emails, leaving about 40 million emails reaching inboxes. Safeguards can’t catch everything, so users must stay vigilant. And these simulated phishing exercises help do just that.

Managers across the University and Health System wishing to train team members to spot hacking with a simulated attack can email their request to security@duke.edu. Since starting the campaign in 2019, simulated phishing emails have been sent to users across the Health System and to eight University entities. 

A drill entails the Information Security Office sending several simulated phishing emails and charting how many recipients click on the attachment and how many use the “Report Phish to Duke” button in their Outlook email accounts.

Judging by the results, areas that run drills see major strides in spotting scam emails. For example, when a series of three similar phishing emails was sent to Duke Health Technology Solutions staff, the rate of respondents who engaged with the fake scam email dropped from 20.4 percent to 3.9 percent, and the percentage of respondents who reported the email jumped from 30.4 percent to 63.4 percent.
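The two numbers a drill produces, the click rate and the report rate per wave, are what a security office charts over time. The following scorer is an added example, not Duke ITSO code: it assumes a simulation platform exports a comma-separated event log of `timestamp,wave,user,event` records (a constructed format), and the recipients and events in it are constructed sample data. It counts each recipient once per wave even if they clicked several times, counts a recipient who clicked and then reported in both columns (as the article's figures do), ignores reports from people who were never sent that wave, and skips malformed lines instead of crashing the report.

```python
"""Score a simulated-phishing drill from an event log.

Added example, not Duke ITSO code. The log format is an assumption:
one record per line, 'timestamp,wave,user,event', where event is one of
sent / clicked / reported. The sample data below is constructed.
"""
from collections import defaultdict

EVENTS = ("sent", "clicked", "reported")


def _constructed_log():
    """Build a constructed event log: two waves sent to the same ten recipients."""
    lines = [f"2021-04-05T08:00:00,1,u{i:02d},sent" for i in range(1, 11)]
    lines += [
        "2021-04-05T08:12:00,1,u01,clicked",
        "2021-04-05T08:15:00,1,u02,clicked",
        "2021-04-05T08:16:00,1,u02,clicked",   # duplicate click, counted once
        "2021-04-05T08:20:00,1,u03,clicked",
        "2021-04-05T08:25:00,1,u03,reported",  # clicked, then reported: counts in both
        "2021-04-05T08:30:00,1,u04,reported",
    ]
    lines += [f"2021-05-10T08:00:00,2,u{i:02d},sent" for i in range(1, 11)]
    lines += ["2021-05-10T08:05:00,2,u05,clicked"]
    lines += [f"2021-05-10T08:{10 + k:02d}:00,2,u{u:02d},reported"
              for k, u in enumerate((1, 2, 3, 4, 6, 7))]
    lines += [
        "2021-05-10T09:00:00,2,u99,reported",  # never sent wave 2 (forwarded copy): ignored
        "garbage line",                        # malformed record: skipped
    ]
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_log(text):
    """Yield (wave, user, event) tuples; skip blank, commented or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 4 or parts[3] not in EVENTS:
            continue  # do not let one bad export line abort the whole report
        _ts, wave, user, event = parts
        yield wave, user, event


def drill_metrics(text):
    """Per wave: distinct recipients, clickers, reporters and both rates in percent."""
    sent, clicked, reported = defaultdict(set), defaultdict(set), defaultdict(set)
    buckets = {"sent": sent, "clicked": clicked, "reported": reported}
    for wave, user, event in parse_log(text):
        buckets[event][wave].add(user)  # a set, so repeat clicks count once
    out = {}
    for wave in sorted(sent):
        n = len(sent[wave])
        c = len(clicked[wave] & sent[wave])    # only people actually sent the lure
        r = len(reported[wave] & sent[wave])
        out[wave] = {
            "sent": n, "clicked": c, "reported": r,
            "click_rate": round(100 * c / n, 1),
            "report_rate": round(100 * r / n, 1),
        }
    return out


def trend(metrics):
    """Change in click and report rate from the first wave to the last."""
    waves = sorted(metrics)
    first, last = metrics[waves[0]], metrics[waves[-1]]
    return {
        "click_rate_change": round(last["click_rate"] - first["click_rate"], 1),
        "report_rate_change": round(last["report_rate"] - first["report_rate"], 1),
    }


if __name__ == "__main__":
    m = drill_metrics(SAMPLE_LOG)
    for wave, row in m.items():
        print(f"wave {wave}: {row}")
    print(trend(m))
```

The report rate is the more useful of the two to watch: a falling click rate can mean the lure was simply less convincing, while a rising report rate shows the "sensor network" of users the article describes is actually forming.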

After the Pratt School of Engineering requested a drill this year, the school’s Director of Community Engagement and Community Events, Quiana Tyson, quickly caught the fake email, noticing misspelled words, a vague subject line and a suspect attachment.

“All of it made me think, ‘This doesn’t look right,’” Tyson said.

After Wood clicked on the fraudulent email, he walked to the office of Pratt’s Director of IT and Facilities Jim Daigle, who helped arrange the exercise.

“I told him, ‘You all got me pretty good,’” Wood said. “I will definitely pay closer attention from now on.” 
