Gone Phishing: Did you take IT’s bait?

In late February, the Emerson Information Technology Department, with the Faculty Tech Committee, sent out more than 1,900 phishing emails to faculty, staff, and temporary workers. They weren’t hoping to get sensitive information. They were hoping not to.

IT had recently given a campus-wide security training and wanted to know if Emerson employees had absorbed it. Roughly 200 employees knew a phishing scam when they saw it and reported it to IT, according to the department’s information system security administrator, Dennis Levine. For their efforts, they were entered into a random drawing, and 10 of them were rewarded with Ben & Jerry’s gift certificates.

That’s the good news.

The bad news is that 78 people did not recognize the phishing expedition and gave up information to “a potential bad guy,” said Levine.

“When we hand a bad guy our credentials, we not only risk the college’s data, but any other account—banking, PayPal, social media, etc.—for which we may have used that password, as well as any Emerson service that uses ECnet credentials (e.g., eCommon, Box, Canvas),” he said.  

Any time an email asks for personal information and looks suspicious, employees should check in with IT before doing anything, Levine said. Signs that an email might be phishy include bad grammar, lack of formatting, vagueness, or threats to lock you out of your account or other bad outcomes if you don’t take action.

The 10 employees who are probably enjoying a Phish Food cone at this very moment are: Haley Bresnahan (Graduate Admission); Barry Brodsky (Professional Studies); Jack Casey (WERS); David Emblidge, Eric Marshall, and Pamela Painter (Writing, Literature and Publishing); April Jones (Finance); Magda Romanska (Performing Arts); David Weinstein (Ploughshares); and Brenda Wrigley (Marketing Communication).