The phishing email was designed to look like Human Resources was sharing a file from Office 365.
The results revealed that around 1 in 8 colleagues clicked on the link within the email and entered their details. This means 823 accounts could have been compromised had the email been a real phishing attack against the University.
These 823 staff members were then invited to undertake a short online training course about phishing and information security; however, only 12% took part. It is important that all staff members at the University understand how to keep their account secure and recognise the signs of a phishing email.
You might read this and think, “But my account doesn’t have any important information stored, so surely I wouldn’t be targeted?”.
That may be true, but your work account can gain access to a whole host of things at the University. An attacker who takes control of your account can easily trick your colleagues, who would have no reason to suspect a message that appears to come from you. It’s about more than yourself; it’s about protecting our research, our work, our reputation, our data, and most importantly, our staff and students.
What is phishing?
Phishing is the term applied to email scams that attempt to obtain sensitive information such as usernames, passwords, personal information, bank account details and credit card numbers. They may try to pose as an official at your workplace, your bank, or your social media account.
The risk of a compromised account
Most attacks at an organisation start with just one compromised account, and phishing is one of the most common ways this happens.
Multiple universities within the UK have had their systems attacked by ransomware in the last eighteen months. Institutions such as the University of Sunderland and Newcastle University both experienced significant disruption to their operations following such attacks, which took weeks to fix and also had financial implications. More recent attacks targeting US universities reveal a new trend: phishing emails that include topical content, such as important Covid-19 information, that follow the similar theme of appearing to come from Office 365, or that ask a student to click on a link to find out details about their upcoming exams.
How to avoid falling victim to a phishing attack
There are a number of measures you can take to protect your work account. Multi-factor authentication – an additional layer of security involving another device – has been implemented at the University, and it makes it harder for someone to use stolen credentials to conduct an attack on the University. Installing and using the Virtual Private Network (VPN) while working can also keep our data more secure.
This doesn’t provide 100% protection though. Criminals are finding smarter ways than ever before to target organisations and their workforce.
Keep your user credentials secure and safe, do not share your credentials with anyone, and ensure you have a strong password. You can find more security tips on the IT Security webpages.
If you have the slightest suspicion that an email doesn’t look or read right, take a moment to pause. If the request seems unusual – even if it’s supposedly from a senior manager – you still don’t need to rush a response or click on a link.
You will be contacted soon with some feedback on your interaction with the phishing exercise. A link to the phishing training will be included as part of this communication; please ensure you put some time aside to work through the training materials and complete the short quiz.