Self-Phishing
What is Phishing?
Phishing is the sending of messages which attempt to trick you into divulging confidential information, such as passwords, account numbers or personal details about yourself. These messages may vary in tone and content, but they typically have three defining features:
- A request for confidential information that the organization being impersonated would never ask for in an email. KU IT, for example, will never ask you for your password. Your bank will never ask you for your account number.
- A call to action. The email will ask you to respond to the sender, click a link, open an attachment or even call a phone number.
- An attempt to create a sense of urgency. The email will try to scare you. For example, the sender may threaten that if you don’t respond, you will lose access to your account or be penalized in some way.
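The three features above can be turned into a simple triage heuristic. The following is an added example, not part of the original page or of KU IT's tooling: it scans a message for wording that matches each feature (a request for a secret, a call to action, and urgency language) and reports which ones fired. The sample messages and the keyword patterns are constructed for illustration; a real mail filter would use many more signals, and this is meant to show how the three features map onto checkable indicators, not to replace one.

```python
import re

# Constructed sample messages for illustration (not real mail). Each is (subject, body).
SAMPLE_MESSAGES = {
    "phish": (
        "URGENT: Your account will be suspended",
        "Your mailbox has exceeded its quota. You must verify your password "
        "within 24 hours or your account will be deactivated. Click here: "
        "http://example.invalid/verify",
    ),
    "benign": (
        "Meeting notes from Tuesday",
        "Hi all, attached are the notes from our Tuesday sync. Let me know "
        "if I missed anything.",
    ),
}

# One regular expression per defining feature from the page. The word lists are
# assumptions chosen for this example, not an authoritative phishing vocabulary.
INDICATORS = {
    # 1. A request for confidential information a legitimate sender would not ask for.
    "asks_for_secret": re.compile(
        r"\b(password|passcode|account number|social security|ssn|credit card)\b",
        re.IGNORECASE,
    ),
    # 2. A call to action: reply, click, open, call, log in, verify.
    "call_to_action": re.compile(
        r"\b(click (here|the link)|open the attachment|call (us|this number)"
        r"|log ?in|verify|confirm|reply)\b",
        re.IGNORECASE,
    ),
    # 3. Urgency or a threat of loss.
    "urgency": re.compile(
        r"\b(urgent|immediately|within \d+ (hours?|days?)|suspended|deactivated"
        r"|locked|penalt\w*|final notice)\b",
        re.IGNORECASE,
    ),
}


def score_message(subject, body):
    """Return (hits, count): which features matched and how many of the three."""
    text = f"{subject}\n{body}"
    hits = {name: bool(pattern.search(text)) for name, pattern in INDICATORS.items()}
    return hits, sum(hits.values())


def triage(subject, body):
    """Classify a message: all three features present -> 'likely phishing',
    two -> 'suspicious', otherwise 'no indicators'. Thresholds are assumptions."""
    _, count = score_message(subject, body)
    if count == 3:
        return "likely phishing"
    if count == 2:
        return "suspicious"
    return "no indicators"


if __name__ == "__main__":
    for label, (subject, body) in SAMPLE_MESSAGES.items():
        hits, count = score_message(subject, body)
        fired = ", ".join(name for name, hit in hits.items() if hit) or "none"
        print(f"{label:7s} -> {triage(subject, body)} ({count}/3: {fired})")
```

The verdict is deliberately coarse: a match on all three features is a strong hint that a message deserves a second look (or a report to the security office), while a single match on its own is common in legitimate mail and should not be treated as proof of anything.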
What is Self-phishing?
The Information Technology Security Office (ITSO) sends out a message to campus that imitates the kinds of phishing messages that frequently target KU faculty and staff. These self-phish messages contain a link that, if clicked, takes the recipient to a fake login page. That page is hosted on the KU network. If someone logs into the page, it displays a message about the self-phishing exercise.
Why Does KU Do Self-Phishing?
According to IBM Security Intelligence, one in five recipients of a phishing message will fall for it and hand over sensitive information, such as usernames, passwords and account numbers. This is an area in which KU wants to be well below average. Knowing which phishing lures KU users fall for will help us better target our security awareness training efforts.
Through our phishing exercises we have learned that if phishing recipients click the link in an email, it is highly likely they will give up their credentials (i.e., user ID and password). In past self-phishing exercises, up to 77 percent of KU people who clicked the link in our self-phishing emails submitted their KU Online ID and password to our fake website. In a real phishing attempt, more than 700 sets of credentials could have been stolen in those cases.
Our self-phishing exercises continue to show that we must improve the security awareness and response of KU faculty and staff.
If I Fall for the Self-phishing Message, Will I Get in Trouble?
No. These exercises are meant to help KU IT assess and improve security awareness within the KU community, and are not meant to penalize people who did not spot the phishing attempt.