Employee cybersecurity training programs and phishing tests are usually a good thing for cyber preparedness, but one university went way too far and wound up causing a panic.
Last week, students and staff at the University of California Santa Cruz (UCSC) received an email with the subject line “Emergency Notification: Ebola Virus Case on Campus” that warned them that a staff member who had recently traveled to Africa had tested positive for the Ebola virus.
The email came from a non-university email address and directed users to an information site that one recipient said on Reddit was a Proofpoint phishing training site.
The university apologized for the misguided phishing test, but not before causing panic and outrage among some UCSC community members. The university deserves credit for educating students and staff about cyber risks, but phishing tests should be designed with a strategic organizational goal in mind, like protecting data and credentials.
UCSC Ebola Phishing Email Breaks the Mold
Phishing tests at most organizations tend to be aimed at training employees not to divulge sensitive information or click on harmful links or attachments that could trigger a malware attack or credential theft, so such tests typically take the form of, say, an urgent fake message from the CEO directing the recipient to an external link or document. If the employee stops to think, they’ll recognize the phishing attempt and report it to IT. If they click, they’ll politely be informed that they failed the test.
Hoo boy did the UCSC email break the mold.
UCSC assistant sociology professor Alicia Riley sent an email to the university’s security team criticizing the choice of a false Ebola claim for a phishing test, the Santa Cruz Lookout reported.
“As a population health scientist who studies infectious disease mortality and teaches about Ebola, I find it irresponsible and in poor taste to use this topic for a simulated phishing attack email that went out to the university community on a Sunday morning, no less,” Riley wrote.
UCSC CISO Brian Hall apologized in an email to the university community the day after the test.
“The email content was not real and inappropriate as it caused unnecessary panic, potentially undermining trust in public health messaging,” Hall wrote. “We sincerely apologize for this oversight.”
He added that the use of Ebola in the phishing test “inadvertently perpetuated harmful information about South Africa.”
UCSC Phishing Test Served No Useful Purpose
A phishing test should teach recipients about the value of information and the importance of inspecting links, addresses and other context before clicking or acting.
While a sense of urgency is key, panicking recipients with fears of a highly fatal disease that hasn’t been seen in the U.S. in a decade doesn’t serve any useful purpose.
