Self-Phishing Campaign
Don't take the bait.
What is Phishing?
Phishing is an attempt to steal your personal information, usually via a fraudulent email message or phone call. The people who do this pose as representatives of trusted, well-known organizations and ask for information that will allow them to impersonate their victims.
Why conduct a self-phishing campaign?
Prevention offers the first line of defense against cyberattacks. Helping you better protect yourself from phishing helps you and Penn State.
How did the self-phishing campaign work?
During the week of February 6, Penn State conducted its first-ever self-phishing campaign. All full-time faculty and staff received an email appearing to come from “EmployeeCulture@psu.net” with the subject line, “Mandatory Culture Survey.” The email looked like this:
What Should I Have Recognized in the Self-Phishing Message?
Know the Lingo
- Penn State doesn’t refer to your Webaccess ID as “PSU user name.”
- Penn State would not require you to take a culture survey to “qualify for a yearly general salary increase.”
Check the Sender
- Penn State does not have an “Office of Employee Culture.”
- The email contains no follow-up or contact information.
- The message appears to come from “Employeeculture@psu.net.” Official Penn State emails typically come from psu.edu addresses.
The Write Stuff
- The message style and “tone” do not match what typically comes through official Penn State channels.
- Penn State will NEVER ask you for your full social security number, Webaccess password, or other sensitive information via email.
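The indicators above (a sender domain that resembles the real one but is not it, terminology the real sender never uses, a request for a password or Social Security number, and no contact information) can also be checked mechanically at the mail gateway. The following is an added example, not part of the original page or of Penn State's own tooling: it scores a raw message against those indicators. The trusted-domain set, the phrase lists and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains the organization actually sends from (assumed for this example).
TRUSTED_DOMAINS = {"psu.edu"}

# Indicators drawn from the page: requests for sensitive data and
# terminology the real sender would not use.
SENSITIVE_REQUESTS = ("password", "social security", "ssn")
WRONG_LINGO = ("psu user name",)

# Constructed sample resembling the campaign message described on the page.
SAMPLE_PHISH = """\
From: Office of Employee Culture <EmployeeCulture@psu.net>
Subject: Mandatory Culture Survey

Complete this survey with your PSU user name and password to qualify
for a yearly general salary increase.
"""

# Constructed sample of a message that follows the page's advice.
SAMPLE_LEGIT = """\
From: Jane Doe <jdoe@psu.edu>
Subject: Training reminder

Hover over the 'Resources' menu and select 'Awareness, Education and Training'.
Questions? Call 814-555-0100 or reply to this address.
"""


def is_lookalike(domain, trusted):
    """True if the domain shares its first label with a trusted domain but
    is not that domain, e.g. psu.net next to psu.edu."""
    label = domain.split(".")[0]
    return any(label == t.split(".")[0] and domain != t for t in trusted)


def phishing_indicators(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings; an empty list means no
    indicator fired. Each finding maps to one bullet on the page."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload().lower()
    findings = []

    # Check the Sender: official mail comes from the trusted domain(s).
    if domain not in trusted:
        if is_lookalike(domain, trusted):
            findings.append(f"lookalike sender domain: {domain}")
        else:
            findings.append(f"external sender domain: {domain}")

    # Sensitive information is never requested via email.
    for phrase in SENSITIVE_REQUESTS:
        if phrase in body:
            findings.append(f"asks for sensitive data: '{phrase}'")
            break

    # Know the Lingo: terminology the real sender does not use.
    for phrase in WRONG_LINGO:
        if phrase in body:
            findings.append(f"unfamiliar terminology: '{phrase}'")

    # Offer Contact Information: a phone number or address to verify with.
    has_phone = re.search(r"\b\d{3}-\d{3}-\d{4}\b", body)
    has_email = re.search(r"[\w.+-]+@[\w-]+\.[\w.-]+", body)
    if not has_phone and not has_email:
        findings.append("no follow-up contact information in body")

    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample) or "no indicators")
```

Run as a script it prints the findings for both constructed samples. The lookalike check deliberately compares only the first label, because the campaign message differed from real Penn State mail only in the top-level domain; a production filter would compare against the full list of domains the organization is authorized to send from.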
What if I clicked on the self-phishing message?
People who clicked on the self-phishing message were re-directed to a fake Webaccess page, which looked like this:
What should I have recognized from the fake Webaccess page?
Image is Everything
- The Penn State logo used on this page was from Penn State athletics, not the official “shield” logo.
- The “WebAccess” background was a photo of the Creamery, not the current correct photo of the University.
- The login page did not show the typical Privacy and Legal Statements.
- The copyright statement was absent.
- The Nondiscrimination Policy link was missing.
- The password prompts (“I forgot my password”/“Change my Penn State Account password”) were missing.
Okay, I fell for the phish. How do I protect myself in the future?
- Trust your instincts. If an email seems suspicious, call the sender or email them directly.
- If you click on the link “just to check” to see if it’s authentic, it may already be too late. Even clicking on a malicious link can infect your system with malware or other malicious code.
Spell it Out.
- Sometimes (but definitely not always!), phishing attacks contain grammatical errors or spelling mistakes.
- Notice how the message is structured. Does it make sense? Does it use the same writing style or information that the real sender typically does?
How can I make sure my emails aren’t mistaken for phishing attempts?
Check it Twice!
- Little details matter: run a spell-check and grammar check prior to sending email.
- Instead of sending direct links, consider offering easy-to-follow navigation instructions within email. For example, “Hover over the ‘Resources’ menu and select ‘Awareness, Education and Training’ to learn more about phishing.”
Consider the Source
- When conducting Penn State business, use your Penn State email address. Emails coming from an external source (such as gmail or Yahoo! mail) may seem more suspicious.
Offer Contact Information
Offer follow-up contact information, including your direct email address and phone number, for users to contact if they have questions.