The Past, Present, and Future of Stanford’s Phishing Awareness Program
Have you ever wondered if an email you just received is a phishing scam? Have you wondered what to do?
Tad Perillo, senior information security officer with Stanford University IT, leads the Phishing Awareness Program. He recently took time to share with us how the program prepares our Stanford community to recognize and report phishing emails.
Dive into the past
When did the Phishing Awareness Program start and what was the goal?
Our Information Security Office (ISO) started the Phishing Awareness Program in 2016. The goal has always been to help our Stanford community protect themselves and the university by learning to recognize malicious emails. We do this through phishing simulation emails, awareness communications, and training opportunities.
How have phishing simulation emails evolved since the program started?
When the program was initiated, we partnered with Cofense PhishMe for sending out phishing awareness emails. This enabled us to observe trends and enhance our community's awareness. Recently, we transitioned to the Proofpoint Security Awareness Training (PSAT) platform for sending simulation emails. PSAT offers numerous advantages, including better integration with our email protection systems.
For email recipients, the transition to the PSAT platform would not result in any significant changes in the appearance or content of the emails. However, we did make an update to the Phish Reporter button when we switched to PSAT, ensuring a smoother user experience and improved functionality.
Paddle up to the present
What kinds of communications and training does the program include?
Why does the program use email simulations?
While email simulations are only a part of the program’s overall effort, we have found that it is an effective way to provide realistic training and offer continuous reinforcement. Over recent years, the average click rate on the program emails has moved from 20% to closer to 4%, which indicates increased vigilance throughout our audience.
What should I do if I get an email that I think is part of this program?
You should always report suspicious emails. We prefer if you use the Report Phishing button, but you can also forward the suspicious emails to firstname.lastname@example.org. Reporting helps protect the Stanford community in the case of a real attack, and it helps us know how well our community can recognize a phish in the case of an email simulation.
What should I do if I click a link in a phishing simulation? Will my peers or manager find out?
Our program is completely confidential. The only person with access to results is me, and I do not reveal individual results to anyone, not even to our Chief Information Security Officer. I do sometimes provide aggregate information about the program’s results, only for the purpose of improving our efforts and outcomes.
If you click on a link, you might be provided with relevant learning content. Be sure to review the recommended learning, to better recognize a phish next time.
Reel in the future
What is the future of this program?
Right now, we send out simulation emails to Stanford University faculty and staff (not including employees at SLAC and the hospitals). In the future, we will be looking to expand to students.
Since the program launched, our click rates have decreased significantly, which is a great indicator of increased awareness. However, as new tactics emerge, we will continue to adapt and engage with our Stanford community.
How can we learn to stay safe from phishing scams?
I always keep in mind that no one is invulnerable to scams. My most important learning is not to react, but always to take time to reflect on the email/SMS/phone call before responding. I look out for strong emotions such as fear, greed, desire to please, and a sense of urgency. When in doubt, I don’t respond.
And, of course, we always recommend reviewing the information, training, and resources available at phishing.stanford.edu.