Most Pitt employees don’t fall for fake phishing test

By MARTY LEVINE

For a year, ending last Thanksgiving, Pitt’s staff and faculty have been receiving fake phishing emails as part of a University effort to see just how many people would be enticed to click on the links or provide personal information when they shouldn’t.

Had these emails been part of a real phishing attack, the links might have invited malware to enter Pitt’s computer network or gathered employees’ Social Security numbers or log-in credentials as a way to hack into University data.

The latest fake phishing email, sent to 12,851 people here, drew an encouraging response, said Chief Information Officer Jinx Walton — or, more to the point, an encouraging nonresponse. More than half the recipients (7,872, or 61.3 percent) did not even open the suspect and unwanted email, while another quarter (2,980, 23.2 percent) opened it but did not click on any of its links. Nearly 750 people (5.7 percent) reported this email to Computing Services and Systems Development (CSSD).

While 852 people (6.6 percent) clicked on the email’s link without submitting any of the personal data it requested, another 405 (3.2 percent) not only clicked there but gave the phishers the data they requested.

Walton — who recently announced her retirement, effective in February — is nonetheless encouraged by the campaign’s results. She reports that, when the fake phishing emails were first sent, 33 percent of people clicked on a link within them.

These fake phishing emails have been an educational effort as well, she said, since the real phishing emailers continue to drop bait in our waters. In November 2018 alone — what Walton termed a typical month — Pitt’s security systems blocked 13.5 million spam messages and 9,645 malware programs from reaching the email inboxes of Pitt’s staff, faculty and students. And some still got through: Last year, Pitt employees reported 1,349 potential phishing emails to phish@pitt.edu (only 20 percent proved to be phishing scams; the rest were plain old spam).

Since June 2018, according to CSSD, real phishing attacks have pretended to possess your stolen password and hold your data at ransom. They have tempted you to make an online purchase or bank transfer, renew an expired library account, or click on notices about your paycheck.

Two years ago, Walton said, 22 Pitt employees provided information to a phishing email that would have allowed the direct deposit of their paycheck to be diverted to a scammer.

“We caught it in time,” she said, “but the people who are sending these phishing scams are getting more sophisticated.”

Penn State recently ran a phishing test that got way too many people to respond, she reported, with a simple, “We caught you going through a red light” message, supposedly from campus police.

“Not only is there more activity in compromising accounts through phishing scams (worldwide),” she said, “I believe we’re becoming desensitized to it. People still need to be concerned about clicking on websites.” And, she added, “you should never provide any personal information via email.”

Spearphishers — those who specialize in targeting individuals instead of sending mass mailings — track changes in Pitt’s website and, when Pitt has made any visible changes, send their own fake notices: As you know, we are changing our sign-in. Send your new credentials here.

While Walton and her colleagues are loath to describe specific security methods in detail — “You invite hackers,” Walton believes — she said the University has multiple layers of security and does not rely on any one system to do the job.

Although University researchers have not been a particular object of hacker attacks, Joel Garmon, Pitt’s chief information security officer, said being a large research university makes Pitt a tempting target. He noted that CSSD has three people dedicated to making certain Pitt researchers have adequate security for their data.

Actions everyone can take

Garmon said the University will roll out a more direct anti-phishing education program in the first quarter of this year to let staff and faculty know how to identify and deal with phishing emails.

In the meantime, Garmon said, he hopes Pitt employees will take a few steps to keep potential hackers in line.

  1. Windows users should take a look at their computer’s Resource Monitor (Mac users have a similar utility, Activity Monitor), which shows how much of your machine’s CPU and memory you are using at the moment. By comparing a baseline reading to the activity while on various websites, you may see unusually high usage as a sign of a potential hack in progress and can quickly close the suspicious website or restart your computer altogether, he said. “If I could get everybody to do that, I’d be happy,” he said.
  2. Keep computers patched by downloading those pesky updates, both at work and at home.
  3. Run a malware protection program.

“One of the big vectors on how people get in is through mobile devices,” Garmon said. “The bad guys love hacking your phone.”

If a newly installed app or game is asking for permission to access a bunch of data or connect with a large number of data points, such as your location, “you don’t need to get that — it’s definitely doing bad things,” he said.

For the immediate future, Pitt is moving to a new firewall system, “providing significantly more features and functionality than we had with the older one,” Garmon said. Asked for more specific information, Garmon replied: “I’m a security guy — I don’t like talking about details. But we’re going to give people better access to their data because new firewalls are in place.”

“Many times people look at us as a roadblock,” he said. “In their short-term view, they just want to get things done. For our point of view, we want to stay off the front page of the Wall Street Journal.”

Marty Levine is a writer for the University Times. Reach him at martyl@pitt.edu or 412-758-4859.