Throughout my career as both a student and an IT Manager I have noticed a significant problem in both the world of cybersecurity
and at the University of South Carolina: phishing. My GLD pathway of Research in cybersecurity has led me to investigate
this issue further and propose a solution to reduce its effectiveness.
While working as an IT Manager at the College of Engineering and Computing, I have learned about the importance of cybersecurity.
I came to understand that one of the greatest threats to organizations, everyday people, and even our own student body and faculty is phishing.
Phishing is a type of cybersecurity attack that uses social engineering, usually through email, to trick the recipient into handing over credentials,
financial information, or other valuable data. This may seem like an insignificant loss for a large corporation; only one person is exposed,
right? Yet a single successful phishing email can compromise an entire organization, because one stolen set of credentials is often all an attacker needs to get inside. Take the Nordea Bank incident,
for example. The Swedish bank lost 7 million kronor (almost $1 million USD when adjusted for inflation) after a successful phishing attempt captured customers'
login credentials. See bottom of page for source.
A phishing email usually has key features that lead the victim to reasonably believe that it is a valid email. Attackers register sender
addresses and link domains that look very similar to the real ones: bestbuy.co and bestbuy.com are not the same domain, and email@example.com and firstname.lastname@example.org are not the same address, even though each pair is easy to confuse at a glance.
This same technique was used against the CEC just a few months ago. [Fig. 1]
Emails that include the names of people you recognize are easy to fall for.
If the sender says they are from your IT department, they must be, right? Just a few months ago an
email was sent to all CEC users in which the attacker claimed to be a specific employee from the help desk. [Fig. 2]
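Both lures above, a sender domain one character away from the real one (Fig. 1) and a display name borrowed from a known staff member (Fig. 2), can be checked mechanically before the message reaches a reader. The Python below is an added example written for this page, not code from the author, the CEC or the University; the trusted domains, staff names, and sample headers are hypothetical and constructed for the demonstration, and the "registrable domain" helper simply keeps the last two labels rather than consulting a public-suffix list.

```python
"""Heuristic checks for lookalike sender domains, impersonated display names,
and links whose visible text names a different host than their target.
Added example; trusted domains and staff names below are hypothetical."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allowlist of the organization's own mail domains (tuple keeps
# iteration order deterministic) and display names attackers like to borrow.
TRUSTED_DOMAINS = ("sc.edu", "cec.sc.edu")
KNOWN_STAFF = ("help desk", "jane doe")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; 1 or 2 between domains is a red flag."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels of a host (www.sc.edu -> sc.edu). Simplification: no
    public-suffix list, so co.uk-style domains would be handled wrongly."""
    return ".".join(domain.lower().split(".")[-2:])


def is_trusted(domain: str) -> bool:
    """Exact match or subdomain of an allowlisted domain."""
    d = domain.lower()
    return any(d == t or d.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if it is simply external."""
    d = domain.lower()
    for t in TRUSTED_DOMAINS:
        if levenshtein(d, t) <= 2:      # bestbuy.co vs bestbuy.com, cec-sc.edu vs cec.sc.edu
            return t
        if d.startswith(t + "."):       # sc.edu.example.net: trusted name as a leading label
            return t
    return None


def assess_sender(from_header: str) -> list[str]:
    """Findings for one From: header value; an empty list means nothing suspicious."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable-sender"]
    domain = addr.rsplit("@", 1)[1].lower()
    findings = []
    if not is_trusted(domain):
        hit = lookalike_of(domain)
        findings.append(f"lookalike-domain:{domain}~{hit}" if hit else f"external-domain:{domain}")
        # A known staff name on an untrusted address is the Fig. 2 pattern.
        norm = re.sub(r"[._-]+", " ", name.lower())
        if any(s in norm for s in KNOWN_STAFF):
            findings.append("display-name-impersonation")
    # An address-looking display name that disagrees with the real address.
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if m and m.group(1).lower() != domain:
        findings.append(f"display-name-address-mismatch:{m.group(1).lower()}")
    return findings


def assess_link(anchor_text: str, href: str) -> list[str]:
    """Flag a link whose visible text looks like a URL for one host but points at another."""
    text = anchor_text.strip()
    if not re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
        return []                       # "Click here" carries no host claim to compare
    shown = urlparse(text if "://" in text else "https://" + text).hostname
    real = urlparse(href).hostname
    if shown and real and registrable(shown) != registrable(real):
        return [f"link-host-mismatch:{shown}->{real}"]
    return []


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for hdr in ("IT Help Desk <helpdesk@cec-sc.edu>",
                "Jane Doe <jane.doe@cec.sc.edu>",
                '"jane.doe@cec.sc.edu" <attacker@mail.example.org>'):
        print(hdr, "->", assess_sender(hdr))
    print(assess_link("bestbuy.com", "https://bestbuy.co/login"))
```

The edit-distance threshold cuts both ways: a legitimate neighbouring domain that happens to be one or two edits from an allowlisted one is flagged exactly like an attacker's, so in practice the allowlist has to be maintained and a finding should raise a banner or a report prompt for the reader rather than silently drop mail.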
Using information relevant to the victim's work is another clever tactic, as seen in the example below [Fig. 3].
The university is always obtaining grants and funds, so a professor would find it entirely plausible to receive
a document with a title like "2022-2023 Grants and Funds Management Docs".
So how do we prevent this sort of attack? No solution is one hundred percent effective,
but I feel that I have a solid mitigation strategy. In my key insight, IT Management,
I explained the importance of keeping the business's goals in view. The last thing a company needs is a breach of its data or, even worse,
a complete loss of it. I believe that investing in regular phishing-awareness training for employees would be a solid return on investment when you consider
the consequences of a successful phishing attack.
The effectiveness of this plan would be measured by tracking the phishing reports submitted by employees and analyzing the statistics each year.
The biannual trainings could then be adjusted or fine-tuned toward the phishing techniques currently trending. The security team at DoIT could
also hold meetings dedicated to current phishing trends in the news.
As I have covered throughout my key insights, information security is a crucial component of a successful organization. The goal of this
implementation is to put that concept into practice and protect the University from those with malicious intent. This is one of the main
purposes of my GLD Pathway in Research. I plan to continue researching and observing security trends such as these throughout my academic and professional career.