Cameron McDuffie

Phishing Prevention

Throughout my career as both a student and an IT Manager I have noticed a significant problem in both the world of cybersecurity and at the University of South Carolina: phishing. My GLD pathway of Research in cybersecurity has led me to investigate this issue further and propose a solution to reduce its effectiveness.

While working as an IT Manager at the College of Engineering and Computing, I have learned about the importance of cybersecurity. I came to understand that one of the greatest threats to organizations, everyday people, and even our own student body and faculty is phishing. Phishing is a type of cybersecurity attack that uses social engineering through email. The goal of phishing is to gain credentials, financial information, and/or valuable data. This may seem like an insignificant loss for a large corporation: only one person is exposed, right? Yet one simple phishing attempt can single-handedly bring down an entire organization in a matter of seconds. Take the Nordea Bank incident, for example. The Swedish bank lost 7 million kronor (almost $1 million USD when adjusted for inflation) after a successful phishing attempt snagged login credentials. See the bottom of the page for the source.

A phishing email usually has key features that lead the victim to reasonably believe that it is a valid email. Attackers can alter sender addresses and links so that they closely resemble the real ones: bestbuy.co and bestbuy.com, or no-reply@havard.edu and no-reply@harvard.edu, are not the same. This same technique was used against the CEC just a few months ago. [Fig. 1]
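The look-alike addresses above can be caught mechanically before a person ever has to judge them. The following is an added example written for this page, not code from the original or from any university system: it extracts the sender domain from a From header, treats a short edit distance to a trusted domain as a look-alike, and separately flags a display name that claims a trusted organization while the actual address belongs elsewhere. The trusted-domain list and the sample headers are constructed for illustration; a real deployment would list the organization's own domains.

```python
import re
from email.utils import parseaddr

# Constructed list of domains the organization treats as legitimate senders
# (assumption for this example; a real list would hold your own domains).
TRUSTED_DOMAINS = ("harvard.edu", "bestbuy.com")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(header_value: str):
    """Return (display_name, domain) parsed from a From header value."""
    name, addr = parseaddr(header_value)
    if "@" not in addr:
        return name, None
    return name, addr.rsplit("@", 1)[1].lower()


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Classify a From header as trusted, lookalike, display-name spoof, external, or malformed."""
    name, domain = sender_domain(header_value)
    if domain is None:
        return "malformed"
    # Exact match or a subdomain of a trusted domain (e.g. mail.bestbuy.com) is legitimate.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"
    # A domain within a couple of edits of a trusted one is a look-alike (havard.edu, bestbuy.co).
    for t in trusted:
        if levenshtein(domain, t) <= max_distance:
            return f"lookalike of {t}"
    # The display name names a trusted organization but the address is elsewhere.
    for t in trusted:
        org = t.split(".")[0]
        if re.search(rf"\b{re.escape(org)}\b", name.lower()):
            return f"display name claims {t}"
    return "external"


def triage(headers):
    """Return only the headers that deserve a closer look, with their verdicts."""
    return {h: v for h in headers if (v := classify_sender(h)) not in ("trusted", "external")}


if __name__ == "__main__":
    # Constructed sample From headers in the style of the examples in the text.
    samples = [
        "no-reply@harvard.edu",
        "no-reply@havard.edu",
        "Best Buy Deals <deals@bestbuy.co>",
        "Harvard Help Desk <support@example.net>",
        "alice@example.org",
    ]
    for header, verdict in triage(samples).items():
        print(f"{verdict:35} {header}")
```

The distance threshold of 2 is a tuning knob: too high and unrelated short domains start colliding, too low and a two-character swap slips through. In practice this check sits alongside, not instead of, SPF/DKIM/DMARC results and the user reporting described later on this page.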

Emails that include the names of people you may recognize are easy to fall for. If they say they're your IT department they must be, right? Just a few months ago an email was sent to all CEC users claiming to be from a specific employee at the help desk. [Fig. 2]

Using relevant information or needs is a clever tactic, as seen in the example below [Fig. 3]. The university is always obtaining grants and funds, and a professor could plausibly receive a document with a title like “2022-2023 Grants and Funds Management Docs”.

Figure 1. An example phishing attempt appears to be the service desk, claiming that your account settings are out of date.
Figure 2. An example phish attempt from last Fall claiming to be a specific employee (name redacted for security purposes)
Figure 3. An example phish attempt from last Fall claiming to be a specific employee (name redacted for security purposes)

So how do we prevent this sort of attack? No solution is one-hundred percent effective, but I feel that I have a solid mitigation strategy. In my key insight, IT Management, I explained the importance of the business's goal. The last thing a company needs is a breach of its data or, even worse, a complete loss. I believe that investing in the cost of training employees would be a solid return on investment when you consider the consequences of a successful phishing attack.

Specific Implementation:

The effectiveness of this plan would be measured by tracking the phishing reports submitted by employees and analyzing the statistics each year. The bi-annual trainings could be adjusted or fine-tuned toward trending phishing attempts. The security team at DoIT could hold meetings dedicated to current phishing trends in the news.

As I have covered throughout my key insights, information security is a crucial component of successful organizations. The goal of this implementation is to put that concept into practice and protect the University from those with malicious intent. This is one of the main purposes of my GLD Pathway in Research. I plan to continue researching and observing security trends such as these throughout my academic and professional career.

Sources: Nordea Bank Incident