UO sees improvement in avoiding phishing scams

When it comes to avoiding phishing emails, the University of Oregon's cybersecurity experts say: Keep up the good work, Ducks!

The Information Security Office has observed positive trends over the course of its simulated email phishing educational campaigns, which launched for employees during the 2021-22 academic year and for students the following year.

A key measure of UO's detection skill is whether people try to click links or download attachments in an imitation phishing message after viewing it.

During the baseline assessment in early 2022, 40 percent of the simulated phishing emails that employees opened were also clicked. By spring 2024, that number was down to 19 percent for the same cohort of users.

"I want to commend everyone for building these skills," said José Domínguez, chief information security officer. "We're on the right track, and now we need to keep it up. We can't let down our guard."

A phishing scam attempts to trick you into sharing sensitive information with a cybercriminal, who can then steal money, identities or intellectual property, or gain unauthorized access to UO systems and data.

Cybercriminals often target universities at the start of terms and during breaks, when people's routines are disrupted. The fall surge of phishing emails typically starts in August, when semester schools start, as the UO saw in 2023 and past years.

Simulated phishing emails help people learn to steer clear of such scams. The simulations mimic real phishing attacks that ask for passwords or entice the reader to click a link. However, unlike in real phishing scams, clicking on one of UO's simulated phishing emails will simply lead the recipient to an explanatory webpage.

The Information Security Office plans to conduct at least two such campaigns per year.

"Every campaign is different, so we can't quite compare apples to apples here," Domínguez said. "However, the significant drop in clicks in the last two years does suggest fewer people will become victims when they encounter real phishing attacks."

Phishing — whether by email, phone call, text or chat message — continues to pose significant risks to cybersecurity.

Although the university stops or subverts about 98.2 percent of the malicious emails that enter its systems, Domínguez urged everyone to remain vigilant.

"We are asking for your help with the 1.8 percent of messages that are not immediately detected," he said.

Trainings available

To hone your skills, take a 15-minute phishing awareness training.

UO employees, including graduate employees and student employees, can also take the 20-minute UO Cybersecurity Basics training to learn more about protecting accounts and devices.

How to protect yourself

When in doubt about a message, UO community members can:

The Information Security Office offers the following tips for staying safe from phishing messages:

  • Beware of tantalizing offers. If it seems too good to be true, it probably is.
  • Don't click links in suspicious messages.
  • Don't share confidential information, yours or the university's.
  • Beware of attachments. To avoid malicious software, or malware, delete any message with an attachment unless you're expecting it and are absolutely certain it's legitimate.
  • Be wary of suspicious emails from UO accounts. Cybercriminals often distribute phishing messages from accounts they've compromised.
  • Confirm identities. Cybercriminals often impersonate schools, financial institutions, health authorities, retailers and a range of other service providers by using official-looking logos and similar email addresses and URLs.

In addition:

  • Deny unexpected Duo requests. If you receive a Duo verification request when you're not logging into a Duo-protected UO service, tap "I'm not logging in" in the Duo Mobile app or press 9 on a Duo phone call. Then confirm the login was suspicious to alert UO staff.
  • Keep your computer and other devices up to date. Those software and system updates often fix security gaps.

Information Services offers more tips to help determine if a suspicious email is malicious. The Federal Trade Commission offers additional tips.

If you've responded to phishing

Anyone who has responded to a suspicious email should immediately contact phishing@uoregon.edu and then consider the following next steps, depending on the situation:

  • Entered Duck ID and password on a fake website? Go to Duck ID Account Management, change your password and revise security questions and answers.
  • Entered UO ID number, also known as a 95 number, and corresponding password, or PAC, on a fake DuckWeb site? Go to DuckWeb, change the PAC and verify that no important information has been changed.
  • Believe you're the victim of an online crime, such as identity theft? Report it to the UO Police Department at 541-346-2919 or online, no matter how minor it may seem. Identity theft happens when someone steals your personal information, such as your Social Security number, and uses it to obtain credit cards or loans or commit another form of fraud in your name.

To protect phishing victims, the Information Security Office will temporarily disable the account of anyone who has clicked a malicious link and potentially entered their credentials. To restore account access, users should contact the Technology Service Desk by phone at 541-346-4357 or by live chat.

—By Nancy Novitski, University Communications