To educate students on the threat of phishing emails, Ohio State’s IT Risk management office started a campaign Jan. 31 that sent fake, university-produced phishing emails to see how many students fell for the emails. Credit: Jack Westerheide | Photo Editor

No one likes getting duped. Feeling like a fool is almost as bad as having your identity stolen.

Ohio State figures it is better to have a few students get duped by its educational, faux phishing emails than to have their information stolen by actual hackers.

In an effort to educate students on the threat phishing emails pose, the IT Risk management office started a campaign Jan. 31 that sent fake, university-produced phishing emails from phony, sometimes humorous, email addresses to see how many students fell for the emails.

Phishing emails are a strategy used by hackers who send emails from what appears to be a trusted entity, such as Ohio State, in an attempt to gather sensitive information from the recipient.

The sensitive information can range from usernames and passwords to Social Security numbers and bank information — all of which Ohio State possesses for tens of thousands of students and staff.

For the individual student, your identity is so critical. It’s really the loss of identity is what’s driving us to educate our students. It’s privacy, it’s identity, it’s who you are. Once the attacker has that information, they can use that against you. —Gary Clark, Ohio State’s information risk management director

Ohio State might have more information on individuals associated with the university than virtually any other entity — even banks.

“For the individual student, your identity is so critical,” said Gary Clark, Ohio State’s information risk management director. “It’s really the loss of identity is what’s driving us to educate our students. It’s privacy, it’s identity, it’s who you are. Once the attacker has that information, they can use that against you.”

Becky Mayse, a security analyst lead in the IT risk management office, said phishing emails are the No.1 cause of data breaches, adding that the widespread Target data breach that released sensitive bank information of thousands of customers in 2013 was caused by phishing emails.

Of the thousands of emails sent to all students that contained unverified links meant to trick recipients, almost 19 percent were clicked on, Mayse said, a significant rate that shows firsthand the threat phishing emails pose to the Ohio State community.

Neither Mayse nor Clark said how many students clicked on the emails, noting the 19 percent does not account for students who might have clicked on links from more than one email.

But with almost 60,000 undergraduate students on the Columbus campus alone, it’s safe to say more than 10,000 of them fell for a phishing email sent by the university.

When the link was clicked, it led email users to an informational screen set up by IT Risk management that highlighted the risks of phony emails and ways to spot them.

Subject lines ranging from student-employee information updates to changes in financial aid coverage can fool even vigilant students.

Mayse said the goal of the emails is to educate students, not trick them. She said it shows them the risks associated with clicking on untrustworthy links from unverified senders.

“We actually frequently see phishing emails coming into our environment being reported that are far more sophisticated as an attack than what we send,” Mayse said. “Our phishing emails are relatively easy to spot and are designed to help the user identify how to spot these emails.”

Clark was unable to say how many students have had their identities stolen from phishing emails, but did say the emails his office sends are designed to emulate those sent by hackers that have been successful in stealing someone’s identity.

Ohio State has a reporting center for students who think they might have received phishing emails. Possible threats can be sent to [email protected].