Every time you connect to the internet, cybercriminals could be targeting you. One of their favorite methods is email phishing. So, the Division of Technology and Security used this fact as a learning opportunity for campus.

Phishing is a form of cybercrime that involves using emails to trick people into following a link, opening an attachment or replying to the email. Doing so allows a virus to enter your computer, and replying could disclose personal information to the wrong person.

Other South Dakota Board of Regents schools send out a fake phishing email about once a year, but this was the first time SDSU participated in the test. On Jan. 2 SDSU’s Division of Technology and Security sent out the fake email.

“The phishing email sent from campus asked employees to update their information as it relates to the W-2,” said Ryan Knutson, the Assistant Vice President of technology.

The email informed faculty and staff that have to click on a link in order to successfully complete their W2 form. Although the email looked real, there was one spelling error that should have alarmed the recipients.

When the majority of the recipients interacted with the email, SDSU decided it was time to up its cybersecurity game and educate its staff about the dangers of phishing and how to avoid getting hooked.

“If someone was ‘phished’ we used that as a teaching opportunity,” said communications network analyst Mavhu Chidaushe.

A second email was sent to those who failed the test. This follow-up email contained information about phishing emails and how to detect them. Spelling and grammar errors in the body of the text, links or attached documents, and urgent “calls to action” are key indicators of phishing emails.

The phishing email was sent to students a few days later from a fake student account, Ashley Mielke, saying that OneDrive documents were shared. If students clicked on the link, they were taken to a fake OneDrive portal that had a sign-in box.

However, cybercriminals are constantly getting sneakier and better at their jobs. They replicate email format and include information about current events involved with that university or company to convince you that the email is real. Nonetheless, minor differences can still be distinguished upon close inspection with proper training.

Some recipients were able to dodge a bullet as word of the test email spread quickly around campus. Junior political science and communication studies double major Allyson Monson said, “My roommate just noted that a fake email was going around. I told them about an email I received and they told me that was the fake one.”

Like Monson and her roommates, SDSU is working with the other South Dakota Board of Regents schools to improve cybersecurity by notifying each other when a phishing email is detected.

“The end goal is to collectively help each other identify these types of emails,” Chidaushe said. “If we don’t educate our faculty and staff, someone will send a phishing email for real.”

Another step being taken to improve cybersecurity at SDSU is switching to a two-factor authentication system. The typical username-and-password is one factor. A second factor, usually a code sent to only the user’s device or a security question only the user would know, adds a second layer of security.

According to Knutson, “The two-factor authentication software is in the final steps of purchasing and at that point, we will start the process of figuring out how it will be implemented here. We will be in full two-factor authentication by no later than Fall 2019 however it could be sooner than that.”