Security teams rely on email phishing tests to educate their organization's end users. But can these simulated attacks be a little too realistic for their own good?
This scenario played out last week at Oregon Health & Science University (OHSU) when the IT department sent an email to employees offering up to $7,500 in financial assistance.
Portland TV station KGW reported:
The email read, in part: "In response to the current community hardship caused by the COVID-19 pandemic, Oregon Health & Science University has decided to assist all employees in getting through these difficult times."
It turned out to be a fake phishing test, organized by OHSU to test its employees' cybersecurity awareness and its own technology systems.
The attempt to educate employees about phishing threats caused frustration, with some saying it was harsh or "tone deaf."
The email, sent from a "firstname.lastname@example.org" email address with a link to "register" for COVID-related benefits, was based on a real phishing attempt that was reported to OHSU leaders in March.
Last month, OHSU sent a message to employees warning about suspicious emails and online scams. Then this week, the university decided to test its own — sending out the fake phishing email with the exact same wording as the previous scam, offering potential money for employees in need.
In a statement, OHSU said its focus was too narrow and the university didn't fully consider the harm it could cause: