University criticised for using Ebola outbreak lure in phishing test

A phishing exercise conducted by the IT department of the University of California Santa Cruz (UCSC) has backfired, after causing unnecessary panic amongst students and staff.

On the morning of Sunday August 18 2024, an email was sent out by the University's IT team in what its Student Health Center described as an attempt to "remind the campus community about best cybersecurity practices and help prevent future phishing attempts".

However, the email did not describe how staff and students could better protect their online accounts by, say, adopting strong and unique passwords or enabling multi-factor authentication.

Instead, it falsely claimed that a staff member had tested positive with the Ebola virus, after returning from a trip to South Africa.

The email, which had the subject line "Emergency Notification: Ebola Virus Case on Campus," read as follows:

Within the email, individuals were advised that if they had been in close contact with the (unnamed) affected staff member it was "imperative" they take immediate action, and click on a link to a webpage where more information - it claimed - had been posted.

Of course, the email's claim that Ebola virus has been detected on campus was false, and anyone clicking on the link in the email was in reality at risk of handing over their login credentials to cybercriminals.

Although in this case the email wasn't a phishing campaign perpetrated by online crooks, but instead a "phishing test" orchestrated by UCSC's IT department based upon a real phishing email it had spotted a few weeks before.

Brian Hall, UCSC's chief information security officer, apologised for the incident, acknowledging that phishing simulation email was "not true and inappropriate" and that it potentially undermined trust in public health alerts.

Phishing simulation tests like this are intended to help people recognise and avoid real phishing attempts. But, Hall said that he realised "the topic chosen for this simulation caused concern and inadvertently perpetuated harmful information about South Africa."

The truth is that scammers can use very dirty tricks to fool unsuspecting users into clicking on dangerous links, and have no qualms about using underhand techniques to socially engineer their victims into handing over their sensitive credentials.

So it's understandable that some IT departments might feel very tempted to replicate these techniques when running a campaign to test how well users' are protecting themselves from falling for phishing attacks.

UCSC's IT department has, like other organisations before it, learnt the hard way that not every attempt to raise security awareness will be well received.