Students in Intro to Cybersecurity got a hands-on look at how easy it is to exploit technology—and the people who use it—when they were assigned the task of creating and sending mock phishing emails to faculty and staff.
It’s not every day that students get to trick faculty and administrators for class credit.
Yet that’s what happened in an Intro to Cybersecurity course taught by Kees Leune, Ph.D., assistant professor of computer science and mathematics and chief information security officer at Adelphi.
For an experiential learning Phish a Prof project, Dr. Leune challenged his 25 students to create a phishing email that could fool faculty and administrators into opening it or clicking a link.
Phishing emails are scams sent by cybercriminals trying to obtain personal information; organizations across the world have been targeted by them countless times. Every month, Adelphi’s office of information technology sends mock phishing emails, provided by a vendor, to faculty and administrators to train them on how to properly recognize and report such attacks. The emails are supposed to be deleted and reported to the IT Help Desk.
By inviting students to create these emails, Dr. Leune was able to give them a firsthand look at just how vulnerable systems are to cybercrime.
“The big lesson was to realize how easy it is for someone to come up with a message that looks real, but isn’t,” he says, “and how easy it is to not just exploit the technology, but to exploit the people using the technology.”
Students presented their email templates in class and voted for their favorite.
One student created a fake subpoena and criminal court brief, telling faculty members they’d been charged with a felony and that they must respond with certain information.
“They did it completely in the style of a court document so you’d recognize it as such,” Dr. Leune adds. “The students were very creative.”
The winning email was sent to Adelphi faculty and administrators that weekend.
The results showed that professors were not immune to cybercrime. Many opened the email and clicked on links because they did not recognize it as a phishing message. In fact, Dr. Leune says, the student template was more effective than the templates the vendor provides the IT Department.
Two students from the course expanded on this exercise for their senior projects. They’re each creating an automated system that can build follow-up emails based on how someone receives the first phishing email.
“So if a person keeps on recognizing something as a phishing message, those messages will become more and more advanced over time,” Dr. Leune says. “And, likewise, if someone keeps on failing to recognize a phishing message, the system will make them easier until they become able to recognize them.”
Dr. Leune also conducted the Phish a Prof experiment with first-year students in his Computer Science Orientation Seminar. They created phishing emails, too, with the winning template sent to Adelphi administrators and faculty.
It even tricked this article’s editor.
“The email appeared to come from Adelphi’s Help Desk,” the embarrassed editor explains. “It seemed a little suspicious, but I checked the sender’s email address before clicking on the link. The problem was that I didn’t notice the extra ‘i’ in ‘@adelphii.edu.’”
This was a prime example of an effective phishing email.
“The goal was to help people at Adelphi recognize these fake emails by putting these markers in there,” Dr. Leune says. “The whole point was, can I make the emails good enough but not perfect?”
Leune looks forward to administering this project in future classes and sharing his experiential learning opportunity with more computer science students.