How not to conduct cyber awareness training: UCSC slammed for ‘tone deaf’ Ebola phishing tests

The University of California Santa Cruz (UCSC) has come under fire after it conducted phishing training using a fake Ebola virus track and trace alert.

Security experts have criticized the test after it caused panic on campus, forcing senior leaders at the university to come out and publicly acknowledge its error of judgment.

On 18 August 2024, UCSC’s IT department sent out a test email intended to teach students, faculty members, and other operation staff about the dangers of phishing attacks .

The email warned that a member of UCSC’s staff, who had recently returned from a trip to South Africa, had contracted the Ebola virus. The message claimed to be part of the organization’s contact tracing system , looking to identify and inform those who may have been in close contact with the affected staff member.

It also contained links to a fake webpage purported to have been set up to support individuals affected by the ‘outbreak’, including the necessary steps to take if they were exposed.

The message was allegedly based on a real phishing email caught by the IT department some weeks earlier, according to the webpage dedicated to providing an up-to-date list of the latest phishing attacks targeting community members.

Chaos ensued with many people taking to social media in an effort to confirm if the warning was legitimate or not.

The confusion prompted Brian Hall, CISO at USCS, to make a public statement acknowledging the messages were not authentic and were part of the organization’s security training initiatives .

He noted the content of the messages was “inappropriate” for training purposes and apologized for any confusion sparked by the emails.

Cyber awareness training is not about “us vs them”

Javvad Malik, lead security awareness advocate at KnowBe4 , outlined where USCS’s IT department went wrong, stating that trying to perfectly mimic real social engineering campaigns misses the point of these training exercises.

“Simulated phishing is not about catching people out like a cat playing with a mouse. It's about reinforcing the training they've received. The goal is to create a learning experience, not a panic attack,” he explained.

“When it comes to choosing topics for these simulations, it's crucial to avoid the ones that are going to make enemies. Yes, it's true that bad actors will use controversial topics, but if we teach people how to spot the telltale signs of social engineering , they won't need to rely on organizations using such tactics themselves.

Malik said while designing training exercises using previously observed attacks is not necessarily a bad idea, they need to be part of a more holistic approach to be effective.

An overview of 2023's threat landscape

“That's not to say that such templates are always bad. But before sending them out, the groundwork should be laid and relationships built between the security team and the organization . Let them know why these types of simulated phishing emails are going out and the purpose of them,” he advised.

“And when someone does the right thing, they should be publicly praised.”

Malik concluded that IT staff conducting cyber awareness training need to be conscious of the fact that exercises like this need to be constructive, in order to encourage individuals to engage with their organization’s security culture, rather than shy away from their responsibilities.

“At the end of the day it's about empathy, the security team running these simulations should put themselves in the recipient's shoes. Will they feel like they've learned something valuable, or will they feel like they've been set up for a fall? If it's the latter, it's time to go back to the drawing board,” he argued.

“Organizations should focus on creating a positive, engaging learning experience that brings people together to build a stronger security culture in the fight against cyber threats.”