Anti-phishing Message Feb 2018 Follow-up
Phishing is a common criminal scam to try to take over and monetize accounts and systems at our University. Along with many other Universities, Pepperdine ISO sends "live-fire" training messages from time to time to teach and reinforce phishing resistance skills. Research at CMU in the early 2000s has shown this type of training is the most effective in reducing susceptibility to these dangerous criminal scams.
On February 28, 2018, the Pepperdine Information Security Office sent out an anti-phishing training message. This message was modeled on a theme used by actual cybercriminals and used a fake CAS login landing page, as we have seen many times in real criminal campaigns. A randomly selected group of 1000 colleagues received the fake phishing message, and 21.7 percent of them submitted data to the fake CAS page. Everyone who submitted data has been invited to take a new anti-phishing training class to learn more about how to spot and handle these scams.
The purpose of this web page is to explain the campaign and verify the email message that was sent out inviting the respondents to the class. If after reading the FAQ below you have questions, please call us at x4040.
Q. Is this invitation to the class another training message?
A. No, it is not. The address of the anti-phishing class is https://pepperdine.learnupon.com/ - go to that address and use the link at "Click here to login using your Pepperdine ID" to proceed to the course. Learnupon is Pepperdine HR's contracted online teaching service.
Q. Why should I take this training?
A. To find out more about the criminal scams that are dangerous to those who live and work in a 21st Century environment.
Q. Am I in trouble?
A. No. This is training and we are an educational institution. Your name or email is not revealed to any supervisor or executive. Only the Information Security Office knows who was trained and how they interacted.
Q. Is this training mandatory?
A. No. You don't have to take the class and you can opt out of further training messages. IT has been told NOT to do mandatory Information Security training. If you don't want to receive further training emails, we ask that you stow the request "please remove me from the anti-phishing training messages" by replying to the email inviting you to the class. We will remove you from the training group and from further anti-phishing training emails.
Q. I have some comments/questions about the class. Where can I stow those?
A. Feedback is most welcome. Simply reply to your email inviting you to the class.
Q. Why are you sending these alarming messages? Aren't they a waste of time and energy?
A. While recognizing that this training alarms a few of our correspondents, we must emphasize that these same types of messages come from real cybercriminals from time to time, and Pepperdine colleagues have a history of being susceptible to giving away their passwords or downloading a malicious file. This type of training has been demonstrated to be effective in reducing risk and is widely used in corporate workplaces and across Higher Education.