Simulated Phishing at Biola
May 13, 2019
As a part of our Information Security Program, Information Technology sends simulated phishing emails to all Biola employees.
What is simulated phishing?
Simulated phishing is when an organization sends fake phishing emails to employees for the sake of training personnel to identify phishing attacks.
At Biola, we use a simulated phishing tool called KnowBe4.
As a reminder, phishing emails are usually used by attackers to steal usernames and passwords. With KnowBe4, we don't steal your credentials. We don't even see them.
But we do monitor how likely people are to click on illegitimate links, and we measure the effectiveness of different types of phishing campaigns.
If you fall for it and click on a link in a simulated phishing email, you'll be redirected to a landing page that explains the various red flags that should have tipped you off. Here's an example:
Why are we using simulated phishing at Biola?
KnowBe4’s simulated phishing system accomplishes 3 things:
- It provides immediate training feedback when users click on something they shouldn’t in a simulated phishing email.
- It gathers statistical data that tells us what kind of training we need to provide for our employees.
- It equips our employees to recognize and thwart real phishing attacks.
Simulated phishing serves as a practical tool for training employees to remain alert to cyber threats.
Phishing continues to be the top information security threat facing businesses and educational institutions. Personally Identifiable Information (PII), money, and Biola’s reputation are all at risk when a user falls for a phishing attack.
The Phishing Alert Button
Along with simulated phishing, we've installed a Phish Alert Button (PAB) in Biola email accounts.
This button only appears for Chrome users. You must log in and sync Chrome with your Biola Google account to access the PAB.
For Chrome users, the button appears in the toolbar at the top of email messages.
When you suspect that a message might be a phishing attempt, you can click the button to alert IT.
What It Looks Like
The first time you sync Chrome with your Biola Google account, you will see a pop-up in Gmail from KnowBe4. This popup is a standard Google Apps permissions request:
Press Allow to activate the Phish Alert Button.
After allowing the PAB app, you will see the PAB as an orange fish hook within Gmail.
What happens when I click the PAB?
When you click the Phish Alert Button, you will see a prompt asking for confirmation:
When you click Report, the PAB will provide immediate feedback on whether or not the email was a simulated phishing message sent by Biola's Information Security team.
Note: The PAB will not tell you whether an email is safe or malicious, only whether or not it is simulated phishing.
If the email is a simulated phishing message, you will see a prompt congratulating you:
If the message is not simulated phishing, you will see a message thanking you for your report:
Then, Gmail will move the message into your Trash, and automatically forward the email message to the KnowBe4 system and Biola's InfoSec team.
If it turns out that the email was legitimate, you can recover the message from your trash for up to 30 days.