University of Denver
As cyberattacks grow among colleges and universities, institutional leaders are reimagining how they educate students and other campus community members on how to protect themselves online. Some have created cybersecurity festivals and art installations.
University of Denver officials thought outside the box and created unique incentives for students to engage in phishing training—involving dogs, event tickets and online quizzes.
What’s the need: Campus IT has the difficult job of protecting the university against cyberattacks and, despite best efforts to improve the security posture, there can still be vulnerabilities.
“We constantly improve our tools; we constantly deploy new tools,” says Marcelo Lew, director of cybersecurity operations at the University of Denver. “But even with the best tools in the world, it turns out that, really, awareness is one of the best tools that you can use.”
While students are often digital natives, they’re not always literate in cybersecurity or can be too trusting of the digital world, which means they can fall victim to cyberattacks, Lew explains.
A November 2022 Student Voice survey from Inside Higher Ed and College Pulse found more than half of students have reported receiving a phishing scam to their college email address and around a third have received an announcement about a cybersecurity incident or data breach at their college.
Denver IT has implemented phishing campaigns several times over the years, but they often took place as emails, which can fall into the same attention gaps as the phishing emails themselves.
“Students have a lot competing for their attention and their time, and that is another reason why they fall victim to these email attempts, because they are short on time,” explains Shira Good, co–interim vice chancellor for marketing and communications.
To better meet students where they are, DU created an in-person campaign that could provide fast and easy tools to help prevent phishing.
How it works: IT staff first approached the marketing and communications team about a phishing campaign in November 2022, and Catch a Phish launched in January and ran through March.
Communications staff sorted through their own spam emails to create material and designed a postcard to distribute with relevant information on how to identify a sketchy message.
DU identified nine aspects of an email students should evaluate to gauge if it’s trustworthy: logo quality, sender email address, generic greeting or lack thereof, a request for personal information, misleading URL hyperlinks, buttons with hyperlinks to unfamiliar webpages, spelling or grammar mistakes, unsolicited attachments, or a false sense of urgency in the message.
To engage students on campus, DU recruited help from a local rescue shelter, Colorado Saint Bernard Rescue, and dressed up dogs to be “phish” on campus. The marketing and communications team purchased fish costume hats for humans and had a seamstress alter them to fit dogs, resulting in a whole lot of cuteness.
Students who stopped to pet the dog-phish learned more about cybersecurity and had the opportunity to take a quiz and enter for a chance to win prizes, including Starbucks gift cards, university swag and two tickets to a fish-themed DU hockey game.
“We had a huge adoption rate in terms of people who took the quizzes, entered in for prizes, went and enjoyed the prizes,” Good says. The most popular prizes were tickets to events.
The impact: Through the campaign, university leaders learned the importance of making phishing relevant and engaging to the campus community to get buy-in. “Unless that’s your passion area, this is a very easy thing to ignore … to say, ‘This doesn’t really affect me,’” Good says. “And I think, hopefully, through this campaign, we help people see that actually, it is a big deal.”
DU leaders sent fake phishing emails to students prior to and after the campaign to compare the click rates. The first email had an click rate of 45 percent but after, only 5 percent of students clicked the emails.
The university-sent emails showed that, while students learned to identify and ignore phishing emails, they still have room to grow in reporting emails to the IT department. After the campaign, there was only a 2 percent growth in students who reported the phishing emails, so next year’s messaging will focus on the reporting process, Good says.
Even the dogs benefited from Catch a Phish; at last count four of the participating pups were adopted from the shelter.
In the future, DU is considering adding an orientation course around cybersecurity for incoming first-year students and hopes that the Department of Education’s push toward cybersecurity education in the K-12 space will promote a new generation skilled against phishing.
Get more content like this directly to your inbox every weekday morning. Subscribe here.