Every day about 10,000 scam emails hit the Dartmouth system. Most of these “phishing” attempts are caught by security filters and tagged as spam. But a fraction squeeze by and wind up lurking in inboxes, hoping to steal whatever they’re after—often money, credit card or bank account information, and intellectual property. An online tournament created by Information, Technology, and Consulting and students from the DALI Lab aims to help users identify these slippery phish, and have fun in the process.
GoPhish runs from March 29 through April 15, and employees and students alike can compete for dozens of prizes, including a MacBook Air, Samsung Galaxy Chromebook, and gift cards. Registration will stay open through the end of the contest.
The most recent collaboration between ITC and DALI, the tournament represents an important step in helping community members take their understanding of online security to the next level, says Mitchel Davis, vice president of ITC and chief information officer. “Thanks to the staff and students’ hard work and creativity, participants will be better equipped to protect themselves from potentially damaging phishing attacks.”
Sam Cavallaro, director of Student and Academic Systems, says the tournament is timely.
Last month, a number of security publications reported that phishing is now the most common form of cyberattack, says Cavallaro, whose team worked with the DALI students on the project. “It’s a huge problem.”
To gauge the need for education about phishing, which is also done through texts and phone calls, the DALI team surveyed Dartmouth students, faculty, and staff; 80% of the respondents said they had encountered or fallen prey to phishing attempts. That data helped shape the upcoming tournament, which started out as a training idea and was later transformed into a contest, at Davis’ suggestion.
The tournament includes quizzes and fake phishing emails sent by the IT Security team that highlight the tactics cybercriminals use to lure in victims. It also urges community members to forward suspicious emails to ITC at firstname.lastname@example.org.
If it’s an attack, multiple people across the college may be getting the same email, says Catherine Porter, an academic applications developer who worked on the project. In that case, security staff can use filters to block it.
Emma Kallman ’22, the project manager, says that when it comes to identifying phish, phrasing can be a tipoff.
She’s received messages complimenting her for having good grades and inviting her to work on a certain project, says Kallman, who is taking a gap year and plans to study engineering when she returns to Dartmouth this fall. But then they’re “also full of really weird grammar.”
Tim Tregubov, DALI director and co-founder, says students often receive phishing emails claiming to be from a professor. The message says they’re in a meeting and asks the student to buy them a gift card, Tregubov says. “People fall for it.”
While phishing attempts often succeed by exploiting someone’s instinct to be helpful, or offering something they want, such as a job, time—or the lack of it—is also a factor.
“People are doing a lot of multitasking, and they’re reading a lot of emails. A lot of times it’s just human nature to react before you think,” says Cavallaro. He and his colleagues hope the contest will help safeguard the community by putting “a little check valve” in participants’ minds, so that scanning emails for scams becomes second nature.
So far, so good. By March 22, at least 696 people had signed up.
In addition to ITC and DALI, sponsors include the Dartmouth Computer Store, the Office of Information Technology at Tuck, the Office of Student Affairs, the Tuck Center for Digital Strategies, and Ramunto’s Brick and Brew Pizza in Hanover.
Aimee Minbiole can be reached at email@example.com.