Stanford Should Phish its Employees and Students

Nov. 18, 2013, 2:36 a.m.

Who remembers Stanford’s most recent attempt at training all of us to be more conscious about Internet security? Yeah, me neither. All I remember is that they made me watch some videos, but I don’t remember liking it and I have no idea at this point what I learned. I also haven’t heard of a single person who is happy with the new two-step authentication system, despite Stanford’s promises that it will make us all safer.

As much as I think the University’s recent attempts to force us to be more security aware have been misguided, it’s important that we all recognize the threat that Stanford is trying to prepare us for: cyber crime.

Cyber crime has been a huge problem in the last decade, and by now I’m sure all of us are starting to become desensitized to the news that big companies like Adobe are being hacked and are losing private information about their consumers, which I’m sure even includes some of us here at Stanford. Don’t become desensitized. All of us can do our part to stop this trend.

The fact is that 91 percent of all targeted attacks involve a specific kind of social engineering called “spear phishing,” which is just a more targeted, believable form of phishing. That means that yes, believe it or not, the vast majority of hacking attempts on large companies or organizations like Stanford start with a single, believable phishing attempt and even just a few people compromising their own computers or accidentally giving up their credentials.

If you’re a computer science major like me, you know what I’m talking about — the CS Department at Stanford has been the target of several spear phishing attempts in just the last few months. I’ll even admit to almost clicking on a few of them.

Stanford could have the most foolproof security systems in the world, but, at the end of the day, the weakest links are people like you and me. A thief doesn’t climb in through the window on the 50th story of a building if he can find somebody to leave the front door unlocked.

I’m here to offer an alternative to what Stanford is doing now — one that’s been shown to work by at least one Fortune 500 company: Let’s spend more time phishing ourselves. Much like fire drills give us a vague idea of what to do if somebody burns their popcorn in the microwave at 2 a.m. the day before an exam (*sigh*), if Stanford sent us regular emails that were intended to trick us and train us to properly identify elaborate phishing attacks, we would become more prepared and less gullible.

The beauty of it, though, is that those of us who are already pretty good at differentiating between the elaborate scams and the real deal (it’s getting harder and harder these days) don’t have to be targeted for additional training. At the same time, those of us who do fall for a “phishing drill,” particularly if the attempt is put together really well, will be much more receptive to learning how we can make sure we aren’t deceived in the future.

When this same training scheme was used at an anonymous Fortune 500 company in an experiment by Wombat Security Technologies, the first time a fake phishing email was sent out, 34 percent of employees fell for it. After training those who fell for the scam, less than 6 percent of employees fell for the phishing email the next time. That’s an 84-percent improvement. I’m no math major, but that is a big deal.

Even if all we’re doing is reminding people that these threats exist and we should all stay vigilant, phishing ourselves will make people less likely to fall for elaborate traps. Maybe this makes us all a little bit safer the next time an attack targets us personally instead of Stanford. And maybe, just maybe, this can make the University a safer place for everyone without intruding too much on each of our personal lives. Just food for thought.

Daniel Chiu, Class of 2015, is a B.S./M.S. candidate in computer science and can be contacted at [email protected]

The Daily is committed to publishing a diversity of op-eds and letters to the editor. We’d love to hear your thoughts. Email letters to the editor to eic ‘at’ stanforddaily.com and op-ed submissions to opinions ‘at’ stanforddaily.com.

Login or create an account