As we hear all too often in the news, cybercriminals are targeting both individuals and organizations to steal information that can lead to the loss of valuable information as well as inflict reputational damage. We all are at risk, not just at work, but in our personal lives as well. To help prevent issues and raise awareness, we occasionally conduct simulated phishing campaigns within the CUIMC community.

Phishing is the most common social engineering attack.  Usually, phishing emails try to trick you into giving up your password or running a malicious attachment. This attack has proven to be very effective against users across the Internet, and CUIMC is no exception. The CUIMC Information Security Office has responded to numerous attacks, some of which have resulted in departments temporarily or permanently losing access to data. 

Across the organization we have seen many variations of phishing emails, which often include:

• Links to sites that are made to resemble our official Columbia websites
• Malicious email attachments often disguised as invoices or other important documents
• Email addresses made to resemble those of trusted and high-ranking members of the University

We are constantly working to reduce the attack surface within our organization. However, reducing the success rate of phishing campaigns requires the community - our community - to work together in order to identify and disrupt them before they gain traction.

How a simulated campaign works:

Simulated phishing emails are sent to mimic real-world scenarios, using our logos and names to trick users into believing the emails are legitimate. Clicking on a link within the simulated phishing email redirects the end-user to a brief training module.

Our specific goals are:

1. To help you identify and avoid phishing attacks
2. To make sure you understand the risk this threat poses to you and CUIMC as a whole

These are tests and there is no harm done in the process. Some simulations include entering a password; if you did so please use myPassword to change to a new password for your MC/CUIMC email account: https://mypassword.cumc.columbia.edu. Simulations do not store or transmit passwords entered, but we strongly recommend using and being familiar with myPassword.

As a reminder:

• Be vigilant, especially with messages marked as External
• Don’t open documents/spreadsheets from sources you don’t recognize
• Don’t click strange links, even from trusted sources
• Never respond to an email requesting your credentials, or enter your credentials if prompted by a link to an unrecognized portal
• Report spam, phishing, or suspicious emails to spam-abuse@cumc.columbia.edu

Information Security Links

Don't Get Hooked - Recognize and Avoid Phishing Attacks
Recent Phishing Examples at CUIMC
Columbia - Latest Phishing Email Alerts (Note that links for Columbia spam filtering and email support may not apply to CUIMC)