In a statement, OHSU said it made a ‘mistake’ by using the same language from a real phishing threat to test its employees’ susceptibility to cybersecurity threats.
PORTLAND, Ore. — For some employees at Oregon Health & Science University, an email sent by the university on April 12 offering up to $7,500 in financial assistance may have seemed like a lifeline.
The email read, in part: “In response to the current community hardship caused by the COVID-19 pandemic, Oregon Health & Science University has decided to assist all employees in getting through these difficult times.”
It turned out to be a fake phishing test, organized by OHSU to test its employees’ cybersecurity awareness and its own technology systems.
The attempt to educate employees about phishing threats caused frustration, with some saying it was harsh or “tone deaf.”
The email, sent from a “firstname.lastname@example.org” email address with a link to “register” for COVID-related benefits, was based on a real phishing attempt that was reported to OHSU leaders in March.
Last month, OHSU sent a message to employees warning about suspicious emails and online scams. Then this week, the university decided to test its own — sending out the fake phishing email with the exact same wording as the previous scam, offering potential money for employees in need.
In a statement, OHSU said its focus was too narrow and the university didn’t fully consider the harm it could cause:
“First and foremost, we want to sincerely apologize to the OHSU community. This week, as part of OHSU’s regular exercises to help members practice spotting suspicious e-mails, the language in the test e-mail was taken verbatim from an actual phishing e-mail to ensure no one else fell for the scam. That was a mistake. The real scam was insensitive and exploitive of OHSU members — and the attempt to educate members felt the same way, causing confusion and concern.”
University spokesperson Sara Hottman said email scams are the largest threat to OHSU technology systems and so “this phishing exercise was focused on the effectiveness of the real scam.”
Hottman added that OHSU will “learn from this event and implement preventative measures to keep a similar incident from happening in the future.”
Original Source link