UTA students are used to finding email scams in their inboxes, but not ones sent by the UT System.
Last week faculty and staff, including student employees, began noticing phishing simulation emails in their UTA inboxes. The emails were part of a phishing exercise the UT System conducted in all its universities to measure individual user responses to phishing attacks.
In all, the UT System sent these emails to about 8,000 email addresses at UTA.
According to previous reporting by The Shorthorn, UTA’s security systems detected 26,208 phishing messages during one week in 2019, with 1,039 of those reported by users.
Lee Pierce, OIT continuous improvement director, said the exercise was designed to see what users would do when they receive phishing attempts. The UT System sent the emails out over a period of two days, from about April 19 to April 21, he said.
Users who clicked the links in the simulated phishing emails were redirected to a page informing them it was part of a test. The links also recorded who clicked through and ‘fell’ for the simulated phishing attempt, he said.
Nursing freshman Patricia Beatrice Palmis said she checked her email and found a message from the Department of Motor Vehicles that said she had a speeding ticket.
“I got kind of scared because I do speed a little bit, so it was kind of tailored to me,” Palmis said.
She clicked the link in the email and it brought her to a page that said it was a simulation by UTA.
Palmis posted a screenshot of the email to her resident hall group chat and found a fellow student employee had also seen a similar email.
Nursing sophomore Sarah Esayas got an email that looked like an order confirmation from Amazon for an item she hadn’t purchased. She clicked the order number to cancel it, and that’s when she saw it was a simulation.
“I thought it was really effective, especially since it was a simulation and having students experience that and looked so real,” Esayas said. “I thought that was a really effective way to teach students not to trust all emails.”
The UT System asked for UTA to allow these messages to bypass the regular security measures, which may have blocked them otherwise, Pierce said. This did not interfere with normal security methods, he said.
When the test was done and those specific messages were no longer marked exceptions, Microsoft Defender blocked them because enough users had reported that the emails might be phishing, he said.
Esayas said she thinks sending a simulated phishing email every semester would be effective, particularly for new students.
In the first few months of her freshman year, Esayas fell for a phishing email, she said.
“As a freshman, I thought every single email I got was real and that nothing fake ever reached my student email,” she said.