
This uni thought it would be a good idea to do a phishing test with a fake Ebola scare

Needless to say, it backfired in a big way


University of California Santa Cruz (UCSC) students may be relieved to hear that an emailed warning about a staff member infected with the Ebola virus was just a phishing exercise.

The message, titled "Emergency Notification: Ebola Virus Case on Campus," went out to the university community on Sunday, August 18. It began, "We regret to inform you that a member of our staff, who recently returned from South Africa, has tested positive for the Ebola virus."

The message went on to say that the university had initiated a contact tracing protocol and asked recipients to "Please Log In to the Access Information Page for more details" – exactly the action phishing messages try to induce in order to capture login credentials.
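The lure described above combines two classic hallmarks, an alarming pretext and a "log in here" call to action, usually with a link that does not belong to the supposed sender. The following Python snippet is an added example, not code from the article, from UCSC or from any mail gateway; it scores constructed sample messages against those three indicators so that a user-facing "report this" hint can fire on messages like the one quoted. All addresses and hosts in it are placeholder `.example` names, and the domain check is a deliberately crude last-two-labels approximation.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages for this example (not real mail). The first
# mirrors the lure the article describes: a health "emergency" framing plus a
# "log in" call to action whose link points at a host that is not the sender's.
# All addresses and hosts are placeholder ".example" names.
SAMPLES = [
    {
        "subject": "Emergency Notification: Ebola Virus Case on Campus",
        "sender": "health-alerts@campus-notices.example",
        "body": ("We regret to inform you that a member of our staff has tested "
                 "positive. We have initiated a contact tracing protocol. Please "
                 "Log In to the Access Information Page for more details: "
                 "https://access-info.example.net/login"),
    },
    {
        "subject": "Library hours over the holiday",
        "sender": "library@campus.example",
        "body": ("The library closes at 5pm on Friday. Full schedule: "
                 "https://campus.example/library"),
    },
]

# Three indicators; a real gateway uses many more, but these are the ones the
# article's lure exhibits.
URGENCY_TERMS = ("emergency", "urgent", "immediately", "tested positive",
                 "outbreak", "contact tracing")
CREDENTIAL_CTA = re.compile(
    r"\b(log\s*in|sign\s*in|verify your (account|password)|reset your password)\b",
    re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain.
    A production check would consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_message(msg: dict) -> dict:
    """Return the indicators found in one message and a count-based verdict."""
    text = f"{msg['subject']}\n{msg['body']}".lower()
    indicators = []

    # 1. Alarming pretext (health scare, emergency wording).
    if any(term in text for term in URGENCY_TERMS):
        indicators.append("urgency_or_health_scare")

    # 2. Credential-harvesting call to action.
    if CREDENTIAL_CTA.search(text):
        indicators.append("credential_call_to_action")

    # 3. Any link whose domain differs from the sender's domain.
    sender_domain = registrable_domain(msg["sender"].rsplit("@", 1)[-1])
    link_domains = {registrable_domain(urlparse(u).hostname or "")
                    for u in URL_RE.findall(msg["body"])}
    if any(d and d != sender_domain for d in link_domains):
        indicators.append("link_domain_differs_from_sender")

    verdict = "report_to_security" if len(indicators) >= 2 else "ok"
    return {"score": len(indicators), "indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    for sample in SAMPLES:
        result = score_message(sample)
        print(f"{sample['subject']!r}: {result['verdict']} {result['indicators']}")
```

Two or more indicators together produce the "report to security" verdict, which is the behaviour the training quoted later in the article wants staff to practise: recognise and report, rather than click. The library notice scores zero because it has no alarming wording, no login prompt, and its link stays on the sender's own domain.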

The simulated attack was similar to an actual phishing message sent on August 1, 2024, as shown on the UCSC Phish Bowl, a collection of real and test phishing attempts.

But the one sent on Sunday was intended to raise awareness of phishing rather than to actually steal information.

In that, it succeeded. The message prompted the UCSC Student Health Center to publish a notice about a "Phishing email with misleading health information."

On Monday, Brian Hall, chief information security officer for UCSC, sent out an apology to the university community.

"The email content was not real and inappropriate as it caused unnecessary panic, potentially undermining trust in public health messaging," his missive said. "We sincerely apologize for this oversight."

"Simulated phishing training emails are intended to help people recognize and avoid real phishing attempts, ultimately strengthening our overall security. However, we realize that the topic chosen for this simulation caused concern and inadvertently perpetuated harmful information about South Africa."

The last reported Ebola infection detected in South Africa occurred in 1996, according to the US Centers for Disease Control and Prevention. In 2014, during what's referred to as the West African Ebola outbreak, 11 people were treated for Ebola in the US, most of whom had been medically evacuated from other countries. Two US nurses contracted the disease treating other patients and both recovered.

"UC Santa Cruz is focused on protecting students, faculty, and staff from malicious emails and other online threats," said Assistant Vice Chancellor Scott Hernandez-Jason in an email to The Register. "In addition to regular cybersecurity training for our employees, our campus periodically conducts simulated phishing campaigns to remind faculty and staff about how to recognize and handle suspicious emails.

"The email was sent to student employees, faculty and staff, and after it was sent we identified several concerns about the content of the message. As we shared with our campus community, we are working to prevent this from happening again."

In a blog post last year, cybersecurity researcher Marcus Hutchins advised care when simulating phishing attacks. "Phishing simulations run a very high risk of creating distrust and friction between your employees and security team," he wrote.

Several months ago, Google security engineer Matt Linton made a similar point, arguing "the information security industry should move toward training that de-emphasizes surprises and tricks and instead prioritizes accurate training of what we want staff to do the moment they spot a phishing email – with a particular focus on recognizing and reporting the phishing threat." ®
