In January, NYCHA rolled out a new cyber awareness training program. As part of the program, network users received suspicious email messages known as fake phish and then training assignments from the NYCHA Cyber Awareness Team. The Cyber Awareness Team is led by Information, Security, and Risk’s Chief IT Auditor, Jeffery Benson, and composed of members of the IT Department tasked with keeping NYCHA safe from information security threats.
What are fake phish?
Fake phish resemble phishing emails but are designed to help us learn what to do with real phish. Phishing emails are fraudulent messages that request personal information (e.g., info about credit cards and bank accounts and passwords); they ask you to click on a link or attachment that you should know not to click (because it could unleash a virus or malware).
Why did I get a fake phish?
Cyber Awareness Team member Nina Winer explained, “We sent out the first fake phishing emails in order to get initial metrics on how susceptible we are to opening and clicking on links and attachments. We’ll compare those initial results with our response to fake phish after employees have taken cyber awareness training to see how we’re improving.”
Of the 7,385 fake phish emails that the Cyber Awareness Team sent on January 10, 21 percent of NYCHA network users opened the email and 16 percent opened the email’s attachment.
Monthly training assignments to keep us safe
NYCHA network users will receive cyber awareness training assignments and fake phishing emails each month. The metrics related to the fake phishing emails will inform the IT Department of NYCHA’s susceptibility to cyber-attacks.
Each cyber awareness training assignment takes only about 10 minutes to complete and is an interactive, engaging way to learn secure behavior.
Want to learn more?
Visit the Cyber Awareness Training Link for all the available cyber awareness training topics, including: social engineering and spear phishing threats, travel security, mobile app security, working with personally identifiable information, passwords, physical security, safer web browsing, safe social networks, security beyond the office, and USB device safety. If you have any questions about the training, please email firstname.lastname@example.org.
Remember, if you receive a suspicious email:
- Contact Information Security & Risk by calling 212-306-8006 or emailing email@example.com.
- Delete the suspicious email from your mailbox without clicking on any hyperlinks or attachments.