NEWS: Phishing campaigns at UCLA Health result in heightened awareness

Man looking through lab magnifier

By Wendy Rager and Judi Baker. Most of us are familiar with phishing – a type of social engineering scam where a bad actor sends fraudulent communication that appears to come from a legitimate source. The goal of the attack is to trick the recipient into revealing sensitive information (such as credit card numbers or passwords). 

Phishing is at the root of many of the most devastating cyberattacks and have cost companies and entities millions and millions of dollars in damage. According to the 2022 IBM Cost of a Data Breach Report, phishing and stolen or compromised credentials were responsible for 16% and 15% of breaches respectively.

So, it’s not a surprise that phishing remains a major cybersecurity concern within UC, especially as cyberattacks become progressively more sophisticated and frequent every year. 

Focusing on “The Human Layer”

When recipients dismiss phishing attempts, that’s a good thing, but UCLA Health IT Security created their complex phishing campaigns in 2023 with another goal – to motivate people to report phishing attempts, not just ignore them. 

UCLA Health took a unique approach to their cybersecurity campaigns by using targeted and tailored training and a reward system. This allowed them to educate and continuously remind users how to report cybersecurity threats, and reward those who reported with Cybersecurity Challenge points that increased their chances of winning raffle prizes.

The campaigns, conducted for all 50K+ people at UCLA Health, introduced examples from global real-world attacks as well as other challenging scenarios, such as a simulated attack from a compromised UCLA Health email account.

In prior campaigns, if someone clicked a phishing link it was considered a “fail,” and that was considered a teachable moment and concluded the exercise. This new approach provided four categories of responses, including the phishing attempt being identified and reported as well as the subject failing (by clicking the link) but also reporting it. This helped them to stop looking at the campaign results as binary with only pass and fail options, because in reality, the process is more complicated.

“We wanted to focus on the human layer, which is often the most exploited by cybercriminals, to build a strong security culture in the organization and equip all our users with the knowledge and confidence to respond and report in the event of a real-life attack,” said Luis Perez, Senior Information Security Analyst at UCLA Health.

Unique Approach Provides Improved Results 

This innovative approach yielded positive results, showcasing an increase in year-over-year report rates despite a higher user base and increased difficulty levels. The fail rate remained well below the industry average and UC’s target of 10%, indicating the success of UCLA Health’s strategy. 

Statistics demonstrating a 124% increase in reporting phishing attempts after implementing campaigns

Kudos to the UCLA Health IT Security team for their innovative and incentivized efforts in bolstering cybersecurity within their community.

Learn More about UC Cybersecurity

To delve deeper into cybersecurity initiatives across UC, explore the insights shared in the 2023 Cyber Risk Program Annual Report.

Authors

Wendy Rager
Wendy Rager 
Manager, Cyber Risk Coordination Center 
UC Office of the President 
Judi Baker
Contract Content Marketer
UC Office of the President