CUIMC IT Reduces Success of Phishing Attacks

Columbia University Irving Medical Center’s Information Security Office team has implemented campaigns to reduce the success of phishing attacks. Those campaigns over the past five months have resulted in a reduction of almost 80% in clicks to links that simulate attacks.

With phishing attacks on the rise, IT conducted simulated phishing campaigns that have spread awareness among CUIMC email users. The success of those campaigns helps make CUIMC a more secure organization.

In simulated phishing campaigns, IT sends emails that mimic real-world phishing scenarios. Clicking on a link within a simulated phishing email redirects the user to brief training that reminds users that phishing attacks are on the rise and users should be very cautious in opening and responding to personal or professional messages. The training advises users to not open attachments or click links in a message from senders requesting sensitive information.

Cybercriminals target individuals and organizations to steal valuable information as well as inflict reputational damage. The most common attack is to use phishing emails to trick a recipient into giving up passwords or running a malicious attachment. This kind of attack has been successful when targeting users at CUIMC and elsewhere.

The CUIMC Information Security Office has responded to attacks that include links to sites that are made to resemble official Columbia websites; malicious email attachments that are disguised as invoices or other important documents; and email addresses made to resemble those of trusted and high-ranking members of Columbia University. Some of these attacks have resulted in departments temporarily or permanently losing access to data.

IT Security's goals are to help users identify and avoid phishing attacks and to increase awareness about the risk phishing threats pose to individuals and to the CUIMC community. Users should be particularly vigilant with messages marked “External.” Other reminders:

  • Do not open documents/spreadsheets from sources you do not recognize.
  • Do not click strange links, even from trusted sources.
  • Never respond to an email requesting your credentials or enter your credentials if prompted by a link to an unrecognized portal.

Suspicious emails should be reported to