Knowledge is protection: Why phishing simulations are important
Last week, ETH staff and students received an email asking them to enter their password under the pretext of a refund for public transport. This email was part of a phishing simulation carried out by the System Security Group in consultation with the Central IT Services.
Claudio Anliker is project manager of the phishing simulation and a doctoral student in Srdjan Capkun's System Security Group in the Department of Computer Science. In this interview, he explains the reasons behind the phishing simulation.
How did this joint action with the central IT services come about?
Claudio Anliker: My colleague Daniele Lain conducted a number of user studies on phishing as part of his doctoral thesis. Matteo Corti from the IT Services read one of his papers and signalled his interest in a joint study, as phishing is of course also an important topic for the ETH IT Services. When I had the idea to investigate the security of external password managers with a phishing study, I approached Matteo. He quickly agreed to work with us.
Why do we need such phishing simulations?
In many companies, regular phishing simulations are part of their everyday routine. It is important to make employees aware of phishing because the potential damage is enormous. Be it industrial espionage or a ransomware attack. We know that the biggest security weakness in any IT infrastructure is the human element. And phishing attacks are becoming increasingly sophisticated; users need to be very vigilant to detect them.
Why were the students contacted in addition to the staff?
On the one hand, it was important for our study-specific question to have a large number of participants, as only a fraction use a password manager. On the other hand, it is also important to demonstrate to students how phishing works, as they often lack experience with emails in a professional setting.
What research results do you hope to obtain from the simulation?
We hope to find out whether our intuition is correct that password managers that use a master password can be "fished" relatively easily. Or whether it turns out that they are actually much more secure than we think.
We also expect to find out what makes a password manager more secure against phishing attacks. The password managers all work slightly differently, for example, some open a pop-up, others a new browser tab with its own URL. We hope that the study will provide us with enough data to identify trends as to whether certain design decisions could make a password manager more secure.
Do the people who have entered their password need to worry?
No. Regardless of what they entered or did on the website we have not saved any passwords. We are also unable to trace who has entered a correct password and who has not. The analysis is anonymous. But you don't have to be embarrassed if you fall for the simulation. It can happen to anyone, especially when you're under stress and not looking too closely.
How can I recognise a phishing attack?
Trust your instincts and always be a little suspicious of emails. If anything seems strange to you, it's worth taking a closer look. Emails with embedded links and attachments should always be treated with caution. This is because phishing attacks always aim to get me to take an action: I should click on a link, download something or open an attachment. The most important thing is to check the sender carefully. Large organisations such as ETH Zurich have configured their mail servers in such a way that mails cannot simply be sent with their address. This means that attackers use names that sound similar. In our simulation, for example, the ending "elhz.ch" instead of "ethz.ch". It is important to be aware that often only the display name is visible - in our case "ETH Campus Services" - and this can be faked, especially when using mobile devices.
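The sender check described in the answer above, written out as an added example that is not part of the interview: it parses a From: header, compares the address domain (not the display name) against a trusted domain, and flags lookalike domains such as "elhz.ch" by edit distance. The header values and local parts are constructed for illustration.

```python
import email.utils
import unicodedata

# Assumed trusted domain for this example; the real lookup list would come from
# the organisation's own configuration.
TRUSTED_DOMAIN = "ethz.ch"


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, trusted_domain: str = TRUSTED_DOMAIN):
    """Classify a raw From: header value as trusted / lookalike / suspicious / external.

    The display name is never trusted on its own: many mail clients, especially on
    mobile devices, show only the display name, and it can be set to anything.
    """
    display, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return ("suspicious", "no parsable email address in From: header")
    # Normalise the domain so visually similar Unicode forms compare consistently.
    domain = unicodedata.normalize("NFKC", addr.rsplit("@", 1)[1].lower())
    if domain == trusted_domain or domain.endswith("." + trusted_domain):
        return ("trusted", f"address domain {domain} is {trusted_domain} or a subdomain")
    distance = levenshtein(domain, trusted_domain)
    if distance <= 2:
        # e.g. "elhz.ch" differs from "ethz.ch" by a single substituted character
        return ("lookalike", f"{domain} is within {distance} edit(s) of {trusted_domain}")
    org_name = trusted_domain.split(".")[0]  # "ethz" -> compare on "eth"
    if org_name[:3] in display.lower():
        return ("suspicious", f"display name '{display}' claims {org_name} but address is {domain}")
    return ("external", f"address domain {domain} is unrelated to {trusted_domain}")


if __name__ == "__main__":
    # Constructed sample headers, not taken from the actual simulation email.
    for hdr in ["ETH Campus Services <campus-services@elhz.ch>",
                "Someone <someone@inf.ethz.ch>",
                "ETH Zurich <noreply@example.com>"]:
        print(hdr, "->", check_sender(hdr))
```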
Your phishing email looked very convincing and well thought out. Why?
Yes, the email was deliberately very convincing. One reason for this was our research project: we wanted to study how people would behave on the simulated phishing site after the email deception had been successful.
Is a phishing email like this realistic?
Yes, absolutely. Thanks to the huge advances in the field of generative artificial intelligence, such emails can be generated in seconds and perfectly translated into other languages. The days of emails littered with spelling mistakes, advertising implausible inheritances, are over. In addition, the data needed for such phishing (such as name, ETH department, email addresses, etc.) can be found very easily on the internet.
Unfortunately, ETH is also experiencing a large number of so-called ‘spear phishing attacks’ that target specific individuals or departments and are highly personalised. Such emails are sent in small numbers, making it more difficult for mail filters to detect the phishing.
Now, ETH normally marks external emails as ‘external’ by default. Why was this not the case with your phishing email?
We decided not to display the ‘external’ label because of our research project. The email should look as genuine as possible to see how the participants behave on the website. We are aware that this means that people who would not have clicked on the link if it had the ‘external’ label also clicked on it. In this case, they can take comfort in the fact that they would most likely have recognised a real, external phishing email.
However, you should not rely on this marking alone: it is not yet displayed for many mailboxes and is not supported by some email clients at all (for example, it is missing from the mail app on iOS). This can quickly create a false sense of security, especially if you work with different devices. In exceptional cases, a configuration error or a hacked ETH email address could also be reasons for a phishing email not being marked as external. Therefore, you should always check both the email and the opened website for other important phishing indicators before entering a password. It's quicker than you think (see this Intern Aktuell article published in Dec 2022).
What do I do if I suspect a phishing attack?
If you're unsure, it's better to send one too many emails to the IT services for checking than one too few. Personally, I am suspicious when I receive an email with an attachment because it happens so rarely. But I’m also aware that for someone who works in student administration or HR, it's quite natural to receive lots of emails with all kinds of attachments.
Is it a security risk if I forward the e-mail to the IT services?
It is safest if you forward the email as an attachment. It becomes problematic if you click on a link and enter your password. If this happens, it is important to report it immediately so that the damage can be minimised.
Did you get a lot of feedback?
We received a surprisingly large amount of positive feedback. Many people understand that this topic is important and also took the opportunity to send us further questions. As expected, however, there was also negative feedback: in particular, the fact that we used public transport discounts as bait was not well received by everyone.
Why did you decide to do this?
A simulated phishing email is always a tightrope walk. On the one hand, it should be as attractive as a real one, because otherwise the exercise makes no sense. On the other hand, it should put as little emotional strain on the participants as possible, which an attacker would of course not care about. A survey on cafeteria menus would probably not have bothered anyone, but it would also have simply not interested many. As a counterexample, a warning about exmatriculation would probably have fallen on open ears, but it would clearly not have been ethically justifiable. The public transport discounts were a compromise and were approved by the ethics committee.
Will there be more phishing simulations like this at ETH in the future?
We have no further plans for the current project, but I can't speak for ETH Zurich. However, I could well imagine a follow-up project, because the collaboration with the IT services was very good, especially with Matteo Corti and Johannes Hadodo, the new Head of Cyber and Information Security (CISO). I probably spoke to a dozen people from different departments and it was always very constructive. We also had the support of the Executive Board. That's not something that can be taken for granted and I really appreciate it. And the issue of phishing will, of course, remain relevant for ETH in the future.
Still have questions?
If you still have questions about the phishing simulation, you can find more information on the study's debriefing website.
If you have general questions about IT security, you can find information on the IT Services webpage.
If you suspect or know that you are dealing with a phishing email, please forward it to .
It is important that you forward the mail as an attachment. In Outlook you do this using the "forward as attachment" function.
You only need to contact your responsible IT support if you have clicked on the link in the e-mail.
Note on the translation
This text has been translated for your convenience using a machine translation tool. Although reasonable efforts have been made to provide an accurate translation, it may not be perfect. If in doubt, please refer to the German version.
Should you come upon significant translation mistakes, please send a short message to so that we can correct them. Thank you very much.