University of California Santa Cruz (UCSC) Phishing Test Causes Panic and Outrage

The University of California Santa Cruz (UCSC) made headlines last week for a phishing test gone wrong that caused panic among students and staff. The email, with the subject line “Emergency Notification: Ebola Virus Case on Campus,” claimed that a staff member had tested positive for the Ebola virus after traveling to Africa.

The email, which came from a non-university email address, directed recipients to an information site that turned out to be a Proofpoint phishing training site. This misguided phishing test sparked outrage and fear among the UCSC community, with some calling it irresponsible and in poor taste.

UCSC assistant sociology professor Alicia Riley criticized the university’s choice of using a false Ebola claim for a phishing test, stating that it caused unnecessary panic and undermined trust in public health messaging. UCSC CISO Brian Hall later apologized for the test, acknowledging that it was inappropriate and inadvertently perpetuated harmful information about South Africa.

Phishing tests are typically designed to educate employees about cyber risks and the importance of safeguarding sensitive information. However, the UCSC phishing test served no useful purpose and only succeeded in creating unnecessary fear and panic among recipients.

Moving forward, organizations should ensure that their phishing tests are designed with a strategic organizational goal in mind, such as protecting data and credentials, rather than causing unnecessary alarm. The incident at UCSC serves as a reminder of the importance of thoughtful and responsible cybersecurity training programs.