Phishing Simulation Debriefing

In the past few days, you may have received an email with the subject line "Announcement: Public transport reimbursements". It introduced "tickETHs" and offered reimbursement options.

This was a phishing simulation, a simulated phishing-attack. Regrettably, we must inform you that no reimbursements are available: the mentioned email, allegedly from ��ETH 365��ֱ��_365��Ͷע-��Ͷ Services��, was in fact sent by ��info @ services.elhz.ch��. This email and the ETH website it linked to were imitations, showing how cybercriminals could try to steal your credentials in a phishing attack.

All your passwords are safe. Your security is our highest priority. Rest assured that nobody has learned your password(s). We discarded any data you may have entered on the phishing website (or into the faked password manager, see below), and none of it left your device.

This phishing simulation was reviewed by the ETH Ethics Commission and the Data Protection Officer, and it was authorized by the ETH Executive Board. It is being carried out by ETH researchers in collaboration with the ID (IT Services).

You may have been asked to unlock your password manager. In addition to the ETH login form, the website may have imitated your password manager (if you use one) and asked for your master password. This is part of a study conducted by the System Security Group (D-INFK).

Your participation is confidential. We do not know if you entered your real password or not, as we have not collected sensitive data. Furthermore, we will evaluate the results of this simulation anonymously. ETH will not learn about the performance of any individual participants, and your behavior in the phishing simulation will not have any consequences for you.

We imagine you still have questions... which is why we compiled a Q&A below. It explains in more detail what phishing is, how you can protect yourself against phishing emails, and why we conducted this simulation. If it leaves any questions unanswered, feel free to contact us via .

... and we also have a few questions for you.

We, the researchers behind this project, would be incredibly grateful if you could take a few minutes to complete a short survey. Your responses will be evaluated anonymously and will contribute to our study's findings. The survey is hosted on the ETH SelectSurvey platform and be accessed via the following link.

Thank you!

Please do not inform your peers just yet. This simulation allows participants to test their phishing awareness in a secure environment. The simulation ends on November 1, and we would appreciate your discretion until that date.

We thank you for your understanding and your contribution to our research!

Claudio Anliker & Daniele Lain
System Security Group (D-INFK)

Dr. Matteo Corti
Deputy head of ITS Applications
ETH IT Services

Debriefing - Q&A

The following Q&A will hopefully answer your questions about phishing and this project. If something remains unclear, feel free to contact us via .

About Phishing

What is Phishing?

Phishing stands for password fishing and is an attack in which cyber criminals try to trick their victims into revealing sensitive data, for example passwords or credit card numbers.

In most cases, the attackers impersonate a trusted individual or institution by sending a phishing email on their behalf (in our case it was ETH 365��ֱ��_365��Ͷע-��Ͷ Services). The email usually contains a link to a phishing website, which resembles a login the victim is familiar with. When the victim tries to log in, they hand over their credentials to the attackers.

To improve the deception, phishers often use email and website addresses resembling the originals. For example, an address ending with "elhz.ch" or "eth-z.ch" might easily be mistaken for "ethz.ch", the official domain of ETH Zurich.

Cyber criminals use phishing attacks, for example, to enrich themselves (e.g., by obtaining access to e-banking accounts) or to break into companies (e.g, by phishing corporate passwords), causing billions in damages worldwide every year.

What is the purpose of a phishing simulation?

Phishing simulations can help prepare organizations and individuals for actual phishing attacks and are common practice among companies and organizations.

They have several benefits:

Testing and raising phishing awareness: A phishing simulation shows how participants (i.e., students and employees) react to phishing, and it helps build awareness; malicious emails can appear realistic, so we should be cautious, especially when they make enticing promises.
Testing incident response: For organizations, it is essential to deal with phishing attacks swiftly to minimize damages. Phishing simulations make it possible to assess the reaction of the staff responsible (e.g., how early they detect the attack, delete phishing emails, isolate compromised accounts, etc.).
Research: The data obtained in a phishing simulation can be used to answer specific questions, e.g., how users react to certain types of emails or how effective awareness training was.

The goals of our simulation was to raise awareness for phishing among the ETH population and to collect non-sensitive data for a research project. However, it did not test the readiness of ETH IT Services, which helped us set up and run this experiment.

How can I detect Phishing?

This following ETH website explains how phishing emails can be detected:

/staffnet/en/news-and-events/internal-news/archive/2022/12/how-to-recognise-phishing-emails.html.

About Password Managers

What is a password manager?

A password manager is a program that helps create, store, and use passwords in a secure and user-friendly manner. To unlock the passwords, one only has to provide a single master password (and, ideally, a second factor). Most password managers can be integrated into web browsers via browser extensions.

The main advantage of a password manager is that it makes it easy to use strong, unique passwords for many services and accounts. The main drawback is that a passord manager puts all eggs into one basket: If an attacker manages to compromise the password manager, they get access to all accounts.

Does a password manager protect against phishing?

The short answer is "Yes, if you use it correctly".

Most password managers provide auto-completion that only suggests a password on websites it is associated with, meaning they won't suggest the password on a phishing website. Hence, if you visit a familiar website and your password manager's auto-completion is "not working" as expected, you should verify if the website is indeed genuine. On the other hand, if you override the manager by copying and pasting passwords manually into login forms, your password manager cannot protect you.

Finally, password managers can be the target of phishing attacks too, and one should be cautious when asked for the master password (or similar credentials).

Should I use a password manager or not?

Yes, we still recommend that you use a password manager, but you should keep the following points in mind:

Beware of password manager phishing: Whenever you log in to your password manager (or receive an email from the corresponding company), be careful to check for signs of phishing, as any phishing website could show a user interface that looks almost like your password manager.
If you are unsure, open your password manager manually by clicking the icon in your browser��s toolbar. This always opens the real password manager, since this button is part of your web browser and out of reach of the phishing website.
Use trusted devices only: Don��t access your password manager on public or untrustworthy devices (such as a laptop of a person you barely know).
Heed warnings: Password managers usually inform you if they detect unexpected behavior, such as a login from a new device. Take these emails seriously.

About this Project

What is the goal of this project?

This simulation is part of our research on phishing attacks against password managers. If you use a password manager, you may have seen a phishing page that imitated your password manager and asked for your master password. Otherwise, the phishing page only contained the ETH login. Please note that we have not learned your inputs, and that all your passwords are safe.

Our primary objective was to understand how likely people are to enter their password manager's master password on an unrelated phishing website.

In addition, the phishing simulation had an educational purpose. We hope it raised awareness among the ETH population that phishing attacks may be quite sophisticated.

Who is responsible for this project?

This project is conducted by two researchers from the System Security Group at D-INFK, with the support of ETH IT Services (Informatikdienste):

Claudio Anliker (System Security Group)
Daniele Lain (System Security Group)
Dr. Matteo Corti (IT Services)

The phishing simulation is supervised by

Prof. Dr. Srdjan Capkun (Head of System Security Group)

Why did you not ask me beforehand if I wanted to participate?

The purpose of this simulation is to study the susceptibility of password managers to phishing, which is why we had to simulate an actual attack. Asking for your consent (or just announcing the simulation) would have forewarned you, and likely caused you to be more diligent with your emails. This would would have distorted the results of our study.

We kindly ask for your understanding.

What data did you collect and how is it protected?

To run this study, we required the name, ETH email address, and the ETH username of all participants. In addition, we were given access to basic demographic information required for the statistical analysis of our results. All this data was provided internally and after consulting the Data Protection Officer by ETH Human Resources and the Academic Services (AkD). We will delete all received data after the evaluation.

During the phishing simulation, we have only collected the data listed below. All data is stored under a pseudonym (the PID in your debriefing email). This pseudonym is a cryptographic hash generated with a secret key only known to the researchers.

In other words:

We only work with your pseudonym and do not learn your identity.
Without this secret key, it is not possible to recover you identity from the PID.
We delete the key as soon as the evaluation ends, resulting in complete anonymization of all data we collected.

We collected the following data (inluding timestamps):

If you visited the phishing website
If you entered your correct ETH username
The length of your input(s) into password fields (one number)
If you entered two passwords into the same form, their Levenshtein distance, i.e, the number of characters in which they differed (one number)
Which elements you interacted with on the website.
If you use a password manager and, if yes, which one.
Additional metadata about your system (e.g., what browser you use or its configured language). Note that this data is sent automatically to every website you visit.

I want you to delete my data.

If you would rather have us delete your data, please send us an email to , subject ��Opt-out��.

However, we would greatly appreciate if you could reconsider:

There are no risks or strings attached to your participation. We designed this phishing simulation carefully and involved various ETH offices (e.g., Ethics Commission, Legal Office, Corporate Communication, and IT Services). All collected data will be completely anonymized, and not used to your disadvantage in any way.
We will treat your data confidentially and with utmost caution: ETH will only receive results in an aggregated form and learn nothing about your personal result.
The study is over. You will not receive any further phishing emails as part of this study.
We rely on your data for our research. We can only draw meaningful conclusions if participants allow us to use the collected data.
Deleting your data will not change your experience. We apologize if the simulation was a nuisance. If you fell for the phishing, do not despair: this was an exercise after all, and it can even happen to trained professionals.

I have further questions.

We gladly answer your questions. Please send us an email to .