More than 1,800 students, faculty and staff have signed up for GoPhish, an online tournament running from March 29 to April 15 in which participants can earn points and win prizes by identifying and reporting artificial and real-life phishing emails. Designed by the DALI Lab and Information, Technology and Consulting, the tournament aims to bring greater awareness to the prevalence of phishing schemes targeting Dartmouth community members and to cybersecurity more generally.
“Phishing,” a cybercrime in which hackers pose as representatives of a legitimate institution in order to trick victims into providing personal or financial information, is the “number one” cybersecurity challenge faced by the College, according to chief information officer Mitch Davis. The tournament, he said, is part of a larger recent campaign to improve cybersecurity at the College by educating community members about the dangers of phishing schemes.
While a majority of the 10,000 phishing attacks that hit Dartmouth servers daily are caught and filtered, some slip through and can cause irreparable damage such as identity theft and financial loss, according to director of student and academic systems Sam Cavallaro. Although he said that the tournament wasn’t inspired by any attack in particular, he noted that the competition is part of a “risk mitigation” strategy that ITC is implementing after “notic[ing] the intensity of the amount of attacks.”
“It’s surprising to see how susceptible we can be to phishing attacks,” said DALI designer and tournament project manager Emma Kallman ’22. “I think seeing that eight out of 10 Dartmouth students and staff do not know what to do when they get suspicious emails or how to report to them really shows that there is an issue.”
According to Cavallaro, phishing is a threat because many people “don’t think about phishing” routinely. A central goal of the tournament, he said, is to create a “check” in the minds of internet users to be on the lookout for suspicious emails in their inbox.
Although DALI originally built the platform in fall 2019 as an educational tool, DALI program manager Erica Lobel said the project was specifically gamified during the summer and fall of 2020 in order to make it more engaging and increase information retention.
“We could [have invested] in an education platform with videos and quizzes and stuff like that from some external source, [but] those are pretty darn expensive,” DALI director and co-founder Tim Tregubov said. “[Our] idea was instead of paying somebody else, let’s invest that money here and come up with our own solution that’s more fun, more engaging and more likely to actually achieve the outcome.”
On the current platform, participants can see their total ranking among all participants as well as a leaderboard for the “Fastest Phishers,” which lists those participants fastest to report phishing emails by forwarding them to phishing@dartmouth.edu — a practice that community members can continue after the tournament has ended, according to Cavallaro.
As of Sunday, more than 1,400 participants have earned at least one point in the tournament, and almost 1,300 have met the three point requirement to be entered into prize raffles, which include gift cards to local businesses, headphones and speakers. The participant with the “most phish caught” will win an Apple Macbook Air. Tregubov noted that “most” participants have completed all of the gamified quizzes that earn participants points, which is “really 90% of the battle” to educate the community.
The opportunity to catch “wild phish” — phishing emails that slip through the College’s cybersecurity networks — has highlighted ways in which ITC can improve its security, according to Cavallaro.
“I think [on Wednesday] there were already over 300 wild phish that hadn’t been reported, so that’s 300 scams that people were getting,” he said. “What this allows us to do is improve our filters.”
Ananya Vaidya ’23, who as of Sunday evening is in 98th place with 19 points, earned her place in the standings by completing all 14 phishing quizzes and reporting several phishing emails. She said that the tournament has been “something fun to do” when she has the time. While she was aware that phishing is a problem, Vaidya acknowledged that she hadn’t exactly understood what it was until taking part in the competition.
“Usually you can tell [when it’s a phishing scheme with] an email that’s been badly written, [or] there [are] links that you probably shouldn’t click,” Vaidya said.“But there were aspects [of the quizzes] that were useful to know, things like, there’ll be an unsubscribe link, and if you click it it’s a nefarious link, or they’re gonna have things that try to make it seem legitimate.”
Davis said he hopes that after the tournament ends, participants will have the tools to protect themselves from phishing attacks. Cavallaro noted that the tournament could be a “springboard” both for future improvements in cybersecurity and individual actions to remain safe virtually.
“You can’t talk about phishing unless you have a common language, so what we’re doing is we’re imparting a common language on the campus, and some knowledge about what phishing is so then that conversation can continue after the tournament is over,” Davis said.
Regarding the future of the platform, Lobel said that DALI may commercialize the project and license it to other universities for educational purposes. Tregubov said that Davis has talked to other institutions about the phishing platform and “a lot of them are pretty excited.”
“The way that we coded and designed it should be pretty easy to swap out branding,” Lobel said, noting that the green fish on the current website, for example, could be switched to brown for Brown University.
“[Licensing the platform would] be a way of recouping some of the resources that we put into it … potentially even funding DALI,” she said.