Proactively Preventing Potential Phishing at FSU 1

Proactively Preventing Potential Phishing at FSU

Team #2

The Better Info Security Group

Florida State University

Proactively Preventing Potential Phishing at FSU 2

Abstract

Phishing attacks are often used to steal personal and private information from

unsuspecting users. This study took a look at Florida State University (FSU) undergraduate

students and assessed their awareness of phishing, their time spent online in a recreational

setting, and the methods of prevention they use. A Qualtrics survey was sent out to FSU

social media pages and directly to current undergraduates. After using the snowball method

to distribute the survey, a total of 113 responses were collected, but only 89 were

considered valid and complete. From these results, it was found that a majority of FSU

undergraduate students are aware of phishing, but do not do much in the way of prevention

and protection. Despite the fact that over 96% of respondents use the internet

recreationally at least once a day, a good portion does not use an adblocker, antivirus, or

monitor their spam. From the results collected, the conclusion was made that FSU

undergraduates should invest in more protection software, while the institution of FSU

should work more towards educating its students on the dangers of phishing.

Keywords: phishing, undergraduates, cybersecurity

Proactively Preventing Potential Phishing at FSU 3

Problem Statement

The problem that the researchers identified is the ongoing threat of phishing scams.

While phishing scams can affect anyone who uses technology, the focus of this study will be

Florida State University (FSU) undergraduate students. As current students, there is easy

access to other students for the purposes of surveys. Phishing scams are used to try and

trick you into giving up valuable personal information. The Federal Trade Commission warns

that “phishing emails and text messages may look like they’re from a company you know or

trust”, (Federal Trade Commission, 2019, para. 3). If an FSU community member were to fall

prey to a phishing scam, they could jeopardize not only themselves but the rest of the

community, depending on what information gets out. The purpose of this research was to

gauge the level of phishing awareness at Florida State University and find out how to best

help protect members of this community. If we can slow or stop the leaking of data, it could

help students, staff, and the University itself avoid troubles.

Significance of Study

Phishing scams are a well-known method used to gain access to personal, business,

or company information. Especially for an institution as big and important as FSU, bringing

awareness and preventive measures to the students should be a top priority to keep

everyone’s private and crucial information safe and secure. Many FSU students use their

emails and their FSU accounts to store their private and secure information and work. If just

one of these students were to be scammed by a phishing email and have private

correspondence or personal records leaked, it could create a snowball effect of trouble,

Proactively Preventing Potential Phishing at FSU 4

ultimately having heavy repercussions for the university and those associated with it. While

FSU’s Information Technology Services department does clarify that “FSU will never ask you

for your FSUID username and password in an email or phone call” (Florida State University

Information Technology Services, n.d. 1), there are many other ways for students to be

hacked or taken advantage of online. This includes the unintentional sharing of sensitive

information through social engineering or masking a virus as something usually unharmful

like a download file. However, the belief is that everyone in these stakeholder groups and

the general public can benefit from greater knowledge and understanding of how to

acknowledge, avoid, and report phishing emails and scams.

Research Questions

RQ1: Do FSU undergraduate students know what a phishing scam is?

RQ2: How often are FSU undergraduate students online outside of school,

potentially putting them at risk of phishing attacks?

RQ3: What steps are FSU undergraduate students taking to protect themselves from

phishing scams?

Environmental Scan

Introduction

The world of computers today would have gotten nowhere near how it is without

the internet. It’s how we can stay connected to one another and the world to share many

things. However, the internet is not the safest place a person can be. While it can’t harm

you physically, there is always the threat of someone, or something, trying to get your

private and personal information. The most common and most used attempt at this is called
Proactively Preventing Potential Phishing at FSU 5

‘Phishing’. This study will focus on phishing due to it being very common and prevalent

around the world these days and yet so many people do not know what it is or could be

susceptible to fall right into its trap and have a lot of or even all of their important

information leaked out to a single person or multiple people around the world. While the

simple answer and solution to something like phishing could just be to not click on any links

or open attachments from emails claiming to be from your bank or another trusted

organization, this study would like to pinpoint all of the ways to protect yourself and make

sure other people are knowledgeable about this serious threat (Australian Competition and

Consumer Commission, 2018). The goal with this environmental scan will be to understand

what phishing is, how people are affected by phishing, how to mitigate phishing, and

previous studies related to phishing on other college campuses.

What is Phishing

Phishing scams and attacks are a very common dilemma in people’s lives with more

than a decade of research spent on phishing, people are still at such a serious risk to be

tricked and have all of their information stolen. (S. Das et al., 2020) Phishing scams are

usually common via email, also known as ‘spear phishing’. The people who send out these

emails are trying to get the recipient to click a link or download an attached file that will,

most likely, lead to their usernames, passwords, and other information being leaked out to a

select people or even out to the public (A. Das et al., 2020). Phishing can be seen as a type

of social engineering, as while some attempts are a mass email spam across multiple users

that try to brute force their way in the vague hope that one or two out of the three-
Proactively Preventing Potential Phishing at FSU 6

thousand click on the link, others can create heavily edited and spoofed emails with perfect

grammar and punctuation that may look like it came from Microsoft or Google and seem

legitimate (Fatima, et al., 2019). The attacker may send multiple emails to fool you into

thinking they are a representative of the aforementioned companies and corporations

attempting to win your trust. The belief is that the main reason for why phishing is still such

an issue in our world is that people are not being educated and taught the dangers and

preventative measures of phishing. Every year, new people are getting onto the internet

from their phones or on their computers without the proper knowledge on how dangerous

it could be for them. Phishing attempts and methods to fight against it need to be common

knowledge these days to stand a chance at making sure people can keep their information

safe and secure from outside forces. Researchers around the world agree that phishing

needs to be addressed and heard about or else the attacks could get worse and worse

(Fatima, R. et al., 2019).

How FSU Undergraduate Students are Impacted by Phishing

With such a real threat like phishing, there are most likely some serious effects that can

take place. For one, phishing scams at FSU can cause annoyance for both staff and students.

As discussed above, the main goal of phishing scams is to get personal information from a

user and use it maliciously. Phishing scams are becoming increasingly more deceptive with

sophisticated attacks that are able to manipulate end-users through, for instance, spoofed

websites, targeted emails, and fake phone calls (Das S. et al., 2020). These scams can be

obvious to spot and other times very tricky to the normal eye. Some email and social media
Proactively Preventing Potential Phishing at FSU 7

companies have precautions for known phishing scams which get added to a blacklist. By

having this blacklist, phishing attacks can be prevented from even reaching users. For

example, filtering phishing emails, blocking fake websites, and forcibly taking down phishing

websites essentially make phishing non-existent to the user by removing any potential

threats before they appear to the user (Nguyen, 2018). Since phishing scams can come in

many types, the people designing these scams are continuously trying to update and make

them seem more real. When users click on links, they are redirected to a website that

imitates the appearance of the entity being falsely portrayed. For example, if a phisher is

attempting to steal bank account information, the layout of the phishing website may look

very similar, if not identical, to the actual banking website to convince users of its

legitimacy. (Nguyen, 2018) FSU students will most likely be targeted by spoof emails,

disguised as other FSU students or even staff. While some students may not fall for these

emails, another student who is not familiar with these types of scams could easily be a

victim and have their personal information taken without even realizing it. Which makes it

important to spread knowledge on how to fight back against or at least mitigate phishing.

Previous Studies Related to College Campuses

If phishing is such a common issue people can run into now-a-days, there would

logically be a method to counteract it. Ideally, a blend of increasing human awareness and

upping the quality of technological filters would be used to combat phishing scams from

multiple fronts, but for this study it will hone in on the human component. The first step to

take should be gauging public awareness of what phishing is in the first place, and from

there seeing how well they can detect phishing attempts. To start off, a trio of researchers
Proactively Preventing Potential Phishing at FSU 8

conducted an exercise at a Kenyan university with the goal of finding out how susceptible

people are to phishing attacks (Musuva et al., 2019). They ran fake phishing campaigns that

targeted students and staff for forty days, only stopping due to backlash on social media.

After going through the data, they found that “31.12% of the insiders are susceptible to

phishing and 88% of them disclose passwords that grant access to attackers.” (p. 157). From

their research, they concluded that social engineering phishing attacks are still very

effective, even when some parties are aware of the fact that they exist.

Now that we have seen what happens when the majority of participants are

unaware of what is occurring, we will move on to an example where training took place. A

second batch of researchers at a university located somewhere in the Midwest conducted

an experiment in which they trained students and staff to better detect attempts (Jensen et

al., 2017). One group was trained based on a rule-based table while another group was

trained using mindfulness techniques. While neither training group got their failings down

to zero, the mindfulness sector ended the experiment with a .092 chance of responding to

phishing emails whereas the rule-based sector ended up with a .231 chance. From this data,

the researchers concluded that this type of training could be a valuable opportunity for

people to build interventions that will reduce individuals’ susceptibility to phishing attacks.

With this in mind, both parties that received training performed better than the group in the

previous study. At the end of the day, the best course of action, as shown by the two studies

examined, would be to train students and staff at FSU to avoid phishing scams through
Proactively Preventing Potential Phishing at FSU 9

mindfulness techniques. While it may not be a perfect solution to stop phishing totally, it

shows proven results.

Mitigating Phishing

One thing to always consider to boost the awareness and skill of preventing these

phishing scams at FSU is to look at other college campuses related studies. On March 13,

2020, FSU closed its doors for Spring Break. Most students would not return to campus due

to the suspension of all in-person classes for the rest of the Spring 2020 semester, thanks to

the outbreak of SARS-COV-2 across the United States. Overnight, COVID-19 forced Florida

State into becoming an institution that went about its business primarily online instead of

inside the classroom. The shift to all online classes has been cumbersome and difficult for

both student and teacher alike. A portion of both parties are now being exposed to the

internet on a scale that is larger than they have ever had to deal with. This naivete opens up

a new demographic for cybercriminals to compromise and exploit online. Cyberattacks, such

as phishing, are common in the university setting.

With so much of academia now completely online, phishing is poised to run rampant on

students and faculty that are both unaware and uneducated on how to handle such threats.

As such, universities have launched anti-phishing campaigns across the country with schools

such as the University of Minnesota launching a phishing hotline for students and faculty to

report attempted scams (University of Minnesota Information Technology, 2020). Users that

have phishing scares in the recent past typically are more averse to phishing attempts

(Chen, et. al, 2020). The means to mitigate phishing on college campuses also requires

extensive education by organizations (in our case universities) to ensure users are aware of
Proactively Preventing Potential Phishing at FSU 10

what a threat looks like, and awareness by the users to be aware when they are being

targeted by scammers by email or other digital platform.

Conclusion

In this new age of complex, ever-expanding digital crimes, it can be hard to keep up

with the times. Information theft crimes like phishing scams can come in the form of emails

from trusted sources, and they are capable of even fooling tech-savvy users. That is why the

researchers decided to break it down from the beginning, starting with the definition of

phishing scams themselves, followed by the effects these scams have on people, leading

into mitigation techniques, and finally finishing off on a more topical note, studies that

relate to our target population, college students. From the studies and literature discussed

here, it appears that while college students are more aware of phishing scams than average,

they might not necessarily recognize or be able to prevent falling for them as consistently as

one would hope. While there have been a respectable number of studies on phishing in

regard to college students, none have focused specifically on FSU undergraduate students,

and the intent was to use this study to satisfy that niche. The importance of this study only

grows with these unprecedented COVID-19 conditions, especially when Florida State

undergraduates are online more than ever before.

Methods

Data Collection Methods

The data collection method used for this project was a survey via Qualtrics. The

decision to do a survey was basically to get lots of data from a large number of people. The
Proactively Preventing Potential Phishing at FSU 11

answers to the research questions did not need full-on interviews to get the results needed

as the more answers we got the better our sample size was related to our population.

Population and Sample

The population for this project was undergraduate students currently attending FSU.

The sample taken was the 89 valid respondents who both confirmed that they are currently

FSU undergraduates and fully completed the survey.

Recruitment Site and Procedures

In order to guarantee that the responses were valid, FSU specific online resources

were used to recruit. These resources included FSU Class Facebook Pages, the FSU Reddit

community, and FSU club chat-rooms in places such as Discord and GroupMe. In addition to

these, the researchers personally contacted friends via social media and text and asked

them to take the survey. The researchers used these methods to both contact large

numbers of people, and to have a higher chance of them being FSU undergraduates.

Analysis

Sample Description (Demographics)

Based on our data analysis, 51 of our survey respondents were female and 38 were
male. Almost everyone who responded was between 17-25. Only two people were between
26-30. Every one of the 89 accepted survey responses are undergraduate students. Most of
the respondents were upperclassmen, with only 2 freshmen and 14 sophomores responding
as opposed to the 23 juniors and 50 seniors.

RQ 1: Do FSU undergraduate students know what a phishing scam is?

The first data collection question from the qualtrics survey does point to a majority

of the FSU Undergraduates knowing what a phishing scam is with the shown results below:
Proactively Preventing Potential Phishing at FSU 12

While this data alone can judge whether or not the FSU undergraduates know what

a phishing scam is, the surveyees were also questioned with the open question of how they

would define a phishing scam. While many respondents’ answers ranged differently the

most commonly brought up topic in answers to the open-ended question was “personal

information being stolen”. This falls in line with the first question’s responses in where

surveyees mostly had a general knowledge of what a phishing scam was. The surveyees

were also asked “Where have you learned about phishing scams before taking this survey”

to further flesh out a majority of the yeses from the first question. The results were pretty

majority self-learned but the other categories were also not too low themselves:
Proactively Preventing Potential Phishing at FSU 13

The last related survey question to the first research question asks the surveyees:

“What information do you believe is stolen when someone falls for a phishing scam?”. With

this being another open-ended question the results are varied but many of them mention

personal info again with the mention of credit cards, passwords, and SSNs being in the

majority..

RQ 2: How often are FSU undergraduate students online outside of school, potentially

putting them at risk of phishing attacks?

The first few survey questions related to this research question are on the topics of

which personal email they used, which internet browser they used, and how often they

checked their personal email. A majority of the respondents answered how often they check

their email was 1-3 times a day and the least was 1-3 a month. The majority for which

internet browser was used was Google Chrome with the least used being Microsoft Edge or

any other non-listed browser. Lastly, the majority of which non-school email provider they
Proactively Preventing Potential Phishing at FSU 14

used was Gmail with the least popular being AOL or other non-listed options. With these

answers in mind, it is good to know if the respondents are using the most up to date

browser and email providers over other less secure ones. With the amount of time spent

checking their email, it signifies how often they may be exposing themselves to possible

phishing scams and emails. The last question related to this research question was how

often the undergrads used the internet outside of school activities. The data showed that a

high majority of the respondents used the internet over 5 times a day:

With this now in mind, this shows that many of the undergrads are online a majority

of their outside of school time that could greatly increase their exposure to potential

hazardous or malicious intentions.

RQ 3: What steps are FSU undergraduate students taking to protect themselves from

phishing scams?

The first survey questions related to the research question deal with asking the

surveyees if they check their email spam folder, if they have an ad-blocker for their browser,
Proactively Preventing Potential Phishing at FSU 15

and if they have an anti-virus. The large majority of the respondents did not check their

email spam folder, the large majority did have an ad-block extension for their browser, and

the amount of people who owned an antivirus was actually very close with the ‘yes’

respondents at 43 and the ‘no respondents’ at 46:

The next related question asked the surveyees what they should do if they were to

click on a phishing scam link. Being an open-ended question, the results varied, but a lot of

the respondents did not know what they would do if they were to have fallen for one. A

majority of the respondents also said to “close out” of the link with a few of the

respondents mentioning to scan the computer with an antivirus or to report the email. Two

additional related survey questions had to do with a scale rating from 0 to 10 on how the

surveyees thought an antivirus did protect against phishing scams and how much global

effort was being put into expanding and spreading the knowledge of phishing scams. For

both questions, a high majority of the respondents had answered between 0-4 showing a

high lack of safety from an antivirus against phishing scams and the global effort being put

forward to spread awareness. Lastly, the surveyees were asked how many times they had
Proactively Preventing Potential Phishing at FSU 16

fallen for a phishing scam before. A high majority of the respondents had answered “never”

but there were still a good number of them that had fallen for some. A few over three

times:

Discussion

RQ 1: Do FSU undergraduate students know what a phishing scam is?

As observed in the analysis on this research question asking if people knew what a

phishing scam was, most of the people who chose to participate in this survey were found

to have at least a basic knowledge on what they are. Multiple points can be drawn from this

statement alone. Firstly, it shows, according to the sample, most young people possess at

least a minimal knowledge on internet security and basic cybersecurity as a whole. The

significance of this finding shows that most people have a solid concept on technology use

and can reliably know how to safely interact with it when it comes to online interactions.

Elaborating on this previous question, the survey respondents were asked to flesh

out and define what a phishing scam is in their own words. As stated in the analysis, most

responses relate to the loss of personal information. This shows that not only do a majority
Proactively Preventing Potential Phishing at FSU 17

of the FSU undergraduates know what a phishing scam is but also that they mainly

understand just what is at stake with phishing scams and attacks. The spread of information

on what the consequences may look like for such an attack have shown to be considered

and remembered by most.

The next survey question aligning with this research question asks about where they

learned about phishing scams. Most people showed that they were self-taught, but some

had also learned from other sources such as their job or the school or from elsewhere as

indicated by the “Other” option in the respective bar graph as found in the analysis. This

means that if most people do not learn about phishing from a young age, there are still

opportunities for people afterwards to be educated on this serious matter. The significance

of this stems a couple of ways. Firstly, it shows that previous efforts with the goal of

teaching and informing people about internet safety have proven to show some success. It

shows these programs should continue to operate while also making sure to reach and

influence those who might otherwise be overlooked as indicated by those who were not

aware of what a phishing scam was. Significance can also be found in how FSU is shown to

be making efforts to teach its students the importance of phishing and cybersecurity as a

whole when other institutions may not. As the study’s surveyees were FSU undergraduates,

it shows FSU provides opportunities for students to learn about these topics when they may

have not been able to before.

The last survey question in relation to this research question asks what people think

are stolen as a result of a phishing scam. Paralleling the second question in this discussion,

most people identified the loss of personal information such as credit card information or a

social security number. Again, it shows most people are wary of what consequences they

could face if they are the victim of one of these scams. The significance of this is seen in how
Proactively Preventing Potential Phishing at FSU 18

people are aware of bad outcomes in their involvement of something. This translates into

other realms of life, be it an adventurous yet dangerous activity or a seedy activity they

know they should not be doing.

RQ 2: How often are FSU undergraduate students online outside of school, potentially

putting them at risk of phishing attacks?

With most of our respondents checking their email at least once a day, usually

multiple times, we can healthily assume that there is some regular risk involved. When a

respondent checks their email, there is a chance that they will come across a phishing link.

With that being said, people who check their emails more often than not are probably more

tech-savvy, reducing the chance that they may fall for a phishing scam. The vast majority of

our respondents use Google’s Gmail service as their choice of email provider. Like most

modern email services, Gmail has a powerful spam filter that should catch most fraudulent

emails. Similarly, a very large amount of respondents use Google Chrome as their preferred

browser choice, with Apple’s Safari trailing behind as a faraway second option. This is a

positive trend, as research done by the University of Gujrat shows that “Google Chrome

provides best security against phishing than other web browsers.” (Ashraf et al., 2013).

While the tools Chrome provides are not flawless, they are better than having no tools at all.

Finally, with well over half of the respondents using the internet recreationally over 5 times

a day, it seems like FSU’s undergraduate students are putting themselves in potentially risky

situations often. While their use of the internet is not in itself harmful, it is easier to

encounter an attack if you are in that environment more often than not. This information is

significant to the study because it shows that FSU undergraduate students are online very

frequently outside of school, which as stated before, can lead to increased exposure.
Proactively Preventing Potential Phishing at FSU 19

RQ 3: What steps are FSU undergraduate students taking to protect themselves from

phishing scams?

The first three survey questions relating to this research question, questions ten,

twelve, and fifteen, were bundled together in the analysis and asked respectively if the

respondent checked the spam filter on their email, used an ad-blocker, and used an anti-

virus. As found, most people did not check their spam filter, most used an ad-blocker, and a

nearly even split was found for the use of an anti-virus, with slightly more people opting not

to use one. There are some interesting interpretations that come out of this. These results

show that most people will take at least minimal protection against potential scams by

utilizing an ad-blocker and eliminating engagement with potential scam-mail that end up in

their spam filter. However, the interaction with the spam filter has a caveat in that people

that do not check their spam filter run the risk of allowing scam email addresses from going

undetected and unreported, thus letting its respective scammer continue their dirty work.

Also, the findings show that some people believe they are safe as they are and do not need

the additional protection of an anti-virus. The significance of this reflects the attitude of

some people who believe that their actions and doings are justified and fine until they

themselves are affected in which it may then be too late to resolve anything. This attitude

can be paralleled to the current global epidemic so prevalent this past year, with some not

taking the proper attitude and precautions because they only feel safe and do not actually

know if they are safe.

The next survey question asked what one were to do if they hypothetically fell for a

phishing scam by clicking a link. The responses for this question varied and demonstrated

the broad spectrum of the respondents. Aside from those who said they had no idea, some
Proactively Preventing Potential Phishing at FSU 20

said they would merely close the link, while others took it a step further and said they would

scan their computer with an anti-virus or even report the email the link came from. This

signifies a few things. Firstly, it shows there are some who do what to do assuming the

worst happens. These respondents acknowledge that they are not perfect and that they

must rely on what they can to best resolve the issue. In addition, there are those who either

did not know what they would do or thought it could be resolved with a simple and easy

answer. The significance here is that some respondents could potentially be deceiving

themselves about what they do and do not know about cybersecurity. Also, it reflects the

nature seen in some to want to distance themselves from technology when faced with

something seemingly insurmountable or too much to handle. More awareness should be

brought on how such issues are not as intimidating as they seem and that it is not the end of

the world if something like this were to happen.

The next two survey questions related to this research question were combined in

the analysis, asking respectively to rate from 0-10, with 0 being low and 10 being high, how

much they trusted an anti-virus and on the same scale how well they thought awareness

and information of phishing scams was being spread. Most respondents rated both of these

questions anywhere from 0 to 4. This shows people both do not have high trust for anti-

viruses and they do not think the information about these scams is being spread enough.

Comparing the latter survey to a previous survey question about where they heard about

phishing scams, the results seem to positively correlate with each other, with most people

having been self-taught about this matter. One significant note to pull from these results is

found in the respondents’ general distrust of an anti-virus. This could stem either from some

respondents’ knowledge that an anti-virus cannot protect one from all the malicious scams

that are out there, or for some, it could be an overall lack of knowledge about an anti-virus,
Proactively Preventing Potential Phishing at FSU 21

thereby making those people distrust it. Another significant factor is how generally

pessimistic people are about the spread of information on phishing. With some efforts going

about to help people become aware of such issues, it seems they did not reach as far as

such campaigns were hoping according to these respondents. Therefore, it shows that more

effort and resources should be pumped in to make more people aware of this pressing

issue.

The last survey question relating to this research question asked if the respondents

have ever knowingly fallen for a phishing scam. Thankfully, most people say they never

have. However, there were some saying they had once before, or even for some a few

times. Overall, this shows phishing scams have not been super impactful on FSU

undergraduates nor have they been as prevalent among them. The significance of this is

seen in how these people acknowledge the high risk involved in dealing with these scams,

yet they mostly feel safe in that they have so far not been affected.

Limitations/Future Study

The main limitations encountered in this project were a lack of respondents, a lack of

variety in respondents, and a lack of effort on the respondents part. While the initial

assumption was that we had 113 responses, the researchers quickly realized that that

amount was inaccurate, as some respondents were not confirmed to be FSU

undergraduates, and others only completed a few of the survey questions. Another issue is

that we received large numbers of respondents from only a few sources, such as the

students in LIS3201. This made our results less general, and maybe a less accurate picture of

the average FSU undergrad. If a future study were to occur, a much larger sample size and a

more diverse sample pool would be ideal. In addition, it would help if more complete
Proactively Preventing Potential Phishing at FSU 22

answers and higher levels of effort overall were put into the short answer questions than

what we received.

Conclusion

Based on the data collected, most FSU undergraduate students are aware of

phishing to varying degrees, but can still fall for phishing scams at a decent rate. With the

fact that almost every valid respondent uses the internet for recreational purposes at least

once a day, a good portion of the respondents have not taken full preventative measures

such as installing an adblocker, using antivirus software, and monitoring spam emails.

Another notable statistic is that less than 20% of respondents learned about phishing

through official university channels. After analyzing and discussing the collected data, the

researchers would make a final recommendation of increased action from both FSU

undergraduate students and the institution itself. FSU undergraduate students would

benefit greatly from utilizing preventative resources to steer them away from potential

phishing attacks, such as FSU’s Spam and Virus Email Filtering service. FSU itself might

consider expanding phishing education initiatives and “staging real-world phishing attacks”

like many companies have done (Musuva et al., 2019). Through making changes such as

these, and by continuing to responsibly utilize technology during a time in which online

learning is more prevalent than ever before, both students and the institution can feel safer,

more secure, and keep themselves away from cyberattacks. Ultimately, while both the

university and its undergraduate students have work to do, a promising start has been made

in curbing phishing attacks at FSU.

Reflections
Proactively Preventing Potential Phishing at FSU 23

Christopher Link: Throughout the duration of the semester, I have learned how the research

process builds upon itself to create a cohesive final project. Each week had us increase the

scale of our work, going from picking the team name to creating this humongous document.

I’d say the biggest challenge that I faced was that the work was entirely online. Not being

able to meet up with the group in person was difficult for my workflow; because I function

best when I have a group of people all bouncing ideas off each other and keep each other in

focus. Combine the online with my growing academic burnout, and you have a pretty sizable

motivation problem to overcome. Luckily, the group all participated, got along, and

communicated well. The biggest blessing was that everyone would come together and work

harder when a group member had an off week. Another challenge that I faced was that it

felt like we had an endless deluge of work. Even as I write this, I’m staring at nine pages

above me that need to be completed in less than five days. I have no research experience

outside of this class, so I’m not sure whether the workload accurately reflects the real-world

research experience, but if it does, I’m so sorry. Learning about just how much work is

involved in even a relatively small research progress like ours was very enlightening, and it

gave me much more respect for career researchers. Ultimately, this semester of research

gave me a new perspective on how the research process works, and how important it is to

have a quality team on your side.

Jacob Carleton: This class was my first time dealing with a research project of this level. I got

to improve on many skills throughout the semester due to working on assignments step by

step, then at the end putting them all together to finish our research project. I definitely

noticed an improvement in the way I think about different questions, for example between

open ended questions and closed ended questions. I know myself and the majority of my
Proactively Preventing Potential Phishing at FSU 24

classmates will agree that the biggest challenge this semester has to be covid-19. This was

my first semester off at college and living on my own, so it was a big step up from my

previous 2 years at my local state college. Since we had to do all of our group work online

this created a few challenges by itself. Thankfully my group was very organized, and we used

our class time very well and always completed assignments early! I also did not have a single

teammate slack off or rely on someone else. I think at certain times during the semester the

workload for this class got overwhelming with multiple assignments due during the week on

top of my other 4 classes, other than that I think I learned a lot from this course and have a

better understanding on how to conduct research on topics of my interest. All in all, I think

people underestimate how covid-19 affects our mental health, since we are living in an

endless cycle of zoom classes and staying inside 24/7. At the end of the day I think this class

provided me with necessary information for the future of my career.

Jacob Barksdale: From this semester I have learned that data collection is a very thorough

process if done correctly. One of the largest achievements that myself and my group mates

have gone over, is that we were able to conduct a full research project together, over the

internet. Many people this semester have experienced a similar scenario but that is huge

because of the fact that we didn't even have to be there in person. The main challenge from

this course that i faced was understanding the data that was coming through. From class

meetings I was able to figure it out. Our group always came together and finished

assignments early without any slack. I have learned that anything can be done over Zoom or

Blackboard. This course will benefit everyone in the future since we all have an

understanding on how to correctly conduct research projects now.

Proactively Preventing Potential Phishing at FSU 25

It was really interesting to see how our research unveiled and built up throughout the

semester. This project really helped visualize what it takes for an assignment like this. One

issue we had for a little was the amount of recipients for the survey we received. Over time

that was corrected. This class did have many assignments however that took a lot of effort

from the entire team. Although there were many projects, we made it to the end and I am

happy to be writing on the final report. This team was the best group. This class will benefit

myself and my career and the future.

Sebastian Angel-Riano: In the Information, Communication, and Technology Major, you

quickly get used to working as a team. Collaboration is a must in this field, since “going it

alone” is usually inefficient and difficult. The novelty in this class was collaboration across

Zoom and Discord for a class. That, and the piles of work that came with LIS 3201. Truth be

told, I’ve never taken a class quite like this one. In brief, I now have a newfound

appreciation for all those surveys you see plastered around campus. This stuff is hard. The

groundwork that goes into a research project has to be very thorough, as I learned in the

ample time between choosing our topic and even working on questions for the survey. I did

appreciate how most of the class was “on rails;” meaning that there were regular

checkpoints on our work to ensure we were keeping pace. At this point I’d like to

particularly acknowledge the work of both Chris Link and Grayson Martin. All members of

this project were involved, but these two guys were our field generals. They were the tip of

the spear, ensuring that things were up to the standard that was expected for the class.

With those two at the helm, we were able to weather the storm of discussions,

environmental scans, and RQ revisions. For most of us, myself included, this is our first

attempt at a research project of this scale, and it was quite the undertaking. I am grateful
Proactively Preventing Potential Phishing at FSU 26

that I had the opportunity to work on a project of this scale, and for the effort our team put

into it.

Grayson Martin: With this being my first real research class, it taught me quite a bit about

the fundamentals and necessities needed when doing extensive research on a specific topic.

It quickly got me back up to speed on how to work with APA referencing, how to use the

software Zotero, and even allowed me to get some experience and exposure on Qualtrics.

All of these gained and improved skills and knowledge will definitely help me down the line

with a potential job or career opportunity. The main challenges I faced during this class was

attempting to make sure every assignment was turned in on time. With the added pressure

of the group work almost every week, the solo assignments, mixed with other classwork,

was a lot of time management and making sure everything and everyone was satisfied for

the week. Thankfully, I was assigned to a great team and we were able to easily get a lot of

the assignments done before the weekend and we each did our part for it either speaking it

out to the group or typing it down on the pages. I did have quite a bit of trouble getting back

into APA referencing especially with the release of the 7th edition making me have to

readjust to how it used to be formatted. Thankfully though, I was able to get a better grasp

on it as the semester progressed and was able to use some outside resources to better

further my skills and knowledge on the subject.

Joshua Petree: This is the first class that I have taken within the Information Technology

major that has involved heavy research and has impacted the way that I will now approach

projects. Although this is not the first class within my major that I have taken that has

involved a good amount of teamwork and coordination, this class has helped to emphasize
Proactively Preventing Potential Phishing at FSU 27

it and has taught me the values of such things and what they could look like in a workplace

environment. Interestingly enough, I believe this class more than any other has taught me

how important it is to have the format of a report down and how to properly deal with

citations within said reports. In turn, those factors were the cause of some of the challenges

that I would have to personally face in this class. For one, it is no easy task to be able to

create citations that are perfect and to a tee, yet that was an expectation in this class. Being

an undoubtedly useful skill, it took time and effort to try to perfect these citations to the

best of my abilities. In addition, another challenge that would be difficult to overcome

would be learning how to utilize new things for this class. A prime example of this would be

the implementation of the citation-software Zotero, which neither me nor anyone else in

my group seemed to have prior experience in. However, with dedication and effort, we

came around and figured it out. Overall, this class has taught me how to overcome

seemingly hard obstacles, and it is a breath of fresh air to be able to come out on the other

side and say that I was able to overcome.

1 paragraph stating what you learned, what challenges and issues you faced, how you

handled and managed them, etc. Minimum of 250 words per person.
Proactively Preventing Potential Phishing at FSU 28

References

Australian Competition and Consumer Commission. (2018, January 4). Phishing.

https://www.scamwatch.gov.au/types-of-scams/attempts-to-gain-your-personal-

information/phishing

Ashraf, I., Mazher, N., & Altaf, A. (2013, December 14). Which web browser work best

for detecting phishing. Proc. of Information & Communication Technologies

Conference. https://doi.org/10.1109/ICICT.2013.6732784

Chen, R., Gaia, J., & Rao, H. R. (2020). An examination of the effect of recent phishing

encounters on phishing susceptibility. Decision Support Systems, 133, 113287.

https://doi.org/10.1016/j.dss.2020.113287

Das, A., Baki, S., El Aassal, A., Verma, R., & Dunbar, A. (2020). SoK: A comprehensive

reexamination of phishing research from the security perspective . IEEE

Communications Surveys & Tutorials, 22(1), 671–708. https://doi-

org/10.1109/COMST.2019.2957750

Das, S., Kim, A., Tingle, Z., & Nippert-Eng, C. (2020). All about phishing exploring user

research through a systematic literature review. Indiana University Bloomington,

10. https://arxiv.org/abs/1908.05897

Fatima, R., Yasin, A., Liu, L., & Wang, J. (2019). How persuasive is a phishing email? A

phishing game for phishing awareness. Journal of Computer Security, 27(6), 581–

612. https://doi-org/10.3233/JCS-181253
Proactively Preventing Potential Phishing at FSU 29

Federal Trade Commission (May 2019). How to recognize and avoid phishing

scams. https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-

scams

Florida State University Information Technology Services (n.d). Phishing.

https://its.fsu.edu/ispo/training/phishing

Jensen, M. L., Dinger, M., Wright, R. T., & Thatcher, J. B. (2017). Training to mitigate

phishing attacks using mindfulness techniques. Journal of Management

Information Systems, 34(2), 597–626.

https://doi.org/10.1080/07421222.2017.1334499

Musuva, P. M. W., Chepken, C. K., & Getao, K. W. (2019). A naturalistic methodology

for assessing susceptibility to social engineering through phishing. African Journal

of Information Systems, 11(3), 157–182.

https://digitalcommons.kennesaw.edu/ajis/vol11/iss3/2/

Nguyen, C. (2018). Learning not to take the bait: an examination of training methods

and overlearning on phishing susceptibility. [Unpublished master’s thesis].

University of Oklahoma. https://shareok.org/handle/11244/299684

University of Minnesota Information Technology. (2020). Phishing | IT@UMN.

University of Minnesota. https://it.umn.edu/phishing

Proactively Preventing Potential Phishing at FSU 30

Consent Form

 In the table below, list what contributions each of the team members made to this
assignment.

Name Contribution

Christopher Link Abstract, Corrections, Formatting, Methods,

Reflections, Limitations/Future Studies, References,
Discussion

Sebastian Angel-Riano Conclusion, formatting, and Reflections

Jacob Barksdale Reflections & Revisions

Jacob Carleton Reflections & Revisions

Grayson Martin Analysis, Formatting, Reflections, Revisions, and

Visualisations

Joshua Petree Discussion, Reflections, and Proofreading

Proactively Preventing Potential Phishing at FSU 31

Criteria Rating
Abstract, Problem Statement, Significance, RQs: 11 points
Appropriate abstract, problem statement, significance, and RQs (4 pts), in-
text citations for all arguments (4 pts); revisions from research project report
(3 pts)
Environmental Scan: 10 points
Appropriate intro, subsections, and conclusion (3 pts), in-text citations for all
arguments (4 pts), revisions from research project report (3 pts)
Methods: 9 points
Finalized data collection method(s) (2pts), sampling technique(s) (2pts), and
recruitment process (2 pts), revisions from research project report (3 pts)
Analysis: 19 points
Sample description (2 pts); complete QUAL and QUAN findings for each
research question (8 pts); include data/stats/quotes, analysis, and relate
findings to RQ answers (6 pts), visualizations (3 pts)
Discussion: 18 points
Summarize findings for all RQs (3 pts), provide interpretations/discussions
for all RQs (12 pts), comparison/contrast with previous studies and citation
needed (3 pts)
Limitations/Future Studies: 6 points
Limitations (include generalizability issues discussion) (3 pts), future studies
(3 pts)
Conclusion: 5 points
Restate and highlight core findings (5 pts)
Reflection: 10 points (Individual)
Reflection by team members (10 pts each)
File Name, APA Style, Consent Form: 12 points
File name (1 pt), proper citations and references (8 pts), match between
reference list and citations, (2 pts), consent form (1 pt)