An email from Southern Oregon University meant to remind staff to watch out for scams inadvertently put Medford police on guard.
On Thursday, SOU's information technology department sent out a message to 143 faculty and staff purporting to be from Medford police, according to a release issued by the agency and university spokesman Joe Mosley.
The spoof email used the city of Medford’s “seal” logo as a header, and appeared to come from a “Traffic Camera Violations” Medford email address, with instructions to settle the made-up violation by clicking a link.
“Oops! You clicked on a simulated phishing test,” a bright orange message with SOU’s logo says inside the link, according to a screenshot provided by Mosley.
Mosley said he fell for the message and got the pop-up, saying it “looked very authentic.”
“It was one of those gotcha moments,” Mosley said.
Many of the recipients didn’t click the link, however, and instead contacted police. By Friday morning, at least one Medford police staff member sent an alert message about “the latest scam involving the City of Medford.”
“Municipal court received many calls yesterday about the issue and the IT Department is working on it as we speak,” the morning alert message sent out just after 9 a.m. says.
By 11 a.m., Medford police issued an official alert saying they determined that the email came from the university’s IT department. Police instruct recipients to disregard and delete the spoof message.
A message to the Medford police sergeant on the case was not immediately returned Friday.
Including the 143 messages that looked like they came from Medford police, the university has sent out more than 1,000 spoof emails in seven examples over the past week, according to Mosley. Other spoof messages looked like they came from local businesses.
“Some of them were trickier than others,” Mosley said.
The messages went out without warning.
“The purpose of the first round was to demonstrate how easy it is to get tricked,” Mosley said, adding that IT wanted to get a sense of how many on campus were “careful about the emails they receive.”
The university will sporadically send more sample phishing messages, Mosley said, but future emails will include a heads up that the messages are coming.
Mosley said that the campaign was not directly in response to the summer 2017 phishing scam in which an the university wired an entire $1.9 million construction payment to scammers . Only about a third of that loss was ever recovered.
“It is generally to raise awareness about potential dangers of phishing emails,” Mosley said.