Uni-phishing test based on fake Ebola fear leads to apology • The Register

Students at the University of California Santa Cruz (UCSC) will be relieved to learn that an email warning about a staff member infected with the Ebola virus was just a phishing exercise.

The message, titled “Emergency Alert: Ebola Virus Case on Campus,” was sent to the university community on Sunday, August 18. It began: “We regret to inform you that a member of our staff, who recently returned from South Africa, has tested positive for the Ebola Virus.”

The message went on to say that the university had initiated a contact tracing protocol and asked recipients to “log in to the access information page for more information.” Prompting recipients to log in is exactly the action phishing messages try to encourage in order to obtain login credentials.

The simulated attack resembled a real phishing message sent on August 1, 2024, as seen in the UCSC Phish Bowl, a collection of real and tested phishing attempts.

But the email sent on Sunday was intended to raise awareness about phishing rather than to actually steal information.

It worked. The message prompted the UCSC Student Health Center to publish a notice about a “Phishing email with misleading health information.”

On Monday, UCSC Chief Information Security Officer Brian Hall sent an apology to the university community.

“The content of the email was false and inappropriate, as it caused unnecessary panic and potentially undermined trust in public health messages,” his letter said. “We sincerely apologize for this omission.”

“Simulated phishing training emails are intended to help people recognize and avoid real phishing attempts, ultimately strengthening our overall security. However, we realize that the subject matter chosen for this simulation raised concerns and inadvertently spread malicious information about South Africa.”

The last reported Ebola infection in South Africa occurred in 1996, according to the U.S. Centers for Disease Control and Prevention. In 2014, during what became known as the West African Ebola outbreak, 11 people were treated for Ebola in the U.S., most of whom had been medically evacuated from other countries. Two U.S. nurses contracted the disease while treating other patients, and both recovered.

“UC Santa Cruz is committed to protecting students, faculty and staff from malicious emails and other online threats,” Assistant Vice Chancellor Scott Hernandez-Jason said in an email to The Register. “In addition to regular cybersecurity training for our employees, our campus periodically conducts simulated phishing campaigns to remind faculty and staff how to recognize and respond to suspicious emails.

“The email was sent to students, faculty, and staff, and after it was sent, we identified several concerns about the content of the message. As we shared with our campus community, we are working to prevent this from happening again.”

In a blog post last year, cybersecurity researcher Marcus Hutchins advised caution when simulating phishing attacks. “Phishing simulations run a high risk of creating distrust and friction between your employees and the security team,” he wrote.

A few months ago, Google security engineer Matt Linton made a similar point, arguing that “the information security industry should focus on training that places less emphasis on surprise and trickery and instead prioritizes precise training on what we want employees to do the moment they see a phishing email — with a specific focus on recognizing and reporting the phishing threat.” ®