Montclair State University (BACKGROUND PHOTO BY ADAM ANIK FOR MONTCLAIR LOCAL)

By ERIN ROLL
roll@montclairlocal.news

When Montclair State University sent its staff a phone phishing email this week — to see how many would fall for the same techniques real scammers use — it made an enticing offer.

It was also an insensitive one, according to the union representing faculty, librarians, teaching staff and specialists.

“You are now eligible to book your appointment to receive the COVID-19 Vaccine,” the email sent Tuesday, March 16, read. “Please use the following link to book your appointment.”

Of course, the email didn’t actually lead to sign-ups. New Jersey has opened up vaccination eligibility to public and private school teachers, but not yet to college faculty, though some faculty members may be eligible because of their age, medical conditions or other factors. 

SAVE MONTCLAIR LOCAL: We're overjoyed to report we've hit our fundraising goal of $230,000 this quarter for Montclair Local Nonprofit News! Montclair has stepped up to say local news matters, and we're hugely grateful. That gives our newsroom, your newsroom, security to operate well into 2022 while we continue to work toward long-term sustainability. We've seen what happens when news operations cut back or shut down. Communities suffer. We've seen it here in Montclair, and we believe you deserve better.

Visit MontclairLocal.news/donations to make your tax-deductible contribution today, to keep Montclair Local strong and help us do even more to serve the amazing community of Montclair.

“Nobody was happy about it, and it shows how desperate people are [to get the vaccine],” Bill Sullivan, the vice president for external outreach for American Federation of Teachers Local 1904. said. “They feel like their emotions were preyed upon. This was really clawing at people’s deepest emotions.” 

The email appeared to come from “Appointment Booker,” with the address “noreply@appointment-booker.com. Its subject line: “COVID-19 Vaccine – Book Appointment.” 

Each email contained the recipient’s name and what appeared to be a unique ID number. The supposed link to a vaccination portal actually went to a URL at phish.farm (hovering over it in most email programs shows the destination). 

On March 17, Candy Fleming, the university’s vice president for information technology, sent a follow-up email explaining that the email was a phishing experiment. 

“Yesterday we sent out a message that pretended to offer a link to book a COVID vaccine appointment. I know this is a sensitive subject, but we did this because the ‘bad guys’ are using COVID-related messages similar to this one in an attempt to trick you into downloading malicious software or giving away confidential information, and we want you to keep your guard up,” she wrote to the faculty and staff. “Phishing attempts have risen 220% during the COVID pandemic, according to the notable security company F5.”

The follow-up also said 62% of the employees who opened the email didn’t click on the link. Anyone who did got a message informing them it was a test.

Sullivan said the subsequent email from Fleming arrived as the union was having a meeting that day, with about 300 people in attendance. So it was by the time of the meeting that most people became aware that it was a phishing experiment, he said. 

Sullivan said the attendees used terms such as “cruel,” “inhuman,” “hurtful,” and “unprofessional” to describe the experiment. “Nobody said, ‘Oh, this is a good experiment.”

He said it is known that the university conducts phishing experiments from time to time, “but this topic is so close to home.

Fleming said that 62 percent of the people who received the email did not click on the link. 

The follow-up email stressed best practices for avoiding scam messages, and urged eligible university employees to make vaccine appointments through Essex County’s portal or another legitimate other authority, or to sign up for a text alert system that notifies MSU employees when they may make vaccine appointments.

“I apologize if yesterday’s training message caused any confusion, and I encourage you to register to receive your COVID vaccine through Essex County or another trusted source,” Fleming said. 

Sullivan said he believed that many of the people who did click on the link were people who were eligible for the vaccine, and were in high-risk categories. In his own family, he said, his sister had been experiencing great difficulty in getting an appointment for a vaccine, until he was able to connect her with a volunteer service that was able to find and make an appointment.

University spokesman  Andrew Mees described the phony phishing email as an “an intentional decision by the University’s IT department as part of its ongoing cyber security training efforts.”

“Sending fake phishing emails is a best practice in cybersecurity training,” he told Montclair Local. “Criminals are currently using this exact tactic — presenting opportunities for vaccine appointments — to commit crimes and steal your data.”

He said the university’s tests always mirror tactics being usedby criminals. 

Sullivan said Rich Wolson, the AFT’s president, complained about the matter to the university’s vice president of human resources.

“It’s just another lack of trust in the administration by our membership, over the many things that have been done over the last period,” he said.