In the old days, phish spam was generally pretty crude and generally easily recognized. A lot of it still is, but we're increasingly seeing some pretty sophisticated and targeted phish spam. Some of the latest phish spam we've seen uses essentially exact duplicates of university web pages and authentication dialogs, and has relatively convincing pitches in the email to get people to click on the links. To me, this is scary and goes well beyond assuming we can be phished, as I did in 2019. In 2019, I thought that an alert person might still have a reasonable chance. Now, I think that all that's between us and a significant scale compromise is that attackers aren't that committed yet (and whatever multi-factor authentication has propagated to our user population).

The university has it somewhat worse than companies do, in that our "internal" information really isn't. Since we have a large and and varied user population and almost all of our internal services websites are public, there's very little information on how the university sends out email notifications about things and what our internal websites look like that couldn't be found by a dedicated attacker. With that information in hand, the attacker could put together a basically letter-perfect fake.

(There are some technical measures the university has adopted to try to make such fake emails more obvious, but the only real mitigation is multi-factor authentication, which itself has assorted limitations.)

In light of all of this, one of the things I wonder is how long people will continue using email to deliver high-sensitivity information. One thing that has to be attractive to the university is moving to delivering all notifications about things like payroll, benefits, vacation planning, and so on (basically anything that would actively prompt people to log in) over a communication method that simply doesn't allow outsiders to send messages in.

(This is especially the case because the university already has access to such a communication method and is encouraging staff and faculty to adopt it for general use. I'm not naming the services involved because it's provided by a large commercial organization that doesn't need free publicity.)