Simulated Phishing

Overview

In order to promote cybersecurity awareness and educate campus members on how to stay safe from phishing attacks, campus members will periodically receive simulated phishing messages. These emails are crafted to look like real phishing attempts. Although they may contain links or attachments, these are harmless: the simulated phishing program is designed to offer a safe practice environment for campus members. These exercises provide hands-on opportunities to practice identifying, responding to, and protecting yourself from social engineering scams.

Treat these emails as you would any other phishing email. If you report the email to Technology Services using the Phish Alert Button, you will receive immediate feedback that you correctly identified the simulated phishing attempt. If you take a risky action such as clicking a link, entering credentials, replying with information, or opening an attachment, you may be directed to a page that points out which indicators in the message are common red flags, so that you can better detect phishing in the future. Additional training may be offered to those most at risk of phishing attacks.

What to Expect

How often will I receive simulated phishing?

Campus members can expect to receive simulated phishing messages no more than twice per quarter. Generally, quarterly simulated phishing will occur during the months of January, April, July, and October. Advantages of regular training include incorporation of current trends and tactics as well as building resilience from repeated practice.

During Cybersecurity Awareness Month, campus members may receive additional messages as part of the education initiative.

What do I do when I receive a simulated phishing email?

Treat it like any other phishing email. If you know it is phishing, use the Phish Alert Button to report it. If you are not sure, you can ask about its legitimacy or delete it.

What happens if I enter information on the simulated phishing page?

It should be extremely clear whether the page on which you entered information or credentials was part of a simulated phishing campaign. If you submitted information, you will be redirected to a page stating that it was part of a simulated phishing campaign. Since these simulated phishing messages are not malicious, entering your credentials on a simulated phishing page does not create the same risk to the university as it would in a real phishing attempt. Your credentials are not collected.

IMPORTANT - If the site was not part of a simulated phishing campaign and you entered credentials, your account could be compromised. Please change your password and immediately call the Service Desk at 253-879-8585.

Will I receive additional training?

Based on the results of simulated phishing, those most at risk of phishing attacks may be offered additional educational materials. Training is offered through KnowBe4 with short videos and interactive content. We ask that you complete the brief training modules, as they will help you protect against phishing and other social engineering attacks. The email will come from do-not-reply@training.knowbe4.com.

Why is Technology Services running simulated phishing campaigns?

As phishing attacks designed to steal financial data and hijack social media accounts are increasingly prevalent, it is critical to combat them through education and vigilance. You are the first line of defense. Industry research demonstrates that internal simulated phishing programs can help raise information security awareness, which is important for all students, faculty, and staff.

Similar to lockdown drills to practice emergency response procedures for physical safety, simulated phishing trains users on how to detect and respond to phishing in order to combat real threats when they occur. Being able to accurately identify phishing and take appropriate action will reduce the likelihood of detrimental consequences - such as account takeover, ransomware, or data breaches - from occurring.

Information Sharing

What information is being collected?

Actions taken in response to a simulated phishing email will be collected. Examples of such actions include: reported via the Phish Alert Button, opened the email, clicked a link, entered credentials on the phishing page. If additional training is provided through the KnowBe4 platform, completion progress will be noted.

Collecting metrics will better help Technology Services understand risk and guide future information security awareness initiatives.

Will individual results of simulated phishing be shared?

No! At times, aggregate de-identified data may be used to provide reporting on risk. However, individual results will not be shared since the purpose of simulated phishing is educational. Only the Information Security team and select staff members in Technology Services responsible for managing the platform will be able to view results.

More resources

Contact the Information Security team
If you have additional questions or concerns, you may reach out to the Information Security team directly by emailing ts_infosec@pugetsound.edu.

Details

Article ID: 9221
Created
Mon 7/1/24 12:12 PM
Modified
Mon 7/1/24 12:46 PM
