Phishing simulation exercises are like fire drills for cyber security. Over the last few years IT Services has begun sending out fake emails to the McGill community, designed to pique your interest or raise an emotional response, tempting you to click on a link and divulge your McGill credentials, exactly the way real cybercriminals design their fraudulent phishing emails.
These types of exercises are conducted in many institutions, both private and public, with the objective of improving our collective cyber security resiliency.
Why we conduct phishing simulations:
- Practice - As the McGill community becomes more skilled at identifying basic phishing attacks, we will also heighten our awareness to respond appropriately to the more sophisticated phishing attempts that cyber attackers are continually developing.
- Reflection and learning - This is an opportunity to reflect and recognize the triggers that are commonly exploited: Are we in a rush at the time of reading the email? Does the email use a tone of urgency, or entice us by promising rewards?
- Government mandate - McGill's executive leadership team sponsors this initiative, and governmental directives mandate that such exercises be conducted regularly for all our user community.
- Gauge our need to reinforce training - By targeting large samples of users during these cybersecurity awareness campaigns, our Information Security team can obtain data to gauge the effectiveness of our cybersecurity awareness initiatives and improve phishing detection and reporting skills across the McGill community.
- Cybersecurity learning extends beyond the university - Learning to spot and report phishing emails is not only useful for protecting your McGill IT assets; it is also a skill that applies in daily life, as cyber attackers also target individuals and their personal data.
Results from recent simulation exercise (November 2021)
In November, McGill conducted a phishing simulation exercise with academic and administrative staff members. It contained a fraudulent link, supposedly to a shared document, which required the recipient to sign in to access it. Out of the 12,000 recipients, approximately 8% clicked the link, and 3% of them proceeded to enter their McGill credentials on the resulting login page. Approximately 3% reported the email as potential phishing by calling the IT Service Desk or via phishing [at] mcgill.ca (the recommended action when you receive a suspicious email).
On a positive note, we observed improved security awareness within the McGill community since the previous campaign, launched in June 2021. This time, 8% fewer recipients clicked the link, and the number of those who submitted credentials decreased by 9.5%. Perhaps the most encouraging takeaway is that more people realized they had clicked on a bad link: the number of “clickers” who then went on to submit their credentials fell by 40%. We hope to continue this trend of improving security awareness by continuing to provide the community with these practical exercises.
There are clear benefits to running phishing simulation campaigns to build awareness and improve the university's response. However, we are continually learning and assessing our impact on the McGill community, and we will be adjusting our approach for future simulations as a result of your feedback.
Are phishing simulations ethical? Yes, but they should heed the existing organizational culture and circumstances. On the one hand, to be effective as training exercises, simulations should mimic real-life phishing as closely as possible. On the other, although cybercriminals have no moral filter when devising their deceptions, in designing simulations we must be mindful of recipients’ feelings and not use scenarios that prey on their anxieties.
Your feedback
Let us know how you feel about our simulated phishing exercises.
IT Services would like to close by reminding you that cybersafety is a journey that each of us embarks on while traveling within our broader McGill journey as student, researcher, academic or staff.