On May 27th, we sent a phishing simulation email to UVA faculty and staff. The goal of this exercise was to help you better identify phishing messages by providing a hands-on simulation (and subsequent training).
Below is additional information about this specific exercise, including the overall results as wel as information about what to do when you receive a phishing message and options for additional information and training.
The Exercise
The message chosen was one that we had seen bad guys use. The following graphic shows the message and the "red flags" that could have been used to check its validity.
Out of the 10,033 emails sent May 27: 19.8% clicked the link and 7.7% entered their credentials (that’s over 770 faculty and staff)!
Last Fall’s (2020) phishing simulation showed much better phishing recognition. Only 5.3% clicked the link and 2.9% entered their credentials.
What to do
If you receive an email that you think is suspicious forward it to [email protected] or check our Security Alerts & Warnings webpage to see if it has been reported. (However, just because it’s not there, does NOT mean it’s not phishing.)
600+ who reported the simulated phishing email to [email protected]. We would like to thank you!
Never assume someone has already reported it or fear that you might be wrong in identifying a phish. A duplicate report is better than no report.
Getting more information
We want to help you improve your recognition of phishing. Start by visiting: https://security.virginia.edu/what-is-phishing.
We also offer fun, informative activities such as our virtual escape room as a great team-building experience where you learn more about cybersecurity.
If you have an idea of what you want for training, we would love to hear it. We would be happy to discuss them with you. Email us at [email protected].