The March phishing simulation results are in

On March 27, the university’s Information Security and Compliance Team conducted their semi-annual phishing test. The subject of the email, “Important notice regarding your recent tax filing,” encouraged employees to click a link to verify missing or incorrect information on their University of Manitoba T4 tax information.

The message included common indicators of a phishing email: misspellings, grammatical errors, no UM branding, and an incorrect domain name in the URL – “maniloba.ca” instead of “manitoba.ca.”

So how did we do?

The message was sent to 6789 staff and faculty in the university.

• 50.6% of recipients opened the message.
• 7.6% of recipients clicked on the link.
• 3.7% of recipients entered their password.
• 453 recipients reported the message to spam [at] umanitoba [dot] ca.
• 225 recipients called the IST Service Desk to report the message.

The numbers are not significantly different from our last phishing test in October 2022. UM staff and faculty have shown that, while some improvements could be made, our ability to identify a possible scam has not decreased. If this were a report card, we would be in the range of a solid B+.

The university runs phishing simulations at least twice a year to build awareness, measure responses to the most common scams, and help our staff reflect on and recognize triggers that are commonly exploited. For example, were you feeling rushed when you read it, or was there an enticing reward at the other end of that link or button?

According to Campus Technology, the education sector accounted for 7.3% of cybersecurity incidents across industries in 2022, which was an increase from 2.8% in 2021. The outlook on bad actors using social engineering and spear phishing to trick us into giving them our personal information is getting worse every year.

Remember, information security starts with all of us. Next time let’s get to that A.

IST Communications