The results of October’s phishing simulation are in!
Cyber Security Month 2021 showed a marked improvement in our ability to recognize a phishy message
During the week of October 25, 2021, IST Information Security and Compliance launched our fourteenth phishing test for UM staff and faculty.
The fake message came from a generic “accounting” address and asked staff to open an attachment scanned from a printer. The message contained several cues to mark it as suspicious:
- UM external warning tag
- A suspicious-looking URL
- Misspellings and grammatical errors in the text
- No UM branding
- A generic signature
How did we do?
Compared to April’s test, there was a significant decrease in the number of people who clicked on the link. The message was also reported to spam [at] umanitoba [dot] ca by more people than ever before.
Simulation results:
- 7% of staff and faculty clicked on the link (11.8% in April)
- 2% submitted data to the password field on the fraudulent page (3.3% in April)
- 502 people reported the email to spam [at] umanitoba [dot] ca (494 in April)
- 156 people reported the email to the Service Desk (276 in April)
People who forwarded the message to spam also indicated why they thought it was a phishing email. This means we are learning to recognize what a suspicious email looks like, and that’s a big step!
Many commented that receiving a reminder about what to look for in a suspicious email before the phishing test helped them recognize the fraudulent message when they received it.
UM staff and faculty are doing amazingly well in identifying potential cyber threats. But we have to stay vigilant. COVID and remote work have caused an escalation in online fraud since 2020, and there are no signs of it slowing down.
What to look for
Always watch out for the following signs of a phishy message:
- UM external warning tag
- Bad grammar and spelling
- Incorrect URLs
- A sense of urgency in the content
- A request for sensitive information
- A nondescript email signature
- A sender address that does not match the sender’s name
- An attachment that you did not request
If you receive an email that fits any of the phishing criteria above, do not click on the link or attachment.
Clicking a link or opening an attachment can trigger a malware download that will infect your computer and spread to the rest of your home or university network. Instead of clicking on anything in the message, delete the email immediately or forward it to spam [at] umanitoba [dot] ca.
The IST Security and Compliance Team thanks you for your ongoing attention to our cybersecurity efforts.
Remember: Information Security Starts with You!