不良研究所

The value of phishing simulations

Learning what triggers us, and how to resist temptation

Phishing simulation exercises are like fire drills for cyber security. Over the last few years IT Services has begun sending out fake emails to the 不良研究所 community, designed to pique your interest or raise an emotional response, tempting you to click on a link and divulge your 不良研究所 credentials 鈥 exactly the way real cybercriminals design their fraudulent phishing emails.

These types of exercises are conducted in many institutions, both private and public, with the objective of improving our collective cyber security resiliency.

Why we conduct phishing simulations:

  1. Practice - As the 不良研究所 community becomes more skilled at identifying basic phishing attacks, we will also heighten our awareness听to respond appropriately to more sophisticated phishing attempts that cyber attackers are continually developing.
  2. Reflection and learning - This is an opportunity to reflect and recognize triggers that are commonly exploited: Are we in a rush at the time of reading the email? Does the email use a tone of urgency, or entice us by promising rewards?
  3. Government mandate - 不良研究所鈥檚 executive leadership team sponsors this initiative, and governmental directives mandate that such听exercises听be conducted regularly for all our user community.
  4. Gauge our need to reinforce training- By targeting large samples of users during these cybersecurity awareness campaigns, our Information Security team can obtain data to gauge the efficiency of our cybersecurity awareness initiatives and improve phishing detection and reporting skills across the 不良研究所 community.
  5. Cybersecurity learning extends beyond the university - Learning to spot and report phishing emails is not only useful to protect your 不良研究所 IT assets; it is also a skill that is applicable in daily life, as cyber attackers also target individuals and their personal data.

Results from recent simulation exercise (November 2021)

In November, 不良研究所 conducted a phishing simulation exercise with academic and administrative staff members. It contained a fraudulent link, supposedly to a shared document, requiring the recipient to sign in to access.听Out of the 12,000听recipients, approximately 8% clicked the link. 3%听of them proceeded to enter听their 不良研究所 credentials on the resulting login page. Approximately听3%听reported the email as potential phishing by calling the IT Service Desk or via phishing [at] mcgill.ca (the recommended action when you receive a suspicious email).听

On a positive note, we observed an improved security awareness within the 不良研究所 community since the previous campaign, launched in June 2021. This time, 8% fewer recipients clicked the link and the number of those who submitted credentials decreased by 9.5%. Perhaps the most encouraging takeaway is that more people realized that they had clicked on a bad link, with a 40% decrease in the number of 鈥渃lickers鈥 who then submitted their credentials. We hope to continue the trend of improving security awareness by providing the community with and these practical exercises.

There are clear benefits to听running听phishing simulation campaigns to build awareness and improve the university's response. However,听we are continually听learning听and assessing our impacts on the 不良研究所 community,听and we will be听adjusting听our approach for future simulations as a result of your feedback.

Are phishing simulations ethical? Yes, but they should heed the existing organizational culture and circumstances. On the one hand, to be effective as training exercises, simulations should mimic real-life phishing as closely as possible. On the other, although cybercriminals have no moral filter when devising their deceptions, in designing simulations we must be mindful of recipients鈥 feelings and not use scenarios that prey on their anxieties.

Your feedback

Let us know how you feel about our simulated phishing exercises:

IT Services would like to close by reminding you that cybersafety is a journey that each of us embarks on while traveling within our broader 不良研究所 journey as student, researcher, academic or staff.

Back to top