
This training initiative was announced in an email to the campus community on February 22, 2022.

Overview of Simulated Phishing

In order to promote cybersecurity awareness and educate campus members on how to stay safe from phishing attacks, campus members will periodically receive simulated phishing messages. These emails will be crafted to look like real phishing attempts. Though the emails may contain links or attachments, they will be harmless, as our simulated phishing program is designed to offer a safe practice environment for campus members. These exercises will provide hands-on opportunities for you to practice how to identify, respond to, and protect yourself from social engineering scams.

Treat these emails as you would any other phishing email. If you report the email to Technology Services using the Phish Alert Button, you will receive immediate feedback that you correctly identified the simulated phishing attempt. When taking a risky action such as clicking a link, entering credentials, replying with information, or opening attachments, you may be directed to a page with information identifying what indicators in the message are common red flags that can help you better detect phishing in the future. Additional training may be offered for those most at risk for phishing attacks.

Please see the FAQ below for answers to common questions regarding simulated phishing. If you have additional questions or concerns, you may contact the Service Desk or reach out to the Information Security team directly by emailing ts_infosec@pugetsound.edu.

Simulated Phishing FAQ

As phishing attacks designed to steal financial data and hijack social media accounts are increasingly prevalent, it is critical to combat them through education and vigilance. You are the first line of defense. Industry research demonstrates that internal simulated phishing programs can help raise information security awareness, which is important for all students, faculty, and staff.

Similar to lockdown drills to practice emergency response procedures for physical safety, simulated phishing trains users on how to detect and respond to phishing in order to combat real threats when they occur. Being able to accurately identify phishing and take appropriate action will reduce the likelihood of detrimental consequences - such as account takeover, ransomware, or data breaches - from occurring.

Campus members can expect to receive simulated phishing messages no more than twice per quarter. Generally, quarterly simulated phishing will occur during the months of January, April, July, and October. Advantages of regular training include incorporation of current trends and tactics as well as building resilience from repeated practice.

During Cybersecurity Awareness Month, campus members may receive additional messages as part of the education initiative.

Actions taken in response to a simulated phishing email will be collected. Examples of actions include: reported via Phish Alert Button, opened email, clicked a link, entered credentials on phishing page. If additional training is provided through the KnowBe4 platform, completion progress will be noted.

Collecting metrics will better help Technology Services understand risk and guide future information security awareness initiatives.

No! At times, aggregate de-identified data may be used to provide reporting on risk. However, individual results will not be shared since the purpose of simulated phishing is educational. The Information Security team and select staff members in Technology Services responsible for managing the platform will be able to view results.

Treat it like any other phishing email. If you know it is phishing, use the Phish Alert Button to report it. If you are not sure, see our tips on how to spot phishing or contact the Service Desk.

It should be extremely clear whether the page you entered credentials on was from a simulated phishing campaign. Since these simulated phishing messages are not malicious, entering your credentials on a simulated phishing page does not create the same risk to the university as it would if it were a real phishing attempt. Your credentials are not collected.

If the site was not part of a simulated phishing campaign and you entered credentials, your account could be compromised. Please change your password and immediately call the Service Desk at 253-879-8585 (option 2).

Treat it like a real phishing email. You can report the email, ask about its legitimacy, or delete it.

Based on the results of simulated phishing, those most at risk for phishing attacks may be offered additional educational materials. Training is offered through KnowBe4 with short videos and interactive content. We ask that you complete the brief training modules as it will help you protect against phishing and other social engineering attacks. The email will come from do-not-reply@training.knowbe4.com.