In an effort to further enhance the University of Utah community's cybersecurity awareness, University Information Technology's Information Security Office (ISO) routinely conducts mock phishing exercises, sending fake phishing emails to campus and hospital faculty and staff.
Phishing — a major threat to our privacy and cybersecurity — is one of the most common cyberattacks against health organizations and higher education institutions and their students, faculty, staff, and patients.
Phishing attacks take many forms, such as a fraudulent email that impersonates a university official, and often ask you to respond by clicking a malicious link or visiting a compromised website. They all share a common goal: getting you to hand over sensitive information, such as login credentials, credit card numbers, or other restricted data. Although ISO maintains controls to help protect our networks and computers from cyberthreats, we rely on you to be the first line of defense.
The purpose of mock phishing exercises is twofold:
- Awareness and training: The simulations, deployed in a safe practice environment, test whether users identify or fall victim to a fake phishing email. Additionally, the campaigns provide training on how to recognize, avoid, and report phishing attacks in order to protect faculty and staff, their departments, and the campus and hospital from cyberthreats.
- Cybersecurity efforts: The campaigns help ISO collect better metrics and information about the ever-changing landscape of email-based attacks in order to better protect the U community and fine-tune its cybersecurity education efforts.
The current scope includes campus and hospital faculty and staff.
ISO periodically sends emails that resemble a phishing attack to small groups of selected users. If a user opens the link in the email and submits the login form, whether or not they enter credentials, a pop-up window appears indicating that the user has fallen for a mock phishing attempt. The user is then directed to this page for additional information and training.
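The flow just described (per-recipient link, click, form submission with or without credentials, pop-up, redirect to training) modeled as an added example. This is illustrative code written for this page, not ISO's own tooling; the URLs, pop-up text, event records, and recipient addresses are constructed placeholders. Two design points are worth noting: unknown tokens get a plain 404 rather than a logged click, so mail gateways that pre-fetch links and scanners probing random paths do not inflate the metrics, and any password typed into the fake form is discarded rather than stored or logged, since the only fact a simulation needs is that the form was submitted.

```python
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse, parse_qs
import secrets

# Assumed placeholders: the real exercise's URLs and record-keeping are not described on the page.
LANDING_BASE = "https://example.invalid/login"
TRAINING_URL = "https://example.invalid/mock-phishing-training"
POPUP_TEXT = "This was a mock phishing exercise run by your security office."


@dataclass
class MockPhishCampaign:
    """In-memory model of one mock phishing campaign against a small group of users."""
    recipients: Dict[str, str] = field(default_factory=dict)  # token -> recipient address
    events: List[dict] = field(default_factory=list)

    def issue_link(self, email: str) -> str:
        """Mint a per-recipient link. The token is random (not derived from the
        address) so a link cannot be guessed or forged for another recipient."""
        token = secrets.token_urlsafe(16)
        self.recipients[token] = email
        return f"{LANDING_BASE}?t={token}"

    def handle_click(self, token: str) -> dict:
        """GET of the landing link: log the click and serve the fake login form.
        Unknown tokens get a plain 404 and no event, so link-scanning mail
        gateways or scanners hitting random paths do not inflate the numbers."""
        email = self.recipients.get(token)
        if email is None:
            return {"status": 404}
        self.events.append({"email": email, "action": "clicked"})
        return {"status": 200, "page": "fake_login_form"}

    def handle_submit(self, token: str, form: dict) -> dict:
        """POST of the fake login form, with or without credentials filled in.
        Only the fact that the form was submitted is kept; any password the
        user typed is dropped rather than stored or logged."""
        email = self.recipients.get(token)
        if email is None:
            return {"status": 404}
        entered = bool(form.get("username")) or bool(form.get("password"))
        self.events.append({"email": email, "action": "submitted", "entered_credentials": entered})
        # The pop-up appears whether or not credentials were entered, then the user is sent to training.
        return {"status": 200, "popup": POPUP_TEXT, "redirect": TRAINING_URL}

    def summary(self) -> dict:
        """Campaign metrics: unique recipients who clicked and who submitted."""
        clicked = {e["email"] for e in self.events if e["action"] == "clicked"}
        submitted = {e["email"] for e in self.events if e["action"] == "submitted"}
        return {"sent": len(self.recipients), "clicked": len(clicked), "submitted": len(submitted)}


def token_from_url(url: str) -> str:
    """Recover the tracking token from a landing URL (what the server does on each request)."""
    return parse_qs(urlparse(url).query).get("t", [""])[0]


def run_demo() -> dict:
    """Constructed walkthrough with three made-up recipients."""
    campaign = MockPhishCampaign()
    addrs = ("alice@example.invalid", "bob@example.invalid", "carol@example.invalid")
    links = {addr: campaign.issue_link(addr) for addr in addrs}
    # alice clicks and submits a password; bob clicks but submits an empty form; carol ignores the email
    t_alice = token_from_url(links["alice@example.invalid"])
    t_bob = token_from_url(links["bob@example.invalid"])
    campaign.handle_click(t_alice)
    campaign.handle_submit(t_alice, {"username": "alice", "password": "hunter2"})
    campaign.handle_click(t_bob)
    campaign.handle_submit(t_bob, {})
    campaign.handle_click("not-a-real-token")  # scanner noise: no event recorded
    return campaign.summary()


if __name__ == "__main__":
    print(run_demo())
```

In a real deployment the landing page would be served by a web framework and the events written to a datastore; the structure stays the same: a random token maps the request back to a recipient, clicks and submissions are recorded as events, and submitted credentials are never retained.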
If you would like to ensure your U organization participates in the mock phishing exercise, please visit the IT Security Catalog to submit a service request. Select the Security category and then IT Generic Service Request (authentication required). Be sure to designate the assigned group as UIT - ISO - IAM (Identity and Access Mgmt).
Training is not mandatory but is highly recommended, as it builds awareness about phishing attacks and assists the U community in getting better at identifying and avoiding malicious emails. The module, which should take about 10 minutes, can be found in the university Bridge Learning Management System (campus employees only).
Knowledge Base articles:
If you cannot tell whether an email is legitimate, please forward it to firstname.lastname@example.org. The ISO team will review the message and let you know whether it’s a phishing attempt.
If you need further assistance, or have questions or concerns about the mock phishing exercise, please contact the Governance, Risk & Compliance team at ISO-GRC@utah.edu.