From July to September of this year, University of Michigan-Flint ITS, supported by the U-M Information Assurance Office (IA), conducted an awareness campaign on campus that resulted in a significant decrease in the number of users who fell for simulated phish emails. In addition to IA support, UM-Flint ITS groups that were also instrumental in this process included Security Services, Web services, ITS-Helpdesk, and the ITS Publicity Committee.
Prior to the campaign, the organizers received UM-Flint leadership approval and informed UM-Flint faculty and staff members that ITS was going to phish them in the coming months, in accordance with U-M Self-Phishing Guidelines and Norms. Faculty and staff also received a link to the Flint ITS phishing training page (log in with uniqname and UMICH (Level-1) password) so they could practice identifying a phishing attempt.
The campaign included three rounds of self-phishing emails. During the campaign, if a user clicked the link in an email sent as part of the campaign, or entered credentials in the simulated phish email, they would receive a follow-up email with a link to the training webpage. The follow-up email stated that they had fallen for a simulated phish email and would need to complete the phishing training through the link provided. IA provided a communication plan and emails for UM-Flint ITS staff to adapt as needed.
The number of users responding to the simulated phish email fell dramatically between the first and third rounds. With the first email, 579 people opened it, 256 clicked on the hyperlink inside, and 167 entered the requested credentials. By the final message, those numbers were 382, 59, and 44, decreases of 34%, 77%, and 74%, respectively.
Creating a culture of cybersecurity and engaging in safe computing practices is a responsibility that is shared by all. The final results show that the campaign improved IT security knowledge and the ability of users to identify and report phishing threats. Flint ITS will continue to work to keep their campus informed and protected.