Following successful pilots within the departments of Pathology and Family Medicine to identify and report simulated phishing emails, Information Assurance (IA) and Health Information Technology & Services (HITS) are gearing up to conduct a phased, anti-phishing educational awareness campaign throughout all of Michigan Medicine. HITS staff will be the initial target group to receive a series of simulated phishing email messages starting in mid-April.
How it works
If a user clicks the link in an email sent as part of the campaign, or enters credentials in response, they will be directed to a webpage with educational material. The unusual language and illegitimate links will be highlighted and annotated in an effort to train people to detect warning signals.
The initiative is intended to educate staff members on how to recognize scams and protect themselves against inadvertently giving criminals access to personal, financial, and other sensitive data. Michigan Medicine plans to roll out the messages and training over the next three years.
“Improving the knowledge and behaviors of our workforce when confronting the ongoing phishing attempts against our institution are some of the most important activities we can promote to improve our cybersecurity posture,” notes Jack Kufahl, Michigan Medicine chief information security officer. “It helps protect the systems, data, and identities of Michigan Medicine and its patients, students, and employees.”
How to report a phish
If you suspect an email is phishing, report it to ReportPhish@umich.edu. This address was created for the anti-phishing pilots and is now being used to report any emails that appear “fishy.” Use of the new address sends phishing reports directly to IA staff members who can promptly block malicious websites, protect email, inform firewalls, and analyze impact.
Protecting Michigan Medicine sensitive information and systems is a shared responsibility. Given the increase in the frequency and cleverness of phishing scams, it is essential for all of us to keep alert and know how to recognize phishing so as not to be tricked by it. See these tips from Safe Computing: