Phishing Simulation Program
Like any skill, spotting phishing emails takes practice. Creating a consistent behavior, like reporting suspicious emails, requires repetition. Our phishing awareness and reporting exercises are designed to give the Montco community experience in identifying and reporting simulated phishing messages. We do this so when real phish show up in your inbox, you'll know exactly what to do.
Why are we doing this?
Phishing is the single greatest threat to our digital privacy and security today.
According to industry studies:
- 90% of data breaches are the result of phishing. (Source)
- 50% of all Social Engineering incidents in 2022 used pretexting, an invented scenario that tricks someone into giving up information or committing an act that may result in a breach. (Source)
- 50% reduction of susceptibility to phishing after simulation training. (Source)
Our security systems block millions of these phishing messages each month, but still, some will always make it through. You are our best defense against these messages. Recognizing phishing prevents it from harming you, and your reports prevent phishing from harming the community. Phishing awareness and reporting practice will help keep us alert and ready to respond to these threats.
These exercises will:
- Deliver simulated phish based on actual phishing attempts found at the College.
- Give our community experience in identifying and reporting phishing emails.
- Recognize consistent reporters.
- Provide an evidence-based understanding of our community's phishing risks.
These exercises will not:
- Send gotcha emails using messages more sophisticated than we typically receive.
- Directly impersonate Montco departments or services.
- Report the identities of those who click.
- Assign mandatory training or take punitive action against those who click.
What to expect
Email users should expect to receive a simulated phish once per month. Like any suspected phishing message, it should be reported (How to Report). You will be notified that the phish was a simulation.
If you miss it and accidentally click, you'll see a page that reassures you it's just practice and highlights the warning signs to watch out for next time. Close that page and report it anyway. After all, it's good practice.
If you'd like more information on identifying phish, resources are available to you here. If you have questions, concerns, or comments about our Phish Reporting exercises, please contact our IT Security team (firstname.lastname@example.org).
Some content used with permission from Harvard University IT Information Security Group.