Following executive approval in January, and thorough ethics and privacy reviews, the University of Calgary is launching a phishing education program for all faculty and staff.
Reflecting global trends, the university has experienced a significant increase in phishing attacks. Indications are that these attacks will continue to rise and pose substantial threats to the university, our people and the important work we all do.
Industry research shows that phishing education, or targeted test phishing emails, is becoming one of the best approaches to counter phishing attacks. On average, 12-30 per cent of users open malicious emails and then click on a link in the email. Companies that provide training programs notice improvements of between 26 and 99 per cent in their phishing email click rates (Ponemon 2016 report).
Phishing education programs are important tools to help educate people about the risks of phishing attacks and the role and responsibility we all share in protecting the university, our information and privacy. As individuals learn more about cyber risks, reports of phishing attempts increase and they become more proactive and vigilant about reviewing email content and understanding the potential impacts of their actions. Each one of us is the best line of defence against cyber-attacks.
University of Calgary phishing education program
As part of the University of Calgary’s phishing education program, ALL faculty and staff will receive at least one test phishing email in the next six months. During this time, if a test phish is acted upon, users should expect the following to occur:
- If the first test phish email is acted upon, an educational pop-up alert will appear informing the faculty or staff member that this is a test phish and providing helpful advice and education to avoid acting upon future suspicious emails.
- If a second test phish email is acted upon, the faculty or staff member will receive a phone call from an IT representative reinforcing phishing education.
- If a third test phish email is acted upon, the appropriate senior leader will be notified with the expectation that the faculty or staff member’s supervisor or designate will follow up to discuss the risks of phishing attacks to the university.
What to do if you receive a phishing email
If you open an email that appears to be suspicious, even if from a trusted source, do not click on any embedded links or attachments. Instead, include the email as an attachment in a new email, send it to firstname.lastname@example.org and then delete the email.
What to do if you click on an email link in a suspicious email
Immediately stop using your computer and contact the IT Support Centre at 403-220-5555. A representative will assist you.
Please direct questions to the IT Support Centre (email@example.com or 403-220-5555).