Main Navigation

Simulated exercises help users identify, avoid phishing

Recently, a colleague messaged me, asking whether I had received an email from the University of Utah Health about a free smart watch. I hadn’t. Why?

There’s something off about it, he said.

A closer look revealed some common red flags indicative of phishing. The sender’s email address ended in .com instead of .edu. The sender offered an expensive tech device for free. And the offer came with a deadline, creating a sense of urgency.

My colleague reported the email to the U’s Information Security Office (ISO), which confirmed his gut feeling about the message — only in this case, it was a simulated phishing exercise.

The ISO routinely performs simulated phishing exercises to educate users on and increase awareness around phishing, a common technique criminals use to elicit personal information, such as passwords and credit card numbers, install malware, and gain access to devices, networks, and systems.

Unlike the real thing, ISO’s simulated phishes do not harm the user or the university if the user falls for them, said McKenzie Spehar, a data security analyst for ISO’s Governance, Risk & Compliance team.

“Their username and password aren't captured or leaked during a training, and a threat actor isn’t involved and doesn't gain any information,” Spehar said. “When the ISO conducts simulated phishes, we're providing a safe environment where people can learn what to look for and practice how to report malicious messages when they appear in their inboxes.”

Those who open links in a simulated phish are enrolled in KnowBe4 security awareness training, which covers key tactics used in each exercise.

Spehar said users can avoid being phished by asking themselves:

  • Is the sender’s email address legitimate?
  • Does the email contain spelling or grammar errors?
  • When was the email sent? Would that person normally send you an email at that time?
  • Does the email offer something too good to be true?
  • Are you being urged to act quickly?
  • When you hover over links, do they go to reputable websites? Do they go where you expect?

With a successful phish, a criminal can use U credentials/accounts as a pivot point to their ultimate target, even if that user doesn’t have access to confidential information like student or patient data. If cybercriminals gain access to the university’s IT systems and resources, they could potentially steal confidential information or deploy ransomware. IT security breaches can also harm the U’s finances and reputation, and the privacy of U students, patients, faculty, and staff.

“We're only ever as safe as our weakest link, so we’re reliant on everybody being cautious when they receive emails with links or attachments and reporting anything suspicious,” she said. “We all have to do our part to keep the university safe.”

If you ever have a doubt about an email, report it using the Phish Alert button. The ISO’s Security Operations Center (SOC) will examine the message, including any links or attachments, and email you back about its legitimacy. If other users received the same malicious email, the SOC will remove it from their inboxes, lowering the risk of someone else falling for the scam.

The same applies if you know for sure you’ve received a phishing email.

“Even if you believe it's a phish and you’re not going click on anything, please report it before you delete it [so the SOC can act accordingly],” she said. By doing this, you may save your colleagues and the university from a potential cybersecurity crisis.

Above all, Spehar said to trust your instincts.

“If you get an email and something tells you that it's not quite right, really listen to that voice,” she said.

Report phishing

If you receive a malicious or suspicious message in a university email account, please report it using the Phish Alert button. If your email client does not have the Phish Alert button, forward the email as an attachment to

Cybersecurity training

For more information about phishing, including common tactics and examples of recent attacks, visit the Phish Tank. For cybersecurity training, including a module on phishing, enroll in the Canvas course.