Why We Send Phishing Emails to Employees

Summary

Information on why SLCC OIT sends out test phishing emails.

Body

Description

Why We Send Phishing Emails to Employees

Dear SLCC Staff and Faculty,

You may have received an email from the IT security office asking you to click on a link, enter your credentials, or download an attachment. This email was a phishing test, designed to simulate a real attack and assess your response. We conduct these tests periodically as part of our cybersecurity education and awareness program. In this email, we would like to explain why we do this and how you can protect yourself from phishing attacks.

Why We Send Phishing Emails

Phishing is one of the most common and effective ways that cybercriminals can compromise an organization's security. Phishing emails are designed to trick you into revealing sensitive information, such as your username, password, bank account details, or personal information. By doing so, you could expose yourself and the company to identity theft, fraud, malware infection, data breach, or ransomware attack.

To prevent phishing attacks, we need to educate and train our employees on how to recognize and report them. That's why we send phishing emails to employees as part of a proactive approach to cybersecurity. Here are some of the benefits of this practice:

· Identify Vulnerabilities: We can determine how employees respond to phishing attempts and identify areas where additional training is needed.
· Educate Employees: We can educate employees on the latest phishing techniques and help them recognize the signs of a phishing email, such as spelling errors, urgent requests, mismatched sender names and addresses, or suspicious links and attachments.
· Measure Effectiveness: We can measure the effectiveness of our current security training programs and adjust them based on the results of the phishing test.
· Promote Vigilance: We can keep security at the forefront of your minds and encourage you to be vigilant about suspicious emails. We also reward employees who report phishing emails to the IT security office.
· Compliance Requirements: We can meet regulatory and compliance requirements that mandate security awareness training and testing.
· Reduce Risk: Ultimately, we can reduce the risk of successful phishing attacks, which can lead to data breaches, financial loss, and damage to the company's reputation.

How Attackers Change Their Content

One of the challenges of phishing prevention is that attackers are constantly changing their tactics and content to evade detection and increase their chances of getting a response. They often use social engineering techniques to manipulate your emotions, such as fear, curiosity, greed, or sympathy. They also use current events, trends, or topics that are relevant to your organization or industry to make their emails more convincing.

For example, during tax season, you may receive an email claiming to be from the IRS or your accounting department, asking you to verify your tax information or download a tax form. During compensation review periods, you may receive an email claiming to be from the HR department, asking you to update your salary or benefits information. During a pandemic, you may receive an email claiming to be from the health department, asking you to register for a vaccine or take a survey.

These are just some examples of how attackers tailor their phishing emails to the context and timing of your situation. They may also use other methods, such as spoofing the sender's address, impersonating a trusted contact, creating fake websites, or using logos and graphics to make their emails look legitimate.

How You Can Protect Yourself

The best way to protect yourself from phishing attacks is to be skeptical and cautious about any email that asks you to do something unusual or unexpected. Here are some tips to help you spot and avoid phishing emails:

· Do not open or reply to emails from unknown or suspicious senders.
· Do not click on links or download attachments from emails that you are not expecting or that look suspicious.
· Do not enter your credentials or personal information on any website that you are not familiar with or that does not have a secure connection (look for a padlock icon and https in the address bar).
· Do not trust emails that use pressure tactics, such as threatening consequences, demanding immediate action, or offering rewards.
· Do verify the sender's identity and the email's authenticity by checking the sender's name, address, and domain, and by contacting the sender through another channel, such as phone or chat.
· Do report any phishing emails to the IT security office by using the ‘report phishing’ button in your email client or by forwarding them to help.desk@slcc.edu.
· Do take the security awareness training and phishing tests that we provide to help you improve your skills and knowledge.

We hope that this email has helped you understand why we send phishing emails to employees and how you can protect yourself from phishing attacks. We appreciate your cooperation and support in keeping SLCC secure. If you have any questions or concerns, please contact the IT security office via the help desk at help.desk@slcc.edu or (801) 957-5555.

Thank you,

The IT Security Office


Criteria

This information is available exclusively to active SLCC faculty and staff.

Details

Article ID: 1199
Created
Sat 7/26/25 11:04 AM
Modified
Mon 10/27/25 2:30 PM