BSD UCM Phishing Email Assessment and Prescriptive Education Initiative
Globally, over 15 million phishing attacks are launched, with 80,000 users falling victim to the attacks each day. The emails often appear to be sent by legitimate businesses or from employees within the organization and often bypass email filters. Recently, it was announced that the University of Washington Medical Center (UWM) incurred a $750,000 penalty from the Office for Civil Rights (OCR) for a breach that started with a phishing email attack.
Phishing has become one of the most common methods by hackers to steal sensitive information, compromise computers, and hold personal files hostage for ransom. Most security breaches happen not because of super-sophisticated hacker attacks, but because everyday people fall to phishing attacks.
To reduce the risk posed by phishing attacks, the Biological Sciences Division and University of Chicago Medicine Information Security Offices have launched a Phishing Email Assessment and Prescriptive Education initiative that will provide tools and education to employees on how to detect and deal with these types of phishing emails.
Here is how the Phishing Email Assessment and Prescriptive Education initiative will work:
- The Information Security Offices will intentionally send out test phishing emails similar to those sent by hackers.
- Once you recognize the email as a phishing scam, do not click on any links and report the email.
- If you click on the link, you’ll see a notification message from the Information Security Offices and will be enrolled in an Anti-Phishing Computer Based Training.
Access the training at
BSD employees: Login with your CNetID and password.
UCM employees: Login with your UCHAD and password.
*UCM employees with both a CNetID and UCHAD should login with your CNetID and password.
Results of this phishing test will be kept anonymous, and supervisors will not be permitted to see the results.
If you have any questions, please contact the Organization’s Information Security Offices.
|BSD Information Security Officefirstname.lastname@example.org|
|UCM Information Security Officeemail@example.com, or by phone #2-3456|
Frequently Asked Questions
Q1. I received an email about training and phishing emails. What is this all about?
A1. The UCM and BSD Information Security Offices have launched a Phishing Email Assessment and Prescriptive Education Initiative to raise awareness on phishing emails and increase your knowledge of spotting a phishing email. The email contains instructions on how to access training.
Q2. Why are the BSD and UCM Information Security Offices sending “test” phishing emails to employees?
A2. Every day, more than 15 million phishing attacks are launched around the world, and 80,000 email users fall victim to these attacks. This initiative will show you first-hand how easy it is to fall for a phishing attack. The “test” phishing emails are sent to reduce the risk of cyber-attacks and the loss of sensitive information, and avoid possible regulatory fines and penalties by providing immediate training to those who click on the links within the test emails.
Q3. How can I opt-out of receiving the “test” phishing emails and participating in the Phishing Email Assessment and Prescriptive Education Initiative?
A3. This initiative was sanctioned and approved by a variety of leadership throughout the BSD/UCM, including: Dean Polonsky, Sharon O’Keefe, executive leadership of both the BSD and UCM, shared Cyber Security Governance committees, BSD and UCM HR, and the University and UCM Legal Offices, and will include all employees at this time. The purpose of this initiative is to raise our organization’s awareness of phishing email scams and provide training to all employees.
Q4. How do I access the “Anti-Phishing Training?”
A4. You can access the training either from clicking on the training link from the BSD Information Security Office’s webpage at http://security.bsd.uchicago.edu/phish/ or by going directly to https://uchicagomedicine.securityeducation.com. You will be asked to enter in their CNet or UCHAD credentials to log into the training system. (Note, if you have both a CNetID and UCHADID, you will have to use your CNet credentials to log on.)
Q5. I cannot sign in with my UCHAD credentials. Why not?
A5. If you have both a CNetID and UCHADID, you must log into the system with your CNet credentials.
Q6. Do I have to view the training video?
A6. No. This training is not mandatory, but it is recommended in order to increase your awareness of phishing emails.
Q7. What if I start watching the training video and do not complete it?
A7. That is okay. You can always go back to https://uchicagomedicine.securityeducation.com and finish watching the training video at your convenience. You can pick up where you last left off.
Q8. I received a suspicious-looking email that I think was sent as part of this campaign. Should I delete this email? Should I report the email to the Information Security Office?
A8. You are always encouraged to report any suspicious email to the Service Desk or Information Security Office before replying or clicking on any links. It is safe to delete the email.
Q9. What will happen if I opened the email, but did not click on any links?
A9. Nothing. You can simply delete the email. You should not click on the link in the email.
Q10. I hovered my mouse over the link in the email, and the URL looks suspicious/weird. What should I do?
A10. Nothing. One of the ways to identify a real phishing email is to hover (but not click) your mouse over the link within an email to see what URL you would be directed to if you were to click on the link. You can now delete the email.
Q11. What will happen if I clicked on the link in the email?
A11. The link in the phishing email is harmless and nothing will happen to you or your computer. The Information Security Offices will be tracking how many employees click on the link, but not who clicked. You will be sent an email that contains instructions on how to access the training video.
Q12. Will I be reported to my manager if I clicked on the link?
A12. No. Managers will have no knowledge of who clicked the phishing email link.
Q13. I clicked on the link and was re-directed to the BSD Information Security Office’s webpage (http://security.bsd.uchicago.edu/phish/). Now what do I do?
A13. Employees are instructed to follow the link on the BSD webpage to access training: https://uchicagomedicine.securityeducation.com
Q14.I received a training email from firstname.lastname@example.org. What is this?
A14. Employees will receive an email from email@example.com when they click on the phishing link. The email will provide instructions on how to access the training video to reinforce how to identify a phishing email.
Q15. I already watched the training video, so why do I need to watch another video?
A15. This additional training video is used to reinforce how to spot a phishing email and is only assigned to employees who click on the “test” phishing email sent as part of this initiative.
Q16. Is this training mandatory?
A16. No. This training is not mandatory, but is encouraged. Managers will have no knowledge of who has/has not completed training. The Information Security Offices will only be tracking how many employees have watched the training videos to gauge the effectiveness of training.