Phishing simulation to gather data, educate and raise awareness

A simulation being conducted through March will provide Central Michigan University’s Office of Information Technology with important data about phishing. 

According to SANS Institute — an online organization committed to strengthening online security — phishing is a pinpoint attack against a subset of people with the goal of mining passwords or personal information like social security or credit card numbers.

The simulation targets a large number of willing participants comprising faculty and staff.

According to an OIT press release, participants are sent emails by OIT resembling those of a scammer. OIT will track responses and actions taken by recipients and use that information to determine how people react to phishing attempts, and how phishing awareness initiatives can improve.

Usernames and passwords are not stored. However, susceptible participants are provided resources on how to avert a genuine threat. 

“The goal isn’t to trick people into falling for this, but it is being used to understand,” said Kole Taylor, communications manager of OIT. “We are going to be (simulating) what the scammers do.”

Phishers target a person’s sense of urgency and feed off of that fear, Taylor said. Access is gained by embedded links and the release of confidential information. 

The counterfeit emails can also target a person’s direct deposit, tax forms (UW2), passwords and linked accounts. 

According to OIT’s webpage, CMU students, faculty and staff can avoid phishing emails by noticing improper verb conjugation, spelling mistakes, generic terminology and performing a “skeptical hover,” a technique of mousing-over a link to make sure it will send recipients to a webpage they are familiar with.

Allowing a phisher access to a CMU email or account can cause a cascading effect, compromising linked accounts. Because of this, users should be careful using a university email as a recover or primary email. 

If ever skeptical, Taylor said people should contact the IT desk or report it to before responding or interacting with an email. 

More information and phishing examples can be found online at

This crime is not specific to CMU. It is an infestation every organization and person with an electronic account system must examine and treat, Taylor said.

CMU may seem targeted at an excessive degree since its population of individual online accounts is proportionally large, Taylor said.

There are no places of reference or comparable statistics from other universities. Taylor said March’s simulation will establish a baseline from which the university can compare future studies.

“Phishing has always been around, but it is always on the rise,” Taylor said. “It is a lucrative business.” 

The simulation is part of a larger security initiative taking place over the next couple years, Taylor said. The obligation came from an internal security audit. 

In the future, OIT plans to perform simulations with student participants.