“Vacation policy” - simulated phishing exercise to raise awareness of cyber fraud


Published: 14 Jun 2021

Each year McGill users receive thousands of fraudulent email messages requesting that they click a link or download a file – this is known as “phishing”. Many people fall victim and provide personal information, such as their username and password.

Last Tuesday, June 8, IT Services sent a simulated phishing email to all faculty and staff members, containing fake information about an “updated vacation policy”. It enticed recipients to click a link, which led to a page where they were prompted to enter their McGill credentials.

The message and web page were designed to look like legitimate communications, which is exactly how cybercriminals design their fraudulent phishing emails.

How did staff react?

  • A large majority did the safe thing – they either deleted or ignored the email.
  • Some recipients clicked the link within the email but realized it was fraudulent and did not go further.
  • A small number clicked the link and attempted to log in. In a real-life phishing attack this could have led to compromised personal information and systems.
  • Reassuringly, many reported the email to phishing [at] mcgill.ca, helping to keep McGill safe.

Those who clicked on the link will receive an email from Information Security to take recommended cybersecurity training.

Learn how to spot phishing and other cyber fraud

Protect yourself and your colleagues by learning more about cybersecurity best practices: take McGill’s self-paced course, Cybersecurity Awareness Essentials. This informative series consists of 10 short videos that can be viewed at your convenience, with each video lasting no longer than five minutes. Don’t get caught by online fraud. If you do spot a suspicious email in your inbox, report it to phishing [at] mcgill.ca.
