The value of phishing simulations

Learning what triggers us, and how to resist temptation

Phishing simulation exercises are like fire drills for cyber security. Over the last few years IT Services has begun sending out fake emails to the McGill community, designed to pique your interest or raise an emotional response, tempting you to click on a link and divulge your McGill credentials – exactly the way real cybercriminals design their fraudulent phishing emails.

These types of exercises are conducted in many institutions, both private and public, with the objective of improving our collective cyber security resiliency.

Why we conduct phishing simulations:

  1. Practice - As the McGill community becomes more skilled at identifying basic phishing attacks, we will also heighten our awareness to respond appropriately to more sophisticated phishing attempts that cyber attackers are continually developing.
  2. Reflection and learning - This is an opportunity to reflect and recognize triggers that are commonly exploited: Are we in a rush at the time of reading the email? Does the email use a tone of urgency, or entice us by promising rewards?
  3. Government mandate - McGill’s executive leadership team sponsors this initiative, and governmental directives mandate that such exercises be conducted regularly for all our user community.
  4. Gauge our need to reinforce training- By targeting large samples of users during these cybersecurity awareness campaigns, our Information Security team can obtain data to gauge the efficiency of our cybersecurity awareness initiatives and improve phishing detection and reporting skills across the McGill community.
  5. Cybersecurity learning extends beyond the university - Learning to spot and report phishing emails is not only useful to protect your McGill IT assets; it is also a skill that is applicable in daily life, as cyber attackers also target individuals and their personal data.

Results from recent simulation exercise (June 2021)

Pie chart showing responses, as described below

In June, McGill conducted a phishing simulation exercise with academic and administrative staff members. It contained a fake link, supposedly to a secured document, requiring the recipient to sign in to access. Out of the 17,521 recipients, approximately 19% clicked the fake link and 12.4% of them proceeded to enter their McGill credentials on the fake login page. 5% reported the email as potential phishing by calling the IT Service Desk or via phishing [at] (the recommended action when you receive a suspicious email). McGill's overall response was slightly worse than the average for similar educational institutions.

On a positive note, we observed that McGill departments that routinely provide cybersecurity training for their employees exhibited better than average responses: 6.7% clicked and 4.1% logged in.

Key takeaways

There are clear benefits to running phishing simulation campaigns to build awareness and improve the university's response. However, we are continually learning and assessing our impacts on the McGill community, and we will be adjusting our approach for future simulations as a result of your feedback.

Are phishing simulations ethical? Yes, but they should heed the existing organizational culture and circumstances. On the one hand, to be effective as training exercises, simulations should mimic real-life phishing as closely as possible. On the other, although cybercriminals have no moral filter when devising their deceptions, in designing simulations we must be mindful of recipients’ feelings and not use scenarios that prey on their anxieties.

Your feedback

Let us know how you feel about our simulated phishing exercises:
Take our 2-minute survey

IT Services would like to close by reminding you that cyber safety is a journey that each of us embarks on while traveling within our broader McGill journey as student, researcher, academic or staff.

Back to top