Understanding the Phishing Education program


Introduction

Virginia Tech provides a monthly Phishing Education program available for department enrollment. This article outlines the program's features and benefits, details the enrollment process, and includes links to additional information and training opportunities.

Instructions

What is the Phishing Education program?

The Phishing Education Program at Virginia Tech is a monthly initiative designed to build awareness of phishing attacks and give participants experience with them. The program is managed by the Division of IT and is available for department enrollment at Phishing Education Program. It includes monthly scenarios that simulate phishing attacks, providing hands-on training to help participants recognize and respond to real phishing attempts.

Why are programs like these important?

Phishing attacks in the education sector have increased by 47% since 2022. The education sector is reported to be the most targeted by these attacks [1]. The best defense against phishing attacks involves a multi-layered approach combining technical solutions and human vigilance. Regular training (like this program) helps develop the “human vigilance” part by training individuals to recognize phishing attempts and understand how to respond.

The program aims to improve security awareness, measure the effectiveness of cybersecurity training, and foster a strong security culture within the department. By participating in this program, departments can reduce their risk of data breaches and other cyber threats.

What are the features of the program?

If your department has enrolled, then each month, on a randomly selected day, you will be sent a simulated phishing email. If you click on any links within the email, you will be required to complete a short training on phishing. Your response will be recorded, but no identifiable information will be reported. The program reporting is not user-specific. An example of a report is shown in Figure 1. A description of the columns is provided in Table 1.

Phishing Education Program Report

Figure 1: Sample report

Table 1: Column descriptions

Compromised: This reports on the number of simulations that were failed completely. If the scenario was a "credential phish," compromised would mean a link click AND credentials were entered. If the scenario was a drive-by URL, then a link click would be the only action needed to be considered compromised. Value can be empty or ("--").

Assigned Trainings: This is the total number of training courses assigned to all individuals in your department. Value can be zero.

Completed Trainings: This is the total number of assigned training courses completed. Value can be zero.

Training Status: This is the status of the training course(s) assigned to the user. Values are Completed/In progress/Not started/No value ("--").

Phishing Reported On: This is the date and time the simulation email was reported by the individual as a phish. Value can be empty or ("--").

How do I sign up my department for the program?

Organizational unit admins can request to enroll at Phishing Education Program. You must fill out a request for each department you wish to enroll, because the request must be approved by the associated dean, director, department head, or alternate approver. 

How do I get more information?

You can request a consultation at CCS Services Consultation.

What are other training opportunities offered?

The article How to Protect Yourself from Phishing Attacks has useful information about phishing attacks, including other training opportunities.