Introduction
Virginia Tech provides a monthly Phishing Education program available for department enrollment. This article outlines the program's features and benefits, details the enrollment process, and includes links to additional information and training opportunities.
Instructions
What is the Phishing Education program?
The Phishing Education Program at Virginia Tech is a monthly initiative designed to enhance awareness of, and experience with, phishing attacks. This program is managed by the Division of IT and is available for department enrollment at Phishing Education Program. The program includes monthly scenarios that simulate phishing attacks, providing hands-on training to help participants recognize and respond to real phishing attempts.
Why are programs like these important?
Phishing attacks in the education sector have increased by 47% since 2022. The education sector is reported to be the most targeted by these attacks [1]. The best defense against phishing attacks involves a multi-layered approach combining technical solutions and human vigilance. Regular training (like this program) helps develop the “human vigilance” part by training individuals to recognize phishing attempts and understand how to respond.
The program aims to improve security awareness, measure the effectiveness of cybersecurity training, and foster a strong security culture within the department. By participating in this program, departments can reduce their risk of data breaches and other cyber threats.
What are the features of the program?
Each month, on a randomly selected day, all employees of an enrolled department will be sent a simulated phishing attack. Their response will be recorded. If any participant clicks on any links within the email or provides credentials, they will be required to complete a short training on phishing. This training will have a due date, and the simulation is considered ongoing until the training due date has passed.
The results of the simulation will be provided as a report to the Organizational Unit admin (OU admin) who signed up the department for the program or, if that individual is no longer an OU admin, a different OU admin associated with the department. The program reporting is non-user specific. An example of a report is shown in Figure 1. A description of the columns is provided in Table 1. This report will be provided, at a minimum, 9 days after the simulation has concluded.
Figure 1: Sample report
Table 1: Column descriptions
Compromised | This reports on the number of simulations that were failed completely. If the scenario was a "credential phish," compromised would mean a link click AND credentials were entered. If the scenario was a drive-by URL, then a link click would be the only action needed to be considered compromised. Value can be empty or "--". |
Assigned Trainings | This is the total number of training courses assigned to all individuals in your department. Value can be zero. |
Completed Trainings | This is the total number of assigned training courses completed. Value can be zero. |
Training Status | This is the status of the training course(s) assigned to the user. Values are Completed/In progress/Not started/No value ("--"). |
Phishing Reported On | This is the date and time the simulation email was reported by the individual as a phish. Value can be empty or "--". |
What is the process to sign up a department for the program?
OU admins can request to enroll at Phishing Education Program. They must fill out a request for each department in their OU they wish to enroll, because the request must be approved by the associated dean, director, department head, or alternate approver.
How do I get more information?
You can request a consultation at CCS Services Consultation.
What are other training opportunities offered?
This article, How to Protect Yourself from Phishing Attacks, has some useful information about phishing attacks, including other training opportunities.