Phishing Test Conducted Last Week

Posted: March 25, 2025

Last week, OIRT (Office of Information Resources & Technology) conducted a phishing simulation as part of our ongoing cybersecurity awareness training. These simulated emails were designed to help employees recognize and respond to potential phishing threats. The test consisted of five unique emails, distributed equally among all Staff and Faculty.

Overall, results fell short of prior performance and expectations. While many employees eventually recognized the emails as phishing, few correctly reported them. If you sent an email to UTAC or contacted UTAC directly, that was incorrect. If you emailed another individual, that was incorrect. If you deleted the email but took no further action, that was also incorrect. If you clicked on the red shield Report icon in Outlook or Outlook on the web, or used the Report text option from the mobile dropdown on your cell phone—congratulations! You helped the university identify and stop a potential phishing scam.

All instances where a member of the community did not recognize the phishing email and entered the requested data came from one of two test emails that appeared to come from a trusted source whose name was spoofed. This is an extremely common tactic used by bad actors. Read the information below to improve your skills in identifying and reporting phishing and “quishing” (QR code-based phishing) emails. Our community is the first line of defense in protecting the university—and the first line of attack for cybercriminals.

How to Identify Phishing Emails

To protect yourself and university data, always be on the lookout for these common phishing red flags:

  • Suspicious Sender – Check the email address carefully; cybercriminals often use addresses that look similar to legitimate ones.
  • Urgent or Unusual Requests – Be cautious of emails pressuring you to act quickly, such as changing passwords, verifying accounts, or sending sensitive information.
  • Unexpected Attachments, Links, or QR Codes – Hover over links before clicking to verify the destination. Be extremely cautious with emails containing QR codes—scanning a malicious QR code could lead you to a phishing site or trigger a malware download.
  • Poor Grammar & Formatting – Many phishing emails contain spelling errors, odd formatting, or unprofessional language.
  • Mismatched URLs – A hyperlink might display one address but direct you to another. Always double-check URLs before clicking.
  • Unfamiliar Login Pages – Never enter your FDU network credentials (username and password) on any site not affiliated with the fdu.edu domain. Always ensure you’re logging into official FDU services. If you’re unsure, contact UTAC before proceeding.

What to Do If You Suspect a Phishing Email

  • Do not click any links, scan QR codes, or download attachments.
  • Do not reply to the sender or provide any personal or company information.
  • Report it – Follow the reporting instructions provided on this IT webpage:

Ongoing Phishing Simulations – Stay Vigilant
Phishing tests are mandated by law at least twice yearly. OIRT conducts phishing simulation tests throughout the year to help ensure employees remain aware of potential cybersecurity threats. Phishing attacks can happen at any time, so always stay alert, especially when receiving emails that request sensitive information.

Additional Training for Phishing Simulation Participants
Any users who failed the phishing simulation by clicking on a malicious link, entering credentials, or otherwise engaging with the simulated phishing email will be invited to take additional cybersecurity training. This training is intended to build awareness and strengthen our overall security posture. If you receive an invitation, complete the training as soon as possible.

Cybersecurity is a shared responsibility, and your vigilance helps keep our organization safe.

Last Modified: March 25, 2025