Information Technology Services

Phishing Simulations

Since 2024, ITS has administered regular phishing simulations to assess the vulnerability of our community to email scams. Phishing simulations enable us to observe how our email users respond to potentially fraudulent emails, including attempts to gain unauthorized access to accounts, steal personal information, and exploit members of our community.

What is phishing?

Phishing is the act of using deceptive methods (like fake emails) to get private information, money, or unauthorized access from a victim to conduct inappropriate or fraudulent activities. Read more about phishing and how to recognize it.

 

What is a phishing simulation?

A simulated phishing email looks like a normal message but contains common suspicious elements that should indicate it is not legitimate. Unlike a real scam, it is sent by the UofM IT Security team using a fake email address. A user who clicks on a link in a simulated message will be directed to a webpage that informs them about the simulation and provides tips on how to spot phishing scams in the future.

Phishing simulation info webpages will never require you to log in or click a link, and UofM employees will never ask for your password.

 

What happens if I click multiple simulated phishing emails?

To reinforce the importance of identifying and avoiding email scams, users who fail three or more phishing simulations will be assigned a brief training session focused on phishing. This training is in addition to annual security awareness training and must be completed within 30 days to maintain uninterrupted access to your account.

 

Why does the UofM conduct phishing simulations? Are you trying to trick me?

Our goal isn’t to trick anyone; quite the opposite! Our hope is that our users will become so savvy at identifying red flags that our phishing simulation click rate drops to zero. 

Organizations worldwide, including the University of Memphis, are bombarded with thousands of cyber attacks daily. This includes phishing attempts sent directly to faculty, staff, and students. ITS works continuously behind the scenes to ensure the security of our community’s technology resources. However, with more than 20,000 active accounts, each UofM account holder must maintain personal security to keep our systems and everyone’s data safe. 

Phishing simulations offer insight into how users respond to real-world phishing attempts, enabling us to identify those who may be more susceptible to attacks. Since regular testing began, the overall rate of users opening fraudulent links has decreased significantly.

 

How can I spot phishing simulation emails?

Simulated phishing emails appear to be identical to real scam emails. In fact, we often use real emails reported by our users as templates for simulations. For tips to recognize phishing, visit our phishing webpage or follow the links on our Security Orientation page. 

 

When I think I’ve received a phishing simulation, can I click the link to see if I’m right?

Don’t do that! Never click links or open attachments from unknown or unexpected senders unless you’re able to verify their legitimacy.

When you report a simulated phish using the Phish Alert Button, you’ll receive a notification that you spotted it and passed the test. Way to go! 

Regardless of the reason for clicking a link in a simulated phishing email, it will be counted as a failure and added to your total. After three failures, you will be required to complete additional training. 

 

I clicked a link in a phishing simulation that someone forwarded to me.

Phishing simulations are unique to each user. If you click a link in a simulated email addressed to someone else, it will register as a failure for the original recipient, not you. Please forward the email you clicked to itsec-training@memphis.edu and report the error so a failure isn’t attributed to the recipient.

 

How can I ensure that the emails I send don’t look like phishing?

Here are some tips to avoid seeming suspicious and getting your email reported or ignored: 

  • Do not use your personal email account to conduct UofM business. Emails regarding UofM business, classes, opportunities, etc., should only be sent from memphis.edu addresses. 
  • If you use a vendor to manage a service that sends emails on your behalf, see if it’s possible to send those messages via a memphis.edu address. Contact the ITS Service Desk for assistance with email whitelisting. 
  • Avoid tracking services that mask the destination URL of links in your emails. 
  • When possible, avoid including links to unfamiliar or unexpected websites in your emails. If users need to log in to a non-UofM website or app, create a webpage on the memphis.edu website with information about the service and a link to the third-party login page from there. It’s easier to trust links published on our website than in an email. 
  • Never send unexpected attachments or file-sharing links. Inform the recipient that the file is being sent, including how it will be shared and the sending address. If possible, upload the file to your UofM OneDrive and share it from there. 

 

I have questions or concerns about phishing or training that are not addressed here.

Submit an online request or email the ITS Service Desk at umtech@memphis.edu.