Phishing test: Did you catch the suspicious OSD email?

Last month the Technology Department ran a “phish” test on district staff using the following email. It probably looks very familiar: the minute it went out, our Help Desk and the Communications department received many calls alerting them to its suspicious nature.

Copy of the email sent to staff as the test phishing exercise. The email reads: “To all employees, As part of ongoing efforts to maintain regulatory compliance we have updated our password policy and we need everyone to check their password immediately to ensure it meets our minimum security requirements. Please click here to do that: Check Password [link]. Please do this right away. Thanks!” The email was sent from IT@osd.wednet.edu.

We sent this message to establish a baseline of our district's risk and to gauge the need for further phishing training. Based on the results, we did fairly well as a district, coming in below the typical industry score for an organization our size. We had a “Phish Prone” score of 22.8% compared to the industry average of 27.7%.

Results of the phish test sent to 1,380 recipients: 1,374 delivered, 970 opened, 271 clicked the link, 42 entered data.

Specifically, for this message we measured whether a user opened it (which is completely fine), clicked the link, and, having clicked, entered information. The figures above are what we used to calculate our score. Based on those responses and our score, we plan to provide more phishing education in the future, as well as occasional tests to measure our progress.

In this email, there were four items that recipients should have looked for:

  1. The sender and domain. Phishers can often “spoof” (fake) domains so that emails look authentic. Even if the domain looks correct, is the sender someone you are familiar with?
  2. The subject line is trying to convey a sense of urgency. Phishers often try to take advantage of urgent situations to get you to act before you think the situation through clearly.
  3. The email is directing you to click on or open a link. Urgent emails directing you to click or open something should be a warning that more inspection is warranted.
  4. When you mouse over (hover) the link, the URL doesn’t match. Typically when you hover over a link, the browser window shows the link's actual URL (web address). If that URL does not sensibly match the sender or the content of the email, this should be a warning.

Annotated copy of the phishing email sent to all staff, with commentary on what to watch for in each part of the message: the email domain spoofs a popular website or well-known organization; it conveys a sense of urgency (example: “do this now”); it tells you to click a link or open an attachment; hovering over the link shows it does not take you to the site the email content says it will.
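As an added illustration, not part of the original post or the district's own tooling, the following Python script checks a message for the four warning signs listed above and reproduces the phish-prone score from the figures reported earlier. The sample message, its link target, the known-sender list and the urgency word list are constructed for the example, and the score formula (clicked plus data entered, as a share of delivered) is an assumption that happens to reproduce the 22.8% in the post.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the test email described in the post.
# The link target is a placeholder; the real one used in the exercise is not on the page.
SAMPLE = {
    "sender": "IT@osd.wednet.edu",
    "subject": "Action required: check your password immediately",
    "body_html": (
        "<p>To all employees, as part of ongoing efforts to maintain regulatory "
        "compliance we have updated our password policy and we need everyone to "
        "check their password immediately. Please click here to do that: "
        '<a href="http://password-check.example.invalid/login">Check Password</a>. '
        "Please do this right away. Thanks!</p>"
    ),
}
OUR_DOMAIN = "osd.wednet.edu"
KNOWN_SENDERS = {"helpdesk@osd.wednet.edu"}  # constructed list of familiar mailboxes
URGENCY_WORDS = ("immediately", "right away", "urgent", "action required")

def phishing_indicators(msg, our_domain=OUR_DOMAIN, known_senders=KNOWN_SENDERS):
    """Return the subset of the post's four warning signs present in msg."""
    found = set()
    sender = msg["sender"].lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    # 1. Sender and domain: a foreign domain is an obvious sign; a correct-looking
    #    domain with an unfamiliar mailbox still counts, since domains can be spoofed.
    if sender_domain != our_domain or sender not in known_senders:
        found.add("sender")
    text = (msg["subject"] + " " + re.sub(r"<[^>]+>", " ", msg["body_html"])).lower()
    # 2. Urgency language in the subject or body.
    if any(w in text for w in URGENCY_WORDS):
        found.add("urgency")
    hrefs = re.findall(r'href="([^"]+)"', msg["body_html"], flags=re.I)
    # 3. The message directs the reader to click a link.
    if hrefs and re.search(r"\bclick\b", text):
        found.add("click_link")
    # 4. Hover target: the link's host does not belong to the sender's domain.
    for href in hrefs:
        host = (urlparse(href).hostname or "").lower()
        if host != our_domain and not host.endswith("." + our_domain):
            found.add("url_mismatch")
    return found

def phish_prone_pct(delivered, clicked, data_entered):
    """Assumed scoring: recipients who clicked or entered data, as a share of delivered."""
    return round(100 * (clicked + data_entered) / delivered, 1)

if __name__ == "__main__":
    print(sorted(phishing_indicators(SAMPLE)))  # all four indicators fire
    print(phish_prone_pct(1374, 271, 42))       # 22.8, matching the post
```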

Phishing emails are not going away and our automated filters will occasionally let some pass through. If you encounter an email that you feel is suspicious, but are not sure, contact the Help Desk at Ext. 6172 and they can provide guidance.

For more information on phishing and social engineering, this video from Google for Education is a great place to start: “Stay Safe from Phishing and Scams”.