Self-Phishing

The hard truth is that UBC is constantly being phished! Believe it or not, criminals track response rates and engagement statistics of their phishing campaigns so they can further target individuals who have already responded to a phish.

Self-phishing training helps employees better understand how they can quickly spot some of the most common types of phishing to avoid falling victim to their attacks and to report it quickly so that the Cybersecurity team can respond and block them as appropriate. The objective is to increase the reporting of phishing messages to security@ubc.ca and reduce success rates from the criminal’s perspective. Ideally, if we can make UBC "unresponsive" to criminals, then they will likely ‘move on’ to an easier and more responsive target.

The UBC Self-phishing initiative was approved by the Privacy and Information Security Management (PrISM) Executive Leadership Committee, and the UBC Executive.

Absolutely not. However, treat this as an opportunity to better prepare yourself for real phishing attacks.

Campaign results are kept confidential and the collected results for individuals will not be shared with anyone, including your manager or any of your co-workers. Information entered during the campaign, like usernames or passwords, is not retained and is not available for review by anyone including service operators.

The self-phishing campaign is ongoing. Unfortunately the criminals are constantly on the attack with new variations and techniques to their phishing messages. As long as those attacks continue, the self-phishing training campaign will be in effect, helping employees to stay informed and alert.

No. It is important to know how to spot a phishing email. It is just as important to report malicious emails to security@ubc.ca as soon as you realize you have received one, and not to rely on your co-workers to do this first. Swift reporting allows the Cybersecurity team to quickly mitigate the risk to UBC. The self-phishing campaigns are designed to mimic the real phishing emails that we see at UBC. By being part of the regular self-phishing exercises, you will see first-hand the tactics and tricks that the attackers use to try to convince you to click on a link or to give up your credentials. It is essential that everyone stays up-to-date on these and that everyone plays their part in thwarting an attack on UBC.

Please don't! What if the message that you think is a test phishing email from UBC is actually a real phishing email and you have just downloaded malware or given up your credentials? Always report suspicious emails by forwarding them as an attachment to security@ubc.ca. We would rather get 100's of the same report of a phishing test, than zero reports of a real phishing email.