Our district recently purchased a service for phishing testing and we will begin work before the end of this month. If you have questions – drop me a note at firstname.lastname@example.org.
Q1. What is phishing?
A1. Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
Q2. What is phishing testing?
A2. It’s when fake emails are sent to users for training purposes. By sending out fake messages and attempting to get users to click on links, open attachments, and potentially give up passwords, we help identify users who need additional training on how to recognize fake emails that are attempting to get access to your account.
Q3. So our own school district is sending out fake emails to try to “catch” staff members? Huh? Why?
A3. Yes, we are asking a company to send out fake emails to help us measure how well our staff are doing in determining if emails are fake or not. Phishing attacks are one of the largest and easiest ways for scammers to access your email account and computer. They are also using these methods to access your personal accounts, including online banking (if you’re one who uses your school password for your personal accounts).
Q4. Who are the messages being sent to: Staff or students? Both?
A4. At this time, we are only focusing on @wdmcs.org staff members.
Q5. When will it begin?
A5. We are starting right away in the month of April.
Q6. How often will it happen?
A6. We are aiming for once a month per staff member. Also, we will NOT be sending out phishing tests during the busiest times (end of the school year or start of the school year).
Q7. Will everyone in the district get the same emails?
A7. No. The emails will be sent at random times and only a number of staff members will get the same message. Over time, each staff member will see a variety of phishing examples/types.
Q8. When I get an email that I think is suspicious – what should I do with it?
A8. Please mark it as SPAM. Make sure the email is selected and then click the SPAM icon (the stop sign icon with an exclamation point). This will delete the email and notify Google to have the message reviewed.
Q9. What will the emails look like?
A9. We are not sharing what the emails will look like. However, they will be comparable to the standard phishing scams that you’ve seen before.
Q10. When exactly will they be sent?
A10. We will not be sharing exactly what will be sent or when it will be sent – instead, we are notifying staff that phishing testing will start in the month of April.
Q11. How will I know if they are fake or not? What guidance can you give me to help understand what might be fake?
A11. We recommend the following sites for helpful tips on identifying phishing scams:
Q12. Is someone keeping track of who falls for the phishing emails?
A12. Yes, the company we hired is monitoring the emails and they track what message types are sent to which users, as well as what users fall for the phishing messages.
Q13. If I fall for one of the phishing or fake emails – what happens?
A13. If a phishing message contains a link and you click on the link, the next screen will identify that it is part of our phishing testing, and it will point out the indicators and help explain why the message should have been recognized as being fake.
Q14. Are there consequences? Will my supervisor be scheduling a meeting with me if I accidentally fall for one of the phishing emails?
A14. Initially, there will be no consequences. We are using the testing to find out how well our staff is doing at handling these types of email. If we find there’s a significant problem, we’ll then look at assigning online training to the individuals who need it.
Q15. By doing these phishing tests, are we asking teachers to do more work?
A15. No. We’ve always asked you to mark spam/junk mail when you see it, and this is no different. In fact, if you’re already good at spotting fake messages/junk mail, then nothing will change for you: you’ll end up deleting these messages and you’ll never have to worry about being asked to take additional training.