JMU undertakes phishing education campaign

In November 2023, JMU employees and affiliates received one of three simulated scam email messages (known as “phishing” messages) in their JMU inbox. The three messages either offered a reward of a dining voucher, offered the chance to win a prize for completing a coffee survey or warned of a suspicious login to their account. These messages were part of a harmless exercise to train members of the JMU community on the potential risks of phishing and to teach them to identify phishing messages. Campaigns of this type are regularly used by educational institutions and large corporations to assess potential risks from real phishing activity.

Each of the messages in JMU’s recent exercise contained either a link or a QR code that ultimately directed the recipient to an educational website. Of the 5,429 messages delivered to JMU inboxes, recipients visited the link or QR code 815 times. This “click” rate suggests that educational programs such as the campaign, security awareness training, RunSafe training, and other communications and reminders about phishing are important strategies to mitigate the threat to the university posed by phishing attacks. JMU also employs email protection services to prevent phishing messages, spam, or messages containing viruses and malware from being delivered to JMU email accounts.

Scammers increase their efforts to fool unsuspecting email recipients at times when the public is most vulnerable.  As we enter the holiday season, it is especially important to stay vigilant for online scams. Commonly seen phishing in previous holiday seasons includes fake package-delivery notifications (often warning of delays), fraudulent charity fundraising campaigns, bogus sales on hot items or other popular gifts, seasonal job offers, and more.

The simplest ways to identify phishing messages are:

1. Examine the sender’s address. Is it from someone you know or a domain you trust?
2. Examine links in the message. Do they point to a legitimate website, and do they point where they claim to point? You can examine links by hovering over them to reveal the underlying address.
3. Consider what is being claimed or offered. Does it create a sense of urgency?

For more detail on these and other tips, here are some great resources to read/bookmark:

• Identitytheft.gov (an FTC website)
• FTC Consumer Advice on Recognizing and Avoiding Phishing Scams
• CISA Phishing Recognition Video
• CISA Blog: Avoiding Social Engineering and Phishing Attacks

If you receive a phishing message in your JMU inbox, please report it by forwarding it as an attachment to abuse@jmu.edu. You may contact the IT Help Desk at (540)568-3555 for assistance in verifying the authenticity of an email message you have received.