JMU Undertakes 2025 Phishing Exercise

In April, JMU Information Technology (IT) engaged in an email security exercise designed to educate the community about email scams, known as "phishing".

What was the exercise?

The exercise involved delivering one of two simulated phishing emails to over 6500 employees and affiliates. One of the messages claimed to be from the JMU voicemail system and asked recipients to click a link to listen to a new message. Another version claimed to be sent from the “President’s Office” and instructed recipients to complete a form to receive a payroll disbursement. If the recipient clicked the link in either message, they were directed to a fake Microsoft login screen and asked to enter their credentials. If credentials were provided, respondents were given information about how the potential scam could have been identified, and they were also directed to JMU’s Phishing Education web page. 

What is the purpose?

Phishing exercises or simulations are commonly used by large organizations like JMU as an important part of educating everyone about the risks posed by phishing scams to individual accounts and institutional data.

What were the results?

JMU's recent exercise was successful in multiple ways.  First, the majority of JMU recipients did not click the links or provide credentials during the exercise. If you were among this group, JMU IT thanks you for your vigilance!  Second, those who did not identify the messages as phishing were provided educational resources.  If you were among the latter group, please use this as a learning opportunity and explore additional resources such as JMU’s RunSafe training and LinkedIn Learning. 

What to do if you receive a phishing message

If you receive a phishing message, please report it by forwarding it as an attachment to abuse@jmu.edu.  If you require assistance in determining whether a message is legitimate or not, please contact the IT Help Desk at (540)568-3555. 

Thank you, 
Information Technology