Information Security

Simulated Phishing Training for staff at University of Edinburgh

University of Edinburgh Staff can expect to receive fake Phishing Emails in a new immersive training process

We have all seen news reports about organisations suffering data breaches – just think about the recent WannaCry attacks.  One of the most common ways for attackers to gain unauthorised access to organisations is through phishing emails, where recipients are asked to open an attachment or click on a website link.  When one of these emails arrives in our inboxes, we are just a click away from compromising the University's security.

Being able to spot these emails for what they are makes us all an integral part of the University’s information security controls.  To help everyone understand how to recognise this attack method, we have launched an immersive phishing simulation program.

How does the simulation work?

The Information Security team will periodically send out simulated phishing emails that imitate typical attacks.  These emails are designed to give a realistic experience in a safe and controlled environment.  They will allow the recipients to become more familiar and resilient to the tactics used in real phishing attacks.

The simulations will look no different than any other email, with a number of them being based directly on phishing attempts made against the University in the past.


What if I get click on a training email? 

There will be no penalty for anyone not spotting these emails and if you do click on a link or open an attachment, there will be no harm done.  You will however be asked to review some training material that explains the dangers of real phishing emails and how to spot them.

As the program progresses you should be better at spotting phishing attacks, both at home and in the workplace.

Remember: The next one may not be a training simulation.


What to do if you receive a Simulated or Real Phishing Email

Although your first instinct is likely to be to delete or ignore suspicious emails, we ask that you report them to the IS Helpline.  If you've received a phishing email, the chances are your colleagues across the University have too.  By reporting suspicious emails, we can all help keep our systems and data safe.



As of now, the University will be running a simulated phishing email awareness program.  By being proactive and helping everyone learn how to spot and report potentially dangerous emails, we can keep ourselves and the University safer.