Phishing attacks are a regular occurrence for every higher education institution, and ensuring awareness of these risks is vital to protecting institutional and individual systems and data. ITS has conducted a quarterly simulated phishing program in accordance with best practice and at the request of the Joint Audit and Compliance Committee (JACC). For two years, we have been sending simulated messages to UConn faculty and staff that mimic the types of phishing threats we see on a regular basis. If the recipient clicks on a link in one of these messages, they are directed to a webpage with phishing awareness information.
When the program began in October 2020, we collected aggregate and not individual results. However, the overall failure rate has been persistently higher than expected, with several quarters exceeding 10%. We have been asked by the JACC to reevaluate our approach. In response, we are increasing the frequency of tests from quarterly to monthly and will start collecting and retaining individual failure results. ITS will use the more granular data to focus awareness training. These changes will commence with the next round of tests later this month.