Our two phishing simulations for faculty and staff this spring showed great improvement in identifying phishing attempts.
The click-through rate (lower is better) was under 7% for the first simulation and under 4% for the second. These click-through rates easily beat the average of 11% across higher education. While even one user clicking on a phishing link (and accepting a Duo push) can lead to a breach, this low percentage is very good news.
An even more impressive trend is that the reporting rate (higher is better) for both of the spring exercises blew away the 9% reporting rate for other higher education users. Carleton’s reporting rate for the first exercise was nearly 34% — meaning one in three people correctly reported the simulation message using the Google report phishing tool — and for the second exercise, the reporting rate was 24%.
* Averages for 2021 are from Proofpoint “2021 User Risk Report.” Averages for 2022 and 2023 are from Proofpoint “2023 State of the Phish Report.”
These metrics demonstrate that our education efforts following the phishing incidents in December and January are improving our community’s ability to spot and properly report malicious emails. Let’s keep it up.
Properly reporting phishing
Properly reporting phishing is one way everyone can do their part to keep the Carleton community safe from scammers and hackers. The quicker a phish is reported, the more likely it can be removed from other users’ mailboxes before they see it.
For quick tutorials, check out: how to recognize a phishing URL and how to report phishing messages.
We perform four phishing simulations annually—two in the spring and two in the fall. Look for an announcement in Carleton Today in advance of the next exercises.
Have a great summer, and remain vigilant for malicious emails.