Phishing scams are a leading cause of incidents and breaches in the education sector. Motivated by financial gains, cybercriminals primarily target personal information and account credentials. As part of CU’s phishing awareness program, OIS sends simulated phishing emails to all employees each month in an effort to help you be successful in recognizing phishing tactics and red flags when receiving a suspicious email.

What is phishing simulation?

Phishing simulation involves periodically sending “phishing” emails to employees. The simulated phish may appear to come from an IT department, Microsoft Teams or Zoom, or vendors we use for services or supplies. Those who inadvertently respond to a simulated phish will receive an immediate response in the form of an educational page that highlights the red flags in that specific phish example.

These simulated scams are completely safe and there are no negative consequences if you mistakenly reply to a simulated phishing message. The Office of Information Security will not share responses from individual employees or students with anyone else. The focus of the output is on aggregated statistics about response rates and no further information will be shared.

Will my manager be told if I open a link or attachment contained in a simulated phish?

No. The goal of the phishing simulation process is educational and not punitive.  As such, the results are confidential and only information security staff will have access to the details regarding which users responded to the messages.  This information may be used to better target which emails are sent and which training materials are presented, as well as the potential for information security staff to reach out directly to individuals for follow-up. 

How will the information be collected and used?

The information security staff will provide summary information of the results to a variety of oversight and governance groups.  These summaries will include information like response rates for different user populations (a campus, school, department, etc.) to help inform decisions on training and awareness as well as demonstrate improvements over time.  In addition, customized reports are available for departments that would like to view overall statistics about how well they are doing.

I’m a manager at CU and I’d like more information on how my department reacts to simulations. How do I get more information and what can you tell me?

To learn more about your department’s handling of the simulated phishing, please contact Those in leadership roles may request a summarized report for their area.  The Office of Information Security will not provide departments with information on specific individuals. To preserve confidentiality, we will not provide data for departments that are so small that a summary might provide insight into individual responses.