IT Security – Simulated Phishing Email Campaigns

What Is Phishing?

Phishing is a cyberattack that attempts to trick individuals into handing over personal information to cybercriminals.

This information may include login credentials, banking details, credit card numbers, and other sensitive data. Phishing attempts typically arrive through emails or text messages.

Cybercriminals may pose as someone from Okanagan College, a trusted vendor, or a reputable company to convince you to click a malicious link. While the link may appear legitimate, its real purpose is to steal your personal information or install harmful software on your device.

What Is the Purpose of Simulating These Campaigns?

IT Security conducts simulated phishing campaigns to help strengthen cybersecurity awareness across Okanagan College. These exercises are designed to help employees recognize suspicious messages and become more vigilant when identifying potential threats.

What Happens if I Fall for These Simulated Phishing Emails? Will I Be in Trouble?

You will not be in trouble. These exercises are designed to help you learn how to recognize phishing attempts in a safe environment, without any real‑world consequences. Your participation and results are kept confidential from your coworkers and managers and are only visible to the IT Security team.

You’ll receive a notification letting you know that you clicked on a phishing simulation conducted by IT Security. You will then be sent a few short training videos to help reinforce how to spot suspicious emails. These training messages will come from notification@attacksimulationtraining.com, a legitimate Microsoft‑provided training service.

Report or Verify Phishing Emails

Reporting suspicious emails helps us identify potential threats and protect the entire Okanagan College community from phishing attempts and malware.

How To Report Phishing Emails:

These steps are the same for the New, Classic, and Online version of Outlook.

1. Open Outlook and go to your Inbox.
2. Select the suspicious email (do NOT click links or attachments).
3. On the top ribbon under the Home tab, click the Report button.

4. A confirmation box will appear, select Report to finish.

How To Verify if an Email Is Phishing:

If you are unsure whether an email is malicious or not, please forward it to ITSecurity@okanagan.bc.ca and we will confirm that for you as soon as possible.

Recognizing Phishing Emails:

Imagine that the email below has just arrived in your inbox. Before scrolling down to see the answers, take a moment to review it and see if you can identify any signs that it might be a phishing attempt.

Did you catch them all? These indicators are explained in more detail below:

Check the sender's email address:

• Always check the sender’s email to confirm it is from a legitimate source.

"CAUTION" banner:

• This banner indicates that the sender is from outside of Okanagan College and should be treated with extra caution. Never provide personal information, passwords, or make purchases from these emails.
• Always watch for this banner, especially if an email appears to come from Okanagan College. This banner will never appear on internal emails. However, even if the banner is not present, it is still important to stay alert for other signs of phishing, as an internal account could still be compromised.

Generic greetings:

• Phishing emails are usually sent in large batches. To save time, cybercriminals use generic names like "Hi Student" or "Hi Professor" so they don't have to type out names. Be skeptical of such emails.
• Keep in mind, more sophisticated phishing attempts can use your real name along with more information about you such as your job title and place of employment. This is known as spear-phishing.

Poor grammar and misspellings:

• Phishing emails often have poor grammar or misspellings.

Emails that ask for personal information:

• Legitimate companies will never ask for personal credentials via email.

Urgent action required:

• Phishing emails often try to create a sense of urgency or demand immediate action. The goal is to get you to click on a link and provide personal information - Right Now!

Fake links and suspicious attachments:

• Always check where a link is going before you click on it. You can hover over a link with your mouse to see the actual URL.
• If you are unsure if an email is legitimate or not, it is best to avoid clicking on the link altogether. Instead, open your web browser and go directly to the website yourself.
  • For example, if you receive an email claiming you need to log into your bank account and it includes a sign‑in link, do not click it. Instead, open your browser, type in your bank’s official web address yourself, and check there to confirm whether the message is real.
• Make sure the email is legitimate before clicking on or downloading any attachments.

Unsolicited emails:

• Be wary of unsolicited emails, especially those asking for personal information or urging immediate action.

Additional Common Questions:

Can I click on the link to see what happens?

No. These simulations are intentionally designed to resemble real phishing emails as closely as possible, and there is still a significant chance that what you’ve received could be an actual phishing attempt. Please report it by following the steps outlined in the Report or Verify Phishing Emails section above.

Can I opt out of these emails?

No. Unfortunately, cybercriminals continue to get more sophisticated, and the tools they use to create convincing malicious emails are improving as well. That’s why it’s essential to stay up to date with regular training to stay ahead of the curve.

What are some good resources to learn more about phishing?

If you would like to learn more about phishing, Microsoft has an informative article that you can view here.

If you have any questions or concerns regarding our phishing campaigns or phishing emails in general, please send us an email at itsecurity@okanagan.bc.ca and we will get back to you as soon as possible.