Information Security: UW System Phishing Email Simulations

Summary

UW System phishing simulation email messages starting July 2022.

Body

The University of Wisconsin System Administration has a system-wide phishing awareness education program in which simulated phishing email messages are sent to all faculty and staff in the UW System.

May 2025-Stats

UWRF had less than 1% click rate on this month's phishing campaign!


Phishing Simulation Explained:

Breaking Down the Phishing Attack

The phishing simulation was sent to all University of Wisconsin-River Falls employees including student employees.

Here is a copy of the simulated May phishing message that was sent. You can find indicators in each that help identify it as a phishing message.

Spot the Spoofed Email Address

Checking the email address is one of the best ways you can tell if a message is a phishing attack. By inspecting the email address, you can see it is not from zoom.com. The email name is spoofed to show up with the name “Zoom,” but the actual email address goes to <zoom.notification@internalitsupport.com>. When compared, a real email is from Zoom has a domain of <@zoom.us>.

Call to Actions

The button “Enable ZoomAI” is meant to tempt you into clicking, which in practice would lead to a fake login page or malware.

Legitimate companies don’t roll out features without prior notice or context. If you are not familiar with the service being offered, you can always google/search their website and try to find the info independently of the link in the message.

Look for Errors!

Scammers often have slight misspellings to attempt getting past email security filters.

For example, you can see a grammar mistake with “We’ve turned AI on it's head” this is an incorrect use of “it’s” instead of “its.”

Phishing emails often have small grammar or style issues that legitimate companies would catch.

Report any branded email that has errors as that is likely a phishing attack.

Fake Physical Address

The Zip code listed in the email does not match the real zip code of Zoom HQ.

Report as Phishing

Keep in mind for any email you receive and always be suspicious of unexpected messages. You were not expecting this message. Don’t let their urgency cause you to act without thinking.

While DoTS is able to block the vast majority of malicious messages it is possible for phishing attacks to slip through, so you need to be careful.

By reporting the message, you are helping us keep everyone safe. Nothing bad happens by reporting a message as phishing. If you aren’t sure something is safe, please let us know by using the Report Message feature in Outlook and selecting “report phishing.”

 

 

March 2025-Stats

This grid shows each entity and the percent of recipients that clicked on the links in the phishing email.

UWRF ranked #9. (Click to enlarge the photo)Uploaded Image (Thumbnail)


Phishing Simulation Explained:

Breaking Down the Phishing Attack

The phishing simulation was sent to all University of Wisconsin-River Falls employees including student employees.

Here is a copy of the simulated March phishing message that was sent. You can find indicators in each that help identify it as a phishing message.

(Click to enlarge the photo)

Uploaded Image (Thumbnail)

Spot the Spoofed Email Address

(click to enlarge)

Uploaded Image (Thumbnail)

Checking the email address is one of the best ways you can tell if a message is a phishing attack. By inspecting the email address, you can see it is not from linkedin.com. The email name is spoofed to show up with the name “LinkedIn,” but the actual email address goes to <linkedin@linkedincdn.com>. When compared, a real email is from LinkedIn with the address <notifications-noreply@linkedin.com>.

Go Directly to the Source

The email is meant to make you click out of curiosity and potentially excitement that your profile is being viewed. They are attempting to lull you into trusting the branding in order to get you to interact.

Look for Errors!

Scammers often have slight misspellings to attempt getting past email security filters. For example, you can see here that there are multiple misspellings of the brand name. A quick glance may miss this, but they have LinkedIn written as both “Linkedin” and “Linkdin.”

There are several other errors including the lack of punctuation for the word who’s as “whos” and the footer of the message includes a suspicious location with the listed address being at “1000 West Bogus Plaza, Pseudoville, NA.”

Report any branded email that has errors as that is likely a phishing attack.

Report as Phishing

Keep in mind for any email you receive and always be suspicious of unexpected messages. You were not expecting this message. Don’t let their urgency cause you to act without thinking.

While DoTS is able to block the vast majority of malicious messages it is possible for phishing attacks to slip through, so you need to be careful.

By reporting the message, you are helping us keep everyone safe. Nothing bad happens by reporting a message as phishing. If you aren’t sure something is safe, please let us know by using the Report Message feature in Outlook and selecting “report phishing.”

  • Phish rate: 0.55%
  • Phish rate compared to other UW institutions: Top 50%

The Email

Uploaded Image (Thumbnail)

 

  • QR codes in emails can be a red flag. It is wise to avoid scanning them altogether if you did not ask for it to be sent to you. Legitimate messages will typically give you alternatives to scanning a QR code.
  • The email is not a UWRF or Microsoft address.
  • There are misspellings/grammatical errors including “Were,” “Please ensure follow the instructions carefully,” “Micrsoft,” and “gude.” Do keep in mind that, just like using real branding, a lack of misspellings does not mean the message is safe. Scammers are using AI to craft convincing emails in multiple languages.
Uploaded Image (Thumbnail)

 

Details

Details

Article ID: 145823
Created
Mon 8/15/22 5:32 PM
Modified
Tue 6/17/25 11:49 AM