Simulations are used to train astronauts and health care workers, so why not faculty and staff faced with stressful decisions? New phishing simulations to be run quarterly by the Cornell IT Security Office have been designed to help faculty, staff, researchers, and other employees more easily identify and report suspicious emails. They will also give the security team valuable information about which attacks are likely to be successful in the community.

"Our primary goal is to help educate community members to spot social engineering attacks, specifically phishing emails," said Bobby Edamala, Cornell's Chief Information Security Officer. "Social engineering attacks can circumvent many of our controls if a community member is tricked into giving up their credentials or other information."

A variety of technical controls already limit the number of fraudulent messages entering Cornell's digital environment. When new attacks infiltrate those defenses, Cornell employees are the best positioned to defeat them, if they know what to look for.

Email fraud often attempts to mask itself as a threat, a plea for help, or a communication from a trusted co-worker, friend, or boss. These malicious, suspicious, and impersonation messages have become more sophisticated, thanks to the prevalence of generative AI writing tools. Happily, most Cornell employees are adept at identifying them, and phishing messages are now easier to report with the new PhishAlarm button in Cornell Outlook or Gmail email readers.

Report Suspicious Emails with PhishAlarm

Edamala said, "If you suspect an email might be a simulated phishing email, report it as you would any other suspicious message: use the PhishAlarm button in your email reader or forward the message to the IT Security Office. Again, the goal of our simulation is to help educate the Cornell community in spotting suspicious messages. These simulations will not result in punitive action against anyone who does not identify nor report them."