Cornell University

Phishing Simulation Training

Part of the cybersecurity training for all Cornell employees, simulated phishing messages are distributed by the IT Security Office to help harden the university's defenses against bad actors.

This article applies to: Security & Policy

Phishing and other kinds of fraudulent or deceptive outreach efforts are increasing in frequency and stealth at Cornell, so the IT Security Office is working to help the community learn to better identify and report suspicious email.

Every quarter, through a simulated phishing attack, suspicious messages will be distributed across Cornell email accounts by the IT Security Office. Please use the PhishAlarm tool to report these messages.

All Employees Participate 

Don't be alarmed when you receive phishing messages as part of these simulations. You are not considered to be more vulnerable to attack than your peers, co-workers, or supervisors. All faculty, staff, researchers, and other academic community members (including temporary employees) with a cornell.edu email address will be active in the simulation program, even our executives.

Cornell's phishing simulation program is similar to those conducted by other prestigious universities, where fraud attacks frequently target the complex financial systems and abundant intellectual property found in research and learning environments.

Expect a Challenge

The phishing simulation will distribute messages that appear to originate from a variety of senders. The simulated emails will be based on actual phishing attempts aimed at university employee email accounts, particularly those that 'almost' worked in the past.

These simulations will provide an evidence-based understanding of how Cornell employees perceive and respond to phishing risks. That will guide the university and the IT Security Office on security strategy improvements and defenses. This means some of the challenges will be more obvious and others will be very subtle.

Non-punitive, Meant for Education

There is no grade of A+ for identifying and reporting every simulated phish, and there are no punitive actions if you 'fall' for a simulation. These simulations are being run solely to help employees learn more about phishing and to reveal to the IT Security Office which types of phishing attacks are most likely to be successful in our community.

If a particular campaign proves difficult for Cornell employees to successfully identify, the IT Security Office may send additional messages to augment training in that style of attempted fraud.

Why Now? Phishing Attacks Don't Take Vacations

Bad actors continue taking advantage of rapidly evolving technologies. Leveraging these developments with society's growing tolerance for providing private data in web-based applications and AI-driven devices, criminals can now rapidly harvest personal data and turn it into increasingly authentic-looking conversational, marketing, and threatening content.

Fraud and phishing attacks never take a day off. In fact, holidays, academic breaks, and popular vacation weeks often serve as launch pads for many successful attacks. Because phishing, and the fraud that drives it, now form the single greatest threat to personal and business security and digital privacy, the IT Security Office will run phishing simulations throughout the year. You may see a simulated phishing message at a minimum of once a quarter.

Individual Bricks for Strong Walls

Cornell's IT security tools block thousands of phishing messages each week, but some of the new and repurposed campaigns evade those defenses. Asking each community member to help identify and report suspicious messages turns each of us into an individual brick, forming a strong wall of defense against these types of attacks.

Thank you for helping create a digital fortress around Cornell's people and resources. If you'd like more information about phishing and other cyber threats, see the IT Security website.

If you have concerns or questions about the phishing simulations, please contact Cornell's IT Security Office at itsecurity@cornell.edu.
