May 28, 2019

Did you avoid the lure of FileDrop or were you phished in May?

Find out how UCalgary did in the recent phishing exercise and how to avoid a phish
University of Calgary

University of Calgary

Between May 6 and May 10, 2019, IT Security and Architecture delivered a phishing exercise to 10,000 random emails. The results were surprising. Five hundred of the 10,000 emails were clicked (they were phished), while the other 95 per cent either immediately deleted the email or reported the phish.

Richard DeBruyne, director of security and architecture for Information Technologies says, “This phish is considered a Class 2 exercise, which means it was relatively easy to spot. We will do other exercises at various points throughout the calendar and academic year utilizing a Class 3 phish. It will be more challenging, and indicative of a real phish by a cyber criminal.”

To the 95 per cent who identified the phish and did not click — nicely done. You are helping to keep you and your colleagues safe.

Report every phish

IT would like to recognize all those who reported the phish via the junk mail tool in the Outlook navigation bar (see image above right), or attached the phish and sent it to If you believe an email may be a phish, report it through either of these two methods. Every report aids IT in improving the effectiveness of email filtering and further protecting UCalgary.


Report phishing when you see it.

Report phishing when you identify it.

How to spot a phish

For the five per cent who did click on the phish, you now have a great opportunity to learn how to be cybersecure. Carol Williams, lead risk and compliance for IT, shares the simple diagram (image below) of two areas that were suspicious in the phishing exercise, as a place to start.

However, there are many clues in a phish and those two areas may look just fine in a real phish. DeBruyne states, “The single item that will give a phish away is the link. Roll your mouse over it and make sure it is what you expected. And if you are unsure, don’t click. You have every right to ignore any email that looks like a possible phish.”

If it is a real email, and you do not click on the link, someone will definitely follow up with you, especially if it is important. Williams adds that we all need “to become our own security expert, self-aware and self-protective!”

Cybersecurity is all of our responsibility. By taking care of your own cybersafety, you are also helping to ensure the safety of everyone on campus. For further information, visit

Image removed.