Most of us know that we should be wary of opening emails that invite us to open a link, but sometimes our fingers react faster than our brains and before you can say phishing scheme, you have opened that treacherous link and fallen hook, line and sinker for some cybercriminal.

were you caught out?



Géna Thompson is a business analyst in the Academic and Office Solutions division of the IT department.

The latest cybersecurity awareness drive is available in an online training portal format that staff members can work through whenever it suits them. The training material theme is "Staying cyber safe at home," and includes phishing content since it remains crucial that everyone can identify a potential phishing email.

On 11 February, the NWU’s IT department deliberately sent out a “phish” to establish how vulnerable our staff – and therefore the university – are to these schemes.


eish! spoke to business analyst Géna Thompson about IT’s Phishing Email Awareness campaign.


Q: First of all: what is a phishing email and what is a phish?

A: A phishing email is a type of email where criminals impersonate legitimate organisations in an attempt to steal personal information, such as your login credentials.


The word “phish” refers to a phishing email that incorporates trackers and reports our staff members’ interaction with this email.


Q: Why was it necessary to launch the Phishing Email Awareness campaign?

A: The purpose was to establish how vulnerable we are as an institution through employees interacting with potential phishing emails. We also wanted to know if further training and cybersecurity awareness campaigns were needed to safeguard us against cybercriminals.


Although our department has methods to protect staff members from phishing emails, a few do reach their email boxes, so it is essential that they are able to identify a phishing email. If you click here, you will see the phishing email that we sent to staff, and also find a few tips on how you could have spotted that this was not a legitimate email.


Q: What were the results of sending out these emails?

A: total of 4 966 emails were sent to staff members, and in the first hour 209 users opened the email and clicked on the test phishing email link. This shows how quickly an attack can spread throughout the network. Ultimately 799 users opened the email and clicked on the link by the time the campaign ended a week later.


Q: If people opened the email, what happened?

A: In this specific case nothing happened when staff members just opened the phishing email. However, when they clicked on the email link, it was possible to track that and identify them. These staff members were then directed to our Phishing Email Awareness campaign page that contains online training material. Of the 799 users, 226 completed this online training.


Q: What will the consequences be if a phishing attempt succeeds?

A: There can be enormous financial implications for staff personally, or for the university.


When a hacker accesses a staff member’s bank account information, the person’s personal funds may be stolen. A phishing attack could also infect the NWU network with ransomware, which is a form of malware that encrypts files. The attacker then demands a ransom to restore access to the data.


From a single click, criminals can also identify the operating systems and web browsers used on user devices. For example, 22 users who clicked on the link were running vulnerable versions of Firefox, which can be exploited in follow-up attacks.


Q: Are you satisfied that the campaign was successful?

A: We would of course have preferred to find that not a single staff member clicked on the email link – something that is very unlikely. The campaign has however provided us with valuable information and made us realise that we need to continue educating staff on identifying phishing emails and on the dangers of these emails.