
Duke Health pilots simulated phishing

From Feb. 10-13, the Duke Health Information Security Office (ISO) conducted an authorized simulated phishing campaign for all Duke Health users.  

The phishing email was designed as a Valentine’s Day scam, aimed at getting users to click a link to view a Valentine’s Day e-card. The campaign ended with a 36 percent click rate, meaning that more than one-third of Duke Health users clicked at least one of the links in the email. Users who clicked received immediate feedback and information about the dangers of phishing.

About 5 percent of the Duke Health community reported the phishing email as suspicious using the “Report Phish to Duke” button. The button, available in all Outlook email clients, sends the suspicious email to Duke’s security teams for analysis. When users report an email that is part of the simulated phishing program, they receive a message assuring them that it was part of a simulated campaign.

Duke’s IT security offices offer the following tips to help fight phishing:

  • Be suspicious if an email is urgent, comes from an unknown sender or makes an unusual request.
  • Treat links in emails from unknown senders with caution.
  • Verify any request for money or gift cards independently before any transaction is made.
  • Remember that Duke will never ask for your password via email.
  • If you aren’t sure an email is safe, report it using the Outlook “Report Phish” button.

Duke Health will continue to perform simulated phishing exercises. Any Duke Health or university department interested in increasing its phishing awareness and resiliency can email for more information about the program.