Anatomy of a Phish: April 2025 Phishing Simulation

In April 2025, we conducted another phishing test to evaluate our organization’s resilience against phishing attacks. This test was one of the more challenging tests we have sent, yet it provided valuable insights into our cybersecurity awareness. Out of 512 recipients, 178 failures occurred from the phishing test.

We are incredibly thankful to the 103 individuals who reported the phishing email. We are aware of issues some with the “Phish Alert Button” during the time of this test and have since taken steps to correct these issues.

Reporting phishing emails, even if you fail the test, is crucial for our institution’s cybersecurity. It allows us to quickly identify and mitigate potential threats, protecting our organization and its members from harm.

Below, we outline the key indicators from our test that everyone should be aware of:

Ambiguous Salutations: Be cautious of generic greetings like “Hello” or “Dear user.” Legitimate emails from our organization will usually address you by name (not in this particular test, but please be aware of this common indicator).

Sense of Urgency: Phishing emails often create a sense of urgency to prompt immediate action. In our test, the email urged recipients to click on a link to listen to a Teams branded voicemail.

Hover Over Links: Always hover over links to check if the URL matches the site it claims to be. In our test, the link provided did not lead to an official Microsoft site. This was the main red flag for this test, which tells us this is a behavior that we need  to improve.

Spelling/Grammar Errors: Watch out for spelling and grammatical mistakes. Although not shown in our test email, errors like these are common in phishing attempts.

Suspicious Sender Address: Even if the sender’s address appears to be from our organization, it could be spoofed. Always verify the sender’s email address carefully.

By staying alert and recognizing these red flags, we can better protect ourselves and our organization from phishing attacks. Remember, if something feels off, it’s always better to double-check before taking any action and please help our organization’s information security by utilizing the “Phish Alert Button”.