Anti-Phishing Education: Simulated Phishing Rules of Engagement

If you are planning to provide anti-phishing education through self-phishing in any U-M unit, you must abide by the U-M rules of engagement below.

  1. Approvals
    1. Unit senior leadership (including unit Human Resources) must approve the self-phishing campaign, which includes understanding that these IA guidelines must be met.
    2. IA must be made aware of, review, and approve the campaign, including reviewing the scenarios to be included in emails.
    3. ITS and/or HITS email teams must be included well before test messages are scheduled and sent to allow for support and planning.
  2. Communication
    1. Affected community members must be informed, before the campaign starts, that the anti-phishing activities will be taking place and that they will be participants.
      Recommendation: this communication should come from unit leadership.
    2. The ITS Service Center, IA, and IT support staff must be prepared for responses and inquiries.
  3. Training
    1. Anti-phishing training should be offered BEFORE and AFTER the self-phishing campaign.
    2. Self-phishing campaign emails should be reviewed and approved by IA.
  4. Participation and Results
    1. Training and self-phishing results must not be punitive, and must not be presented to participants in a way that feels punitive.
    2. Individualized training and self-phishing results are not shared with anyone but the participant unless approved by unit senior leadership and IA.
    3. Incentives for participation should be provided where feasible.

Contact IA for consultation, reviews, and approvals through the ITS Service Center.

These U-M campuses have conducted self-phishing in accordance with the rules of engagement:

  • Michigan Medicine. Michigan Medicine began offering anti-phishing training using simulated phishing in 2018. The training is being gradually rolled out department by department. See Simulated Phishing Emails at Michigan Medicine.