If you are planning to provide anti-phishing education through self-phishing in any U-M unit, you must abide by the U-M rules of engagement below.
- Approvals
  - Unit senior leadership (including unit Human Resources) must approve the self-phishing campaign, which includes understanding that these IA guidelines must be met.
  - IA must be made aware of, review, and approve the campaign, including reviewing the scenarios to be included in emails.
  - ITS and/or HITS email teams must be included well before test messages are scheduled and sent to allow for support and planning.
- Communication
  - Affected community members must be informed, before the campaign starts, that the anti-phishing activities will be taking place and that they will be participants.
    Recommendation: This communication comes from unit leadership.
  - The ITS Service Center, IA, and IT support staff must be prepared for responses and inquiries.
- Training
  - Anti-phishing training should be offered BEFORE and AFTER the self-phishing campaign.
  - Self-phishing campaign emails should be reviewed and approved by IA.
- Participation and Results
  - Training and self-phishing results are not to feel punitive.
  - Individualized training and self-phishing results are not shared with anyone but the participant unless approved by unit senior leadership and IA.
  - Incentive for participation should be provided if feasible.
Contact IA for consultation, reviews, and approvals through the ITS Service Center.
These U-M campuses have conducted self-phishing in accordance with the rules of engagement:
- Michigan Medicine. Michigan Medicine began offering anti-phishing training using simulated phishing in 2018. The training is being gradually rolled out department by department. See Simulated Phishing Emails at Michigan Medicine.