Phishing Simulation and Training

If you just clicked on a link and expected to see a feedback survey, then you may have failed our most recent phishing simulation. Please do not inform other non-IT staff as this is a live simulation to help improve awareness.

Don’t worry!

This exercise is here to help us all become more vigilant. No one should feel ashamed of being tricked by a scam, it can happen to anyone.

Phishing attempts are becoming increasingly sophisticated, and no one is exempt from being the target of one. Be cautious with unexpected emails, especially those requesting personal information, login credentials, or urgent actions. If something feels off, trust your instincts – verify face-to-face with the sender or report it to IT.

Below you can find more information to help you avoid malicious attacks including a breakdown of the phishing simulation and an informational quiz. We strongly recommend that all staff put aside some time to carefully read the information on this page to help protect Highfields and build a stronger security culture. 

Highfields IT Team

Let’s analyse the simulation

1. The email address – In this case the email address isn’t displayed in full but you can still view it by clicking on the name. You will see the actual email is -amarsh@ and it is marked as a distribution group.

2. Spelling – Most people should notice the spelling mistake at the very start of the email. Bad spelling is not always an indicator of a phishing attempt but combined with other factors it should make you more suspicious.

3. The link – By hovering over the link we can see the URL is https://grabify.link/E7ZQKU. This does not immediately sound like a survey website and should make you suspicious. If you want to confirm the legitimacy of a link you can search for the website in a browser. In this instance, we find out that ‘grabify’ can be used to create links that steal information from people who click them.

4. Unusual wording – Although more difficult to spot, the wording of the email can be another indicator. The most obvious example is the signature, where they are unusually formal and use the full name of the person they are impersonating.

5. Signature – This email is also lacking an automatic signature. Many staff use the automatic signature feature of Outlook to add important information like contact details to the end of all their emails. They also help to make your emails unique and stand out from phishing attempts impersonating you. Be suspicious if you receive an email from someone without an automatic signature who normally does use one.

Conclusion – While this phishing simulation is not very technically complex, it is still very dangerous. These types of phishing attempts can fool vulnerable people but more often they trick people who are complacent or dismissive. Too many people assume that “I would never fall for a scam” but statistics prove otherwise. Vulnerable people are always at a greater risk of being scammed but no one is completely safe from being targeted by them.

The best way to combat scams and stay safe is by keeping your cyber security knowledge up to date and doing refreshers like this one.

What does Phishing mean and why does it matter?

Phishing is a type of online scam where criminals try to deceive you into giving away sensitive information like passwords, credit card numbers, or personal details. The most common types pretend to be from legitimate sources – such as banks, large businesses, friends, or even your own organisation. These messages usually try to create a sense of urgency or fear, urging you to click a link, download an attachment, or provide confidential information without thinking.

While many instances of phishing are one-off scams, they are also used to find vulnerabilities in an organisation during large-scale targeted cyber attacks. Schools are not an uncommon target for hackers because they store lots of sensitive personal data and are often more vulnerable than larger businesses.

Reliably being able to spot phishing attempts is our first line of defence against cyber attacks.

How can I spot Phishing?

  • Be wary of unsolicited emails. If you receive an unexpected email, especially one asking for personal information or urgent action, take a moment to evaluate its legitimacy.
  • Check the email address. Phishing emails often use addresses that look similar to legitimate ones but may have small differences. For example, support@paypa1.com instead of support@paypal.com.
  • Don’t click links or open attachments. Avoid clicking on links or opening attachments in suspicious emails. If you are uncertain, you can always hover over a link with your mouse to show the URL, test it now. Remember that a fake link might try to imitate the URL of the real website but with small and easy to miss differences.
  • Look for spelling and grammar errors. Some phishing emails contain poor spelling or grammar. Legitimate companies proofread their communications, so errors can be a red flag.
  • Beware of urgent requests. Phishing emails often create a sense of urgency, asking you to act quickly. Take a moment to pause and consider whether the request seems reasonable or expected.
  • Never share personal information. Legitimate organisations will not ask for sensitive information like passwords or contact information via email. If you receive such a request, contact the sender through a known, trusted method.
  • Report suspicious emails. If you suspect an email might be phishing, don’t ignore it. Report it to administrator@highfields.derbyshire.sch.uk. Even if you have already clicked a link or responded and don’t realise until much later, please notify us as soon as possible.

Further Resources

The resources below provide further reading and training to anyone interested. We highly recommend that anyone who failed the simulation should use the Jigsaw quiz to improve their knowledge. You can also contact the IT team with any questions at administrator@highfields.derbyshire.sch.uk

Jigsaw Phishing Quiz – a short quiz made by Google. It gives you believable examples of phishing attempts and explains how to spot them. (HIGHLY RECOMMENDED)

Cyber Security for Schools – A website by the National Cyber Security Centre, full of resources made for schools to improve their cyber security. This has a lot of resources but we HIGHLY RECOMMEND looking at the NEN Cards, which summarise some of the most important facts.

BBC Scam Safe Week – a collection of resources and information gathered by the BBC as part of their recent Scam Safe Week. Recommended if you want more resources about how to stay safe or how scams work. Includes an A-Z of types of scam and a scam safe quiz.

Cyber Security Breaches Survey – A survey by the UK government last year on the cyber security of businesses. Between 32%-69% of businesses recorded a breach or attack in the last 12 months, and 11%-37% of businesses have experienced cyber crime in the last 12 months.

Stop! Think Fraud – A UK government campaign to raise awareness of fraud. This website contains lots of information about frauds, why you might be vulnerable, and how to help.
