UNH Phishing Awareness Program

January 14, 2020

by UNH IT Staff


UNH is a gold mine of personal data, and that’s why we are an attractive target for aggressive phishing attacks. The best way to prevent phishing attacks is to empower individuals with the knowledge and training needed to identify phishing emails and handle them safely. 

Over the past two years, UNH increased its efforts to educate UNH students, faculty, and staff on how to identify, avoid, and report phishing attacks by launching an awareness program. This program includes in-person presentations to UNH departments, the introduction of The Phish Bowlan online Canvas training course, and outreach at the last two University Days. The phishing awareness effort also includes periodic phishing simulations, which are designed to mimic real phishing attacks and give UNH community members a realistic experience in a safe and controlled environment. 

Industry Studies 

One study in the healthcare industry found a user’s susceptibility to falling for a phishing email to be about 16.7% or 1 in every seven emails. This study also determined that susceptibility decreased when users continued to receive phishing simulations. Another 2015 study found three email simulations dropped susceptibility rates by almost 50%. 

UNH Experience

The UNH IT Phishing Awareness Program produced favorable results for employees. Since its launch for employees in fall 2017, the program decreased susceptibility: 

  • Compromised Data Entry: 82% decrease in credential entry 

    • What this means: phishing emails often try to trick recipients into entering their username and password on a fake website, thus capturing these credentials, During the first year of the program, the number of faculty and staff entering credentials decreased by 80% and has remained consistent.
  • Malicious attachments: 50% decrease in susceptibility 
    • What this means: many phishing emails include malicious attachments. Throughout this program, the number of faculty and staff who opened malicious attachments decreased by 50%.

Timing Matters

Across all campaigns, the first 4 hours of an attack are the highest risk for user susceptibility, which is why reporting is so essential. The sooner we all report phishing attacks, the faster UNH IT can post to the Phishbowl and spread the word. 

Over the life of the phishing awareness program, employee reporting gradually increased by 30% over the first simulation, where UNH IT tracked the number who reported the email to the most recent campaign. 


In fall 2019, students received communication about UNH phishing awareness efforts before receiving their first simulated phishing emails.  In the first simulated phishing attack against students:

  • 8% of all students clicked on the link included in the fake phishing message
  • 3% entered their credentials 

While these numbers are relatively favorable, when you consider the size of the student body, 3% equates to more than 650 students who provided their credentials.  Additionally, it became clear students don’t know what to do when they receive an email they suspect is phishing. To address this, UNH IT will launch a student-centric phishing awareness push during the spring semester. 

Bookmark and Share