Debrief: Simulated Phishing Exercise at UCL - What you need to know

A person writing on a notebook with their laptop in front of them
Learn what to pay attention to in future emails to prevent phishing.

On Monday 24 February 2025, the Information Security Group (ISG) conducted a simulated phishing test across all UCL staff to raise awareness about email security and phishing threats, and to support our compliance obligations. The test involved sending an email that appeared to come from IT Services, alerting recipients to an "unusual sign-in attempt" on their Microsoft account. The message urged users to click a link to review their recent activity. Once clicked, the link led to a simulated phishing page where individuals were prompted to enter their UCL email address and password. Those who entered credentials were immediately redirected to an educational training page designed to help them recognise and prevent real phishing attacks in the future.

Phishing can happen to anyone - practising together makes us better prepared!

If you interacted with the phishing email or even entered your credentials, don’t worry - this was a learning opportunity, not a real attack. Phishing emails are increasingly sophisticated and can deceive even the most security-conscious individuals. UCL uses numerous technical tools to reduce the chance that phishing emails reach your inbox, but no technical solution is perfect. The purpose of this simulation is to help staff stay one step ahead of cybercriminals by recognising suspicious patterns early and building confidence in how to respond safely. Learning from such simulations reduces the risk of falling victim to actual cybercriminals in the future.

Why do we conduct phishing simulations?

Phishing remains one of the most significant cybersecurity threats today, accounting for a large percentage of security breaches worldwide. These attacks do not just steal login credentials - some also deliver malware, ransomware, or exploit access to sensitive data. There are various types of phishing attacks, including:
  • Email phishing - Fraudulent emails that impersonate legitimate services to steal credentials.
  • Spear phishing - Targeted attacks against specific individuals or departments.
  • Vishing (voice phishing) - Scammers calling employees and, for instance, pretending to work for IT support.
  • Smishing (SMS phishing) - Phishing via SMS messages or WhatsApp.


By conducting simulations, we can test our awareness, refine our security protocols, and build a more resilient organisation against such attacks.

What should you pay attention to in future emails?

To stay safe, keep the following tips in mind when handling emails:

  • Check the sender's email address - Is it from a trusted UCL domain?
  • Look for inconsistencies - Are there spelling errors, urgent language, or unusual requests?
  • Hover over links before clicking - Does the URL domain match the official/legitimate organisational website, e.g. microsoft.com?
  • Be cautious with attachments - Unexpected files can contain malware.
  • Report suspicious emails - If you are unsure, forward the email to phish@ucl.ac.uk for verification or click the "Report" button in Outlook.
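The sender and link checks above can be made mechanical. The following is an added example written for this debrief, not a tool used by ISG or UCL: it applies the "check the sender's domain" and "hover over links" rules programmatically, anchoring the comparison on a dot boundary so that lookalike hosts such as `microsoft.com.evil.example` or `notmicrosoft.com` are rejected, and ignoring the display name in a From: header, which an attacker controls. The trusted-domain lists and all sample addresses and URLs are constructed for illustration (`.example` domains are reserved and never real).

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed for this example: domains treated as legitimate. A real deployment
# would use the organisation's own list.
TRUSTED_SENDER_DOMAINS = {"ucl.ac.uk"}
TRUSTED_LINK_DOMAINS = {"ucl.ac.uk", "microsoft.com", "microsoftonline.com"}


def host_belongs_to(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a genuine subdomain of it.

    A plain substring or prefix test would accept lookalikes such as
    'microsoft.com.example' or 'notmicrosoft.com', so the match is anchored
    on the dot boundary from the right.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def sender_domain(from_header: str) -> str:
    """Return the domain of the actual address in a From: header.

    The display name ('IT Services') is free text chosen by the sender; only
    the part after '@' in the angle-bracket address identifies the domain.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def sender_is_trusted(from_header: str) -> bool:
    domain = sender_domain(from_header)
    return any(host_belongs_to(domain, d) for d in TRUSTED_SENDER_DOMAINS)


def link_is_trusted(url: str) -> bool:
    """Check a link's hostname the way 'hover before you click' does.

    Only http(s) links whose hostname is on a trusted domain pass. Odd
    schemes, missing hosts and userinfo tricks such as
    https://microsoft.com@evil.example/ (hostname is evil.example) all fail.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    return any(host_belongs_to(parsed.hostname, d) for d in TRUSTED_LINK_DOMAINS)


def triage_email(from_header: str, link_text: str, link_url: str) -> list[str]:
    """Return the warning signs found for one email; an empty list means none."""
    warnings = []
    real_host = (urlparse(link_url.strip()).hostname or "").lower()
    if not sender_is_trusted(from_header):
        warnings.append(f"sender domain '{sender_domain(from_header)}' is not a trusted domain")
    if not link_is_trusted(link_url):
        warnings.append(f"link points to '{real_host}', not a trusted domain")
    # Visible link text that looks like a URL but differs from the real
    # destination is a classic sign of a disguised link.
    shown = urlparse(link_text.strip())
    if shown.hostname and shown.hostname.lower() != real_host:
        warnings.append(f"link text shows '{shown.hostname}' but goes to '{real_host}'")
    return warnings


if __name__ == "__main__":
    # Constructed sample resembling the simulation email: a trusted-looking
    # display name on an untrusted domain, and a lookalike Microsoft link.
    for w in triage_email(
        "IT Services <alerts@ucl-security.example>",
        "https://account.microsoft.com/activity",
        "https://microsoft.com.evil.example/login",
    ):
        print("WARNING:", w)
```

The two-part test in `host_belongs_to` is the heart of it: `microsoft.com.evil.example` contains `microsoft.com` as a substring and starts with it, yet it is a subdomain of `evil.example`, which is exactly what a glance at a hovered URL has to catch.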

UCL’s ongoing efforts in phishing awareness

As part of our commitment to cybersecurity, we will continue sending annual phishing simulations. These exercises will help ensure that our staff remain vigilant and well-informed to identify and respond to phishing threats effectively. By improving our collective awareness, we can better protect our data, intellectual property and the whole UCL community.

Survey findings

The ISG collaborated with researchers from the Department of Security & Crime Science to invite you to respond to a survey on UCL’s cybersecurity education and training program. More than 2,000 of you completed it! We’re truly grateful to everyone who participated. Here, we share some of the key insights we’ve gathered so far:

A) Risk Awareness: Participants showed a strong awareness of the risks associated with phishing and other social engineering attacks. This is a positive sign, although awareness alone doesn't always prevent people from being deceived - especially when attackers pose as trusted individuals.

B) Self-efficacy: The results also show that participants feel confident in their ability to handle IT security challenges. This self-belief is key to encouraging secure behaviour, as it increases the likelihood of people taking initiative and following best practices.

C) Training Response: Feedback on the simulation training was overwhelmingly positive. Most participants were engaged and rated the experience highly, suggesting the training was both effective and well received.

Compromise rates:


We are pleased with the results of the simulation. The majority of users read the message, and a substantial number chose to delete it - an encouraging sign of cautious behaviour. While 2,509 users clicked the link and 746 (under 4%) entered credentials, these numbers remain relatively low compared to the overall user base of 18,919. The low number of replies and forwarded messages also indicates that the phishing attempt did not circulate widely. Overall, the findings suggest a growing level of awareness and attentiveness among our community.

Our team will continue analysing the results in the following weeks.

Thank you again and please do reach out to sarah.zheng.16@ucl.ac.uk if you have any questions or feedback on the study. The ISG and colleagues across the academic community will continue learning from this work to help strengthen UCL’s defences against cyber threats.

Results in Detail:

Results for Risk perceptions:

Across all participants, we observed a relatively high perception of risk regarding social engineering attacks such as phishing emails. These findings are consistent with previous research, which suggests that individuals generally recognise the dangers associated with phishing. While risk perception is an important foundation for IT security awareness, it does not necessarily guarantee that employees will avoid falling victim to such attacks - especially as cybercriminals often impersonate credible roles that may not be immediately recognised. Nevertheless, the results are a positive indication that a general level of awareness is present.

Self-Efficacy:

Participants in the study demonstrated an above-average level of self-efficacy, indicating that they generally feel confident in their ability to manage and respond to IT security-related challenges. High self-efficacy is a critical factor in proactive behaviour, as individuals who believe in their capabilities are more likely to take initiative, follow best practices and persist in the face of potential cyber threats. This finding suggests a strong foundation for fostering secure behaviour in the workplace, as self-efficacy is closely linked to the willingness to engage with training, apply learned strategies, and resist manipulation attempts such as phishing. Overall, the elevated self-efficacy levels are a promising indicator for the success of ongoing and future cybersecurity awareness initiatives.

Reactions to the training measure:

The distribution indicates that participants responded very positively to the simulation training exercise. Most individuals reported mean scores near the top of the scale, suggesting a high level of acceptance and positive emotional response. Only a small number of participants showed lower scores, indicating that negative emotions were rarely triggered. Overall, the results suggest that the simulation was well-received and created a constructive and engaging learning experience.