IT Security: Simulated Phishing Email Campaigns

What Is Phishing?

Phishing is a cyberattack that attempts to trick individuals into handing over personal information to cybercriminals.

This information may include login credentials, banking details, credit card numbers, and other sensitive data. Phishing attempts typically arrive through emails or text messages.

Cybercriminals may pose as someone from Okanagan College, a trusted vendor, or a reputable company to convince you to click a malicious link. While the link may appear legitimate, its real purpose is to steal your personal information or install harmful software on your device.

What Is the Purpose of Simulating These Campaigns?

IT Security conducts simulated phishing campaigns as part of our mandatory cybersecurity awareness program for all employees at Okanagan College. These exercises are designed to help employees recognize suspicious messages and become more vigilant when identifying potential threats.

What Happens if I Fall for These Simulated Phishing Emails? Will I Be in Trouble?

You will not be in trouble. These exercises are designed to help you learn how to recognize phishing attempts in a safe environment, without any real‑world consequences. Your participation and results are extremely valuable to help us assess the potential likelihood and impact of real threats, and it enables us to refine and optimize how we deliver cybersecurity awareness training.

You’ll receive a notification letting you know that you clicked on a phishing simulation conducted by IT Security. You will then be sent a few short training videos to help reinforce how to spot suspicious emails. These training messages will come from notification@attacksimulationtraining.com, a legitimate Microsoft‑provided training service.

Report or Verify Phishing Emails

Reporting suspicious emails helps us identify potential threats and protect the entire Okanagan College community from phishing attempts and malware.

How To Report Phishing Emails:

These steps are the same for the New, Classic, and Online version of Outlook.

Open Outlook and go to your Inbox.
Select the suspicious email (do NOT click links or attachments).
On the top ribbon under the Home tab, click the Report button.
A confirmation box will appear, select Report to finish.

Button for reporting phishing emails in Outlook with the confirmation window underneath.

How To Verify if an Email Is Phishing:

If you are unsure whether an email is malicious or not, please forward it to ITSecurity@okanagan.bc.ca and we will confirm that for you as soon as possible.

Recognizing Phishing Emails:

Imagine that the email below has just arrived in your inbox. Before scrolling down to see the answers, take a moment to review it and see if you can identify any signs that it might be a phishing attempt.

An example of a phishing email from someone impersonating Amazon.

An example of a phishing email from someone impersonating Amazon with important indicators highlighted, proving why it is a phishing email.

Did you catch them all? These indicators are explained in more detail below:

Check sender's email address:

Always check the sender’s email to confirm it is from a legitimate source.

"CAUTION" banner:

This banner indicates that the sender is from outside of Okanagan College and should be treated with extra caution. Never provide personal information, passwords, or make purchases from these emails.
Always watch for this banner, especially if an email appears to come from Okanagan College. This banner will never appear on internal emails. However, even if the banner is not present, it is still important to stay alert for other signs of phishing, as an internal account could still be compromised.

Generic greetings:

Phishing emails are usually sent in large batches. To save time, cybercriminals use generic names like "Hi Student" or "Hi Professor" so they don't have to type out names. Be skeptical of such emails.
Keep in mind, more sophisticated phishing attempts can use your real name along with more information about you such as your job title and place of employment. This is known as spear-phishing.

Poor grammar and misspellings:

Phishing emails often have poor grammar or misspellings.

Email asks for personal information:

Legitimate companies will never ask for personal credentials via email.

Urgent action required:

Phishing emails often try to create a sense of urgency or demand immediate action. The goal is to get you to click on a link and provide personal information - Right Now!

Suspicious links & attachments:

Always check where a link is going before you click on it. You can hover over a link with your mouse to see the actual URL.
If you are unsure if an email is legitimate or not, it is best to avoid clicking on the link altogether. Instead, open your web browser and go directly to the website yourself.
- For example, if you receive an email claiming you need to log into your bank account and it includes a sign‑in link, do not click it. Instead, open your browser, type in your bank’s official web address yourself, and check there to confirm whether the message is real.
Make sure the email is legitimate before clicking on or downloading any attachments.

Unsolicited emails:

Be wary of unsolicited emails, especially those asking for personal information or urging immediate action.

Additional Common Questions:

No. These simulations are intentionally designed to resemble real phishing emails as closely as possible, and there is still a significant chance that what you’ve received could be an actual phishing attempt. Please report it by following the steps outlined in the Report or Verify Phishing Emails section above.

No. Unfortunately, cybercriminals continue to get more sophisticated, and the tools they use to create convincing malicious emails are improving as well. That’s why it’s essential to stay up to date with regular training to stay ahead of the curve.

If you would like to learn more about phishing, please view the Microsoft article below. You can also email IT Security for any questions or concerns regarding our phishing campaigns or phishing emails in general, and we will get back to you as soon as possible.

Microsoft Article on Phishing Email IT Security

Under normal circumstances, no. Your individual results on interactions with a phishing simulation email will be kept confidential by the IT Security Team. Assigned training status/completion will be tracked and recorded for compliance reporting. In limited circumstances, such as repeated high-risk behaviour or where required by College policy, relevant information may be shared with appropriate leadership.

Explore programs and courses Explore programs and courses

InspirED: Continuing Studies and Corporate Training InspirED: Continuing Studies and Corporate Training

Explore OC Explore OC

Areas of interest Areas of interest

Education pathways Education pathways

Portfolios Portfolios

Mobility/Exchange and study abroad Mobility/Exchange and study abroad

Additional resources Additional resources

Become a student Become a student

Application and enrollment support Application and enrollment support Explore programs, understand requirement and get guidance through the application process.

Tuition and fees Tuition and fees

Financial support Financial support

Education pathways Education pathways

Additional resources Additional resources

Getting started Getting started

Navigating your program Navigating your program

Education advisors Education advisors Help you map out your academic path and stay on track to graduate.

Learning resources and support Learning resources and support

Mobility/Exchange and study abroad Mobility/Exchange and study abroad

Additional resources and policies Additional resources and policies

Our campuses and centres Our campuses and centres

Our centres Our centres

Visitor information Visitor information