
The Information Security team at Mississippi State University conducted an internal email phishing campaign at the end of the fall 2024 semester and before the spring 2025 semester. The campaign consisted of two emails, crafted by the Information Security team, sent to all faculty and staff who meet the requirements of annual information security training (as stated in the Information Security Program). Becky Shannon, IT Risk & Compliance Analyst with Information Security, said, “These emails were sent randomly throughout the 40 days of the campaign.”
2024/2025 MSU Employee Phishing Campaign Results

| Phishing Emails Sent | Successful Phishing Attempts |
| --- | --- |
| 12,907 | 868 |

Summary of the Two Email Campaigns
- One email (labeled as “You need to reset your account password” or as “Reset your password”) warned the user that their account had unusual activity associated with it and that they needed to reset their password using the link provided in the email, then enter their NetID and associated password on the corresponding webpage. Shannon added, “The email looked like it was coming from ‘ITS Security’ and the timing of this email was around the time when the new 16-character password and new CAS login page were implemented. Based on the NIST Phish Scale User Guide, this email is rated as ‘Very difficult’ to discern if this email was a phishing email.”
- The second email (labeled as “BasicMessage_MicrosoftSignIn”) notified the user that they had a new message to view and could use the provided link to view it. The link took the user to the corresponding webpage, where they could enter their NetID and associated password. According to Shannon, “This email looked like it came from the University’s ITS and mimicked previous phishing attempts on employees. Based on the NIST Phish Scale User Guide, this email is rated as ‘Moderately difficult’ to discern if this email was a phishing email.”
Employees should look closely at all email messages and never click links that ask for NetIDs or password information. This campaign was designed to educate users about phishing scams and how to report suspicious emails.