Guidelines for phishing simulations

| Do | Don't |
|---|---|
| Inform users & IT support groups prior to running phishing simulations | Phish without informing users |
| Provide users with information and details on how to recognize phishing | Penalize, sanction or criticize users in any way because they fall for phishing attacks or simulations |
| Provide short and clear instructions on how to report suspicious emails | Provide multiple options or conflicting information on how to report phishing |
| Thank users for reporting phishing | |
| Craft phish that are relevant to the employee and their role | Send only to select groups or individuals |
| Randomize phishing simulations | Send the same phish to all U of T users |
| Phish employees on different days and at different times with different phish, ideally specific to their role | Send campaigns outside of the individual's working hours |
| Engage in conversation with those who are struggling to detect phishes. Discuss with them, and with peers who understand the job role if appropriate, and ask them what additional resources would be useful | |
| Run phishing simulations on a monthly basis | Run phishing simulations only once a year (that would be too infrequent); run phishing simulations every week (that would be overwhelming for users) |
| Have the Communications team review the phishing email before it is sent | Collect information (e.g. usernames, passwords) or use lures relating to monetary reward or appreciation |
| | Collect personal information |

Essential security and privacy baseline modules

Topic Learning Outcomes Framework
  • Identify what phishing is
  • Identify a phish in the real world
  • Classify the types of phishing and media used by phishing attacks (smishing, vishing, etc.), and how to identify phishing
  • Report phishes
  • Locate U of T documentation related to phishing
Social engineering
  • Describe social engineering concisely and in plain language
  • Locate U of T documentation related to social engineering fraud
Passwords management
  • Apply good practices for constructing passwords
  • Manage passwords securely with the proper tools
  • Describe what MFA is and its importance
  • Locate University documentation for password management, password best practices and MFA
Types of malware and best practices
  • Describe the diversity of the malware landscape and how it impacts a user’s data and system
  • Apply best practices in day-to-day activities to mitigate the risk of a malware infection
  • Describe the first steps to take in case of ransomware infection
  • Report suspected malware infection
Security best practices
  • Describe best practices to ensure a safe and secure environment at home and work for digital security and physical security
  • Apply best practices in day-to-day life in the office and when working remotely
U of T Data Classification Standard
  • Describe the four levels of data classification at U of T
  • Identify examples of data types for staff, librarians, and faculty
  • Locate University documentation related to data classification on U of T’s websites
  • Identify the point of contact for data classification questions and issues
  • Describe fundamental and core concepts of privacy
  • Describe what personal information is and good practices to protect it
  • Apply data hygiene principles such as collection, storage, retention, deletion, etc.
  • Identify the point of contact for FIPPO to address privacy questions and issues
Remote work
  • Describe core best practices to follow to ensure a safe and secure environment when working remotely
  • Apply security behaviour that is compliant with U of T remote working guidelines
  • Describe how to report lost or stolen devices and other suspected incidents
  • Locate University documentation related to remote working best practices
U of T policies, standards and guidelines
  • Locate the University’s security policies, standards, and guidelines
  • Restate who authorizes and governs information security at the University
  • Consult the domains of the security standard for guidance on specific security topics
  • Interpret and summarize certain controls within the security standard that apply to daily use of devices and data
  • Apply controls to protect data adequately based on its classification level and where applicable
Reporting security incidents
  • Locate where to report security incidents at U of T when suspicious activity is detected
  • Give examples of security incidents that should be reported
  • Locate where to report safety incidents to the campus police
  • Locate where to report fraud
Risk management basics
  • Recognize what software is authorized at U of T for the storage and processing of data
  • Identify the risk associated with using certain software
  • Summarize the rationale for a risk-based approach to security
Information security incidents in higher ed
  • Identify the rationale that a threat actor would use for targeting university staff and faculty
  • Recognize the likelihood of a security incident targeting the University
  • Demonstrate an understanding of the impact of previous incidents in higher ed

Students and U of T community members looking for practical security training to enhance their security skills through hands-on lab exercises can register for free for the ImmersiveLabs resources.

Please note that this resource is provided by an external vendor that has its own privacy policy.

While the platform has been reviewed by the U of T Information Security team and the Freedom of Information and Protection of Privacy Office, we urge you to carefully review the ImmersiveLabs privacy notice and Terms of Use and Master Services Agreement / EULA to decide if you agree to those terms before registering to use the resource.

General questions related to privacy can be directed to: FIPP office.

Questions related to Security Awareness & Training can be directed to: