Simulated Phishing Results

Dear Members of the Hobart and William Smith Community –

I write to share with you the results of an important information security test that was recently conducted at the Colleges. The growing problem of security and data breaches is routinely publicized in the media and news reports, and HWS is not immune to these risks as hackers attempt to gain access to our systems and information through a variety of methods. One technique used is known as "Phishing".

Phishing is one of the most common and easily avoidable security threats, usually carried out through a malicious e-mail. The goal of a phishing e-mail is to acquire sensitive information such as usernames, passwords, and credit card numbers by masquerading as a trustworthy entity in an electronic communication. It is important that all members of the HWS community develop a basic awareness of this kind of threat to collectively protect the sensitive information and digital assets of the Colleges.

On Friday, October 20th, a simulated phishing e-mail was sent to everyone in the community with an HWS e-mail account. This is the third year that this test was conducted, and it was done with the support of the Colleges’ Cabinet and Institutional Review Board (IRB). The simulation was carried out by GreyCastle Security as part of a broader New York Six consortium information security program. No personally identifiable information was collected as part of the simulation. In no case was any member of the HWS community exposed to the risk of compromising confidential or sensitive information, or to punitive action, during the simulation.

The most important result from this test was that 559 members of our community fell for the simulated phishing attempt and entered their HWS credentials. This is a significant increase from last year, and had this been a real scam, hackers would have been able to steal those HWS usernames and passwords for malicious purposes.

Here are the overall results of the simulated phishing exercise:

  • Congratulations and thank you to the 89 people who contacted the IT Services Help Desk to report the simulated phishing e-mail as a possible scam. This number almost doubled from last year!
  • 3,169 e-mails were sent to all community members with an HWS e-mail account.
  • 2,465 (77.8%) people ignored or deleted the e-mail and did not click on the link included (compared to 87.1% last year).
  • 704 (22.2%) people opened the e-mail and clicked on the link in the message (compared to 12.9% last year). This year 559 of those people who clicked on the link also entered their usernames and passwords.

If you fell for the simulated phishing e-mail and would like to see how you could have identified it as a phishing attempt, please look for the "Simulated Phishing Updates and Information" link on the IT Services Web site for more detailed information.


Fred Damiano
Vice President of Strategic Initiatives and Chief Information Officer
