IT department sends fake phishing email

Butler IT sends fake phishing email to students “from” Nintendo to test student IT safety. Graphic by Presley Fletcher.


Colleges and universities are prime targets for phishing scams. Julie Hoffman, assistant director of the information technology, IT, department help desk and IT department, said universities have personal information for thousands of students that is very attractive to sellers and buyers of information. 

Phishing is a cybercrime in which targets are contacted by email, telephone or text message by someone posing as a real company to attempt to convince the targets to provide details such as personally identifiable information, banking and credit card details, and passwords. 

In an attempt to test students on what this type of email might look like, the Butler IT Department sent out their own phishing email, that was completely safe, in order to determine how many students might click on a phishing link. 

The IT department sent out a test phishing email to students’ Butler email accounts that looked like it was from Nintendo. They sent the email to 5,638 students, and out of those, 1,091, or 19%, clicked the link in the email. 

The number of students who clicked on past fake phishing emails depended on which simulation Butler’s IT department used. In February they sent an email simulation that was clicked on by 2% of recipients. In March, another simulation was opened by 3%. And in May, the email link was clicked on by 25%. Hoffman said if students have an account that the simulation uses, such as a Nintendo account, they are more likely to click on the link. 

Hoffman said that the IT department signed on with a service called KnowBe4, that provides cybersecurity training to institutions all across the country. 

“So periodically, [KnowBe4] sends out training to students, faculty and staff that help improve people’s knowledge of cybersecurity, things to know, things to avoid, what to look for, that kind of thing,” Hoffman said. 

The Butler IT department has sent out four phishing emails since they signed with KnowBe4, the Nintendo one being the most recent. 

Sophomore psychology major, Kamryn McGlothin, clicked on the link thinking that her Nintendo account information was at risk. She said that she has a Nintendo account, although it’s not linked to her Butler account. 

“Having it sent to my Butler account, when I don’t use that for anything else, also had me not suspect that it was spam,” McGlothin said. 

McGlothin said that she thought the way they sent the email was “tricky,” and purposefully trying to get students to click the link. In her cybersecurity training, she said that the fake emails were filled with grammatical errors and emojis, and that the Nintendo email was more legitimate than any of the training simulations. 

Hoffman stated that there are three reasons why they are sending out the phishing simulations. The first is that the IT department is tracking Butler’s improvements as an institution in cybersecurity training. The second purpose is to keep students on their toes and the third is to identify people who need more training on how to identify a phishing email.

The IT department now uses two-factor authentication for all Butler accounts, which is a second layer of security to keep student accounts safe. 

“The two-factor took it from the number of compromised accounts being in the hundreds every year to basically less than five,” Hoffman said. 

Because of this two-factor authentication, however, students aren’t seeing as many phishing attempts sent to their Butler emails. IT sends these simulations to make sure that students can still identify a potential scam message. 

Once students clicked on the link, they were immediately enrolled in an extra cybersecurity training to make sure they know how to keep their accounts secure. 

Ashlyn McIntosh, sophomore dual criminology and psychology major, also clicked on the Nintendo link. She thinks that the email made her more aware and cautious about clicking on links in emails. 

“Just be careful right before you, just automatically open up the email and read it,” McIntosh said. “Maybe just proceed with caution.” 

The IT department’s goal when sending these emails was to let students see a real phishing email in a way that did not compromise their information. 

Students can access cybersecurity training through the Butler IT website. If students ever do get hacked or their information is compromised, Hoffman said theys should go to Butler IT to get the problem fixed. They can contact the IT department at, or they can visit the office in person in Holcomb Building 350. 

“I would much rather you pause and ask someone who can help you look at it and decipher it before you click on something and give out any potentially dangerous information,” Hoffman said. 


Related posts