Educause Security Discussion mailing list archives

Re: attempts sending fake phishing messages to students and/or employees


From: Dave Kovarik <david-kovarik () NORTHWESTERN EDU>
Date: Mon, 7 Jun 2010 22:26:38 -0500

My two cents: A "fake" phishing trip could have some benefit, but I'd
recommend against launching one within higher education confines (it could
be a career limiting or eliminating move).  Those that are "hooked" by it
won't take kindly to having taken the bait - and some of these will be
outspoken faculty members.  I think your efforts would be better spent on
continuing education of your user community and resolving the incidents
that occur as a result of actual phishing incidents.

Dave Kovarik
Northwestern University
847-467-5930

On 6/7/10 7:59 PM, Valdis Kletnieks wrote:
On Mon, 07 Jun 2010 15:41:18 PDT, "Miller, Don C." said:


Has anyone attempted, or thought about, sending fake phishing messages
to your students and/or employees?

If your message is "We will never ask you for your password", this is a
*really* bad idea because it confuses your users and shoots your credibility.

We usually just wait for a real phish to get reported, then block the address
outbound and trap any attempts to reach it.  Anybody who tries it gets
targeted for re-education.

