Educause Security Discussion mailing list archives
Re: attempts sending fake phishing messages to students and/or employees
From: Ben Woelk <fbwis () RIT EDU>
Date: Tue, 8 Jun 2010 00:55:51 -0400
There was a thread about this a couple of years ago that you may be able to find in the archives. We thought about doing this at RIT but decided against it because we thought people would believe we betrayed their trust. Indiana University did phishing research on part of their population and I'm not sure they thought the results were worth the reaction. (Scott--feel free to chime in here.)

We have used a few different techniques to combat phishing:

Awareness, including posters (adapted from Yale University) and having a phishing awareness week (twice) on campus with a student dressed in a phish costume visiting campus offices. (http://reportermag.com/article/05-01-2009/phishing-fish-draws-attention)

As a technical control, our information technology group has appended a message warning about a potential phishing attempt to all incoming mail that includes "password" in the body of the message.

We've adopted a signature standard requiring specific address elements for any official internal email to help people distinguish between official and unofficial messages.

We have an ongoing Digital Self Defense program to educate staff.

We use a Facebook page to communicate about safe social networking and phishing.

We always have a few people respond, but overall our numbers have improved.

Ben Woelk '07
Co-chair, Awareness and Training Working Group
EDUCAUSE/Internet2 Higher Education Information Security Council

Policy and Awareness Analyst
Information Security Office
Rochester Institute of Technology
Ross 10-A204
151 Lomb Memorial Drive
Rochester, New York 14623
585.475.4122
585.475.7920 fax
ben.woelk () rit edu
http://security.rit.edu/dsd.html

Become a fan of RIT Information Security at http://rit.facebook.com/profile.php?id=6017464645
Follow us on Twitter: http://twitter.com/RIT_InfoSec
________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dave Kovarik [david-kovarik () NORTHWESTERN EDU]
Sent: Monday, June 07, 2010 11:26 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] attempts sending fake phishing messages to students and/or employees

My two cents: A "fake" phishing trip could have some benefit, but I'd recommend against launching one within higher education confines (it could be a career limiting or eliminating move). Those that are "hooked" by it won't take kindly to having taken the bait - and some of these will be outspoken faculty members. I think your efforts would be better spent on continuing education of your user community and resolving the incidents that occur as a result of actual phishing incidents.

Dave Kovarik
Northwestern University
847-467-5930

On 6/7/10 7:59 PM, Valdis Kletnieks wrote:
> On Mon, 07 Jun 2010 15:41:18 PDT, "Miller, Don C." said:
>> Has anyone attempted, or thought about, sending fake phishing messages to your students and/or employees?
>
> If your message is "We will never ask you for your password", this is a *really* bad idea because it confuses your users and shoots your credibility.
>
> We usually just wait for a real phish to get reported, then block the address outbound and trap any attempts to reach it. Anybody who tries it gets targeted for re-education.
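
The keyword-tagging control described in the message above (a warning appended to incoming mail whose body includes "password"), sketched as an added example that is not part of the thread and not RIT's actual gateway configuration. The banner wording, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

KEYWORD = re.compile(r"password", re.IGNORECASE)
# Constructed wording: the post does not quote the text RIT appends.
BANNER = ("[Mail gateway notice] This message mentions a password. "
          "It may be a phishing attempt.")

def body_parts(msg):
    """Yield non-attachment text/plain and text/html parts, nested ones included."""
    for part in msg.walk():
        if (part.get_content_type() in ("text/plain", "text/html")
                and not part.is_attachment()):
            yield part

def add_banner(part):
    """Append the banner to one body part, keeping its subtype."""
    body, subtype = part.get_content(), part.get_content_subtype()
    if subtype == "html":
        note = f"<p><strong>{BANNER}</strong></p>"
        # Place the notice before </body> so mail clients render it.
        body, n = re.subn(r"(?i)</body>", lambda m: note + m.group(0), body, count=1)
        if n == 0:
            body += note
    else:
        body = body.rstrip("\n") + "\n\n" + BANNER + "\n"
    part.set_content(body, subtype=subtype)  # re-encodes the part as UTF-8

def tag_message(raw):
    """Return (message_text, tagged) for one inbound message given as a string."""
    msg = message_from_string(raw, policy=policy.default)
    parts = list(body_parts(msg))
    if not any(KEYWORD.search(p.get_content()) for p in parts):
        return raw, False  # no match: pass the message through untouched
    for part in parts:
        add_banner(part)
    return msg.as_string(), True

# Constructed sample message, not taken from the thread.
SAMPLE = (
    "From: helpdesk@example.edu\nTo: user@example.edu\n"
    "Subject: Mailbox quota\nContent-Type: text/plain; charset=utf-8\n\n"
    "Reply with your username and Password to keep your mailbox.\n"
)

if __name__ == "__main__":
    tagged_text, tagged = tag_message(SAMPLE)
    print(tagged)
    print(tagged_text)
```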