Educause Security Discussion mailing list archives

Re: attempts sending fake phishing messages to students and/or employees


From: "Lorenz, Eva" <evalorenz () UNC EDU>
Date: Tue, 8 Jun 2010 08:05:01 -0400

We use security awareness to defend against phishing.
When I suggested the method of sending phishing to affiliates, the concern about faculty reaction was mentioned as well.
For security awareness, we use a combination of online training for faculty and staff, slides for student-based 
workshops and will roll out some videos on phishing to students. 

I also found that spending some time analyzing the phishing process to understand how the process works can be helpful 
to gear the security awareness towards the weaknesses exploited in the current scams.

Ben, could you provide the link to the facebook page that you are using?


Eva Lorenz Ph.D., J.D., ITv3F
ITS Security
2800 ITS Manning
211 Manning Dr
CB3420
Chapel Hill NC 27599

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ben Woelk
Sent: Tuesday, June 08, 2010 12:56 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] attempts sending fake phishing messages to students and/or employees

There was a thread about this a couple of years ago that you may be able to find in the archives. 

We thought about doing this at RIT but decided against it because we thought people would believe we betrayed their 
trust. Indiana University did phishing research on part of their population and I'm not sure they thought the results 
were worth the reaction. (Scott--feel free to chime in here.)

We have used a few different techniques to combat phishing:

Awareness, including posters (adapted from Yale University) and having a phishing awareness week (twice) on campus with 
a student dressed in a phish costume visiting campus offices. 
(http://reportermag.com/article/05-01-2009/phishing-fish-draws-attention)


As a technical control, our information technology group has appended a message warning about a potential phishing 
attempt to all incoming mail that includes "password" in the body of the message. 

We've adopted a signature standard requiring specific address elements for any official internal email to help people 
distinguish between official and unofficial messages.

We have an ongoing Digital Self Defense program to educate staff.

We use a Facebook page to communicate about safe social networking and phishing.

We always have a few people respond, but overall our numbers have improved.

Ben Woelk '07

Co-chair, Awareness and Training Working Group
EDUCAUSE/Internet2 Higher Education Information Security Council

Policy and Awareness Analyst
Information Security Office
Rochester Institute of Technology
Ross 10-A204
151 Lomb Memorial Drive
Rochester, New York 14623

585.475.4122
585.475.7920 fax
ben.woelk () rit edu
http://security.rit.edu/dsd.html

Become a fan of RIT Information Security at http://rit.facebook.com/profile.php?id=6017464645

Follow us on Twitter: http://twitter.com/RIT_InfoSec
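The "password" keyword banner Ben describes above, as an added example that is not RIT's code (the post does not say what product or rule implemented it): a Python filter built on the standard library email package that parses an incoming message, looks for the word in every inline text part, plain or HTML, and prepends a warning to each. The banner wording, the X-Phish-Warning marker header and the sample messages are assumptions made for the example. As with the control described, any legitimate mail that mentions a password (a password-reset notice, for instance) gets the banner too.

```python
import email
import html
import re
from email import policy
from email.message import EmailMessage
from typing import Iterator, Optional

# Hypothetical banner text; the wording RIT used is not given in the post.
WARNING = ("*** WARNING: this message mentions your password. ITS will never ask for "
           "your password by email. Treat any such request as a likely phishing attempt. ***")

# Substring match, as in the described control ("password" anywhere in the body).
TRIGGER = re.compile(r"password", re.IGNORECASE)

# Hypothetical marker header so a message that passes through the filter twice
# (forwarded, re-delivered) does not get a second banner stacked on the first.
TAG_HEADER = "X-Phish-Warning"


def text_parts(msg: EmailMessage) -> Iterator[EmailMessage]:
    """Yield the inline text/* parts of a message; attachments are not inspected."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        if part.get_content_disposition() == "attachment":
            continue
        yield part


def mentions_password(msg: EmailMessage) -> bool:
    """True if the trigger word appears in any inline text part, plain or HTML."""
    for part in text_parts(msg):
        try:
            body = part.get_content()
        except (LookupError, UnicodeDecodeError):  # unknown or broken charset: skip the part
            continue
        if TRIGGER.search(body):
            return True
    return False


def tag_message(raw: bytes) -> bytes:
    """Return the raw message unchanged, or with the banner prepended to every inline text part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if TAG_HEADER in msg or not mentions_password(msg):
        return raw
    for part in text_parts(msg):
        try:
            body = part.get_content()
        except (LookupError, UnicodeDecodeError):
            continue
        if part.get_content_subtype() == "html":
            banner = "<p><b>" + html.escape(WARNING) + "</b></p>\n"
            part.set_content(banner + body, subtype="html")
        else:
            part.set_content(WARNING + "\n\n" + body)
    msg[TAG_HEADER] = "password-keyword"
    return msg.as_bytes()


def was_tagged(raw: bytes) -> bool:
    """Check a filter result: marker header present and first inline text part starts with the banner."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if TAG_HEADER not in msg:
        return False
    first = next(text_parts(msg))
    return first.get_content().startswith(WARNING)


def build_sample(body_text: str, body_html: Optional[str] = None) -> bytes:
    """Constructed sample message (plain, or multipart/alternative when HTML is given)."""
    m = EmailMessage()
    m["From"] = "helpdesk@example.invalid"
    m["To"] = "student@example.invalid"
    m["Subject"] = "Account verification"
    m.set_content(body_text)
    if body_html is not None:
        m.add_alternative(body_html, subtype="html")
    return m.as_bytes()


if __name__ == "__main__":
    phish = build_sample("Your account will be closed. Reply with your password to keep it active.",
                         "<p>Your account will be closed. Reply with your <b>password</b> to keep it active.</p>")
    print(tag_message(phish).decode())
```

Running the block prints the tagged multipart message; the second pass over an already tagged message is a no-op because of the marker header, and a message without the keyword is returned byte-for-byte unchanged.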

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dave Kovarik 
[david-kovarik () NORTHWESTERN EDU]
Sent: Monday, June 07, 2010 11:26 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] attempts sending fake phishing messages to students and/or employees

My two cents: A "fake" phishing trip could have some benefit, but I'd recommend against launching one within higher 
education confines (it could be a career limiting or eliminating move). Those that are "hooked" by it won't take kindly 
to having taken the bait - and some of these will be outspoken faculty members. I think your efforts would be better 
spent on continuing education of your user community and resolving the incidents that occur as a result of actual 
phishing incidents.

Dave Kovarik
Northwestern University
847-467-5930

On 6/7/10 7:59 PM, Valdis Kletnieks wrote:
On Mon, 07 Jun 2010 15:41:18 PDT, "Miller, Don C." said:


Has anyone attempted, or thought about, sending fake phishing messages
to your students and/or employees?

If your message is "We will never ask you for your password", this is a
*really* bad idea because it confuses your users and shoots your credibility.

We usually just wait for a real phish to get reported, then block the address
outbound and trap any attempts to reach it.  Anybody who tries it gets
targeted for re-education.
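A small detection pass in the spirit of Valdis's outbound block-and-trap, added here as an example (not the poster's code; the thread does not say how the block or the trap is implemented): given the hosts harvested from a reported phish and some web proxy log lines, it reports which users still tried to reach those hosts and so are candidates for re-education. The log layout, host names and user names are constructed for the example and are not any real proxy's format; the subdomain rule and the lookalike host in the sample are assumptions to show what does and does not match.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Hosts taken from a reported phish, blocked outbound (constructed for the example).
BLOCKED_HOSTS: Set[str] = {"login-verify.example.invalid", "webmail-upgrade.example.invalid"}

# Constructed proxy log lines in a simplified "timestamp client user method url status"
# layout, not the format of any particular proxy. The last line is a lookalike host
# that merely starts with a blocked name and must not match.
SAMPLE_LOG = """\
2010-06-08T09:01:12 10.1.2.3 jdoe GET http://login-verify.example.invalid/update.php 403
2010-06-08T09:02:40 10.1.2.9 asmith GET http://www.example.invalid/index.html 200
2010-06-08T09:05:03 10.1.2.3 jdoe POST http://LOGIN-VERIFY.example.invalid/update.php 403
2010-06-08T09:07:55 10.1.2.17 - GET http://webmail-upgrade.example.invalid:8080/ 403
2010-06-08T09:08:10 10.1.2.21 bkim GET http://login-verify.example.invalid.evil.test/ 200
this line is not a log record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def host_of(url: str) -> str:
    """Hostname of a URL, lower-cased, with any port stripped ('' if unparseable)."""
    return (urlsplit(url).hostname or "").lower()


def is_blocked(host: str, blocked: Set[str]) -> bool:
    """Exact match or subdomain of a blocked host; a name that only starts with one does not count."""
    return any(host == b or host.endswith("." + b) for b in blocked)


def trapped_attempts(log_text: str, blocked: Set[str]) -> Dict[str, List[str]]:
    """Map each user (or client IP when no user is logged) to their attempts on blocked hosts."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or foreign line
        host = host_of(m["url"])
        if is_blocked(host, blocked):
            who = m["user"] if m["user"] != "-" else m["client"]
            hits[who].append(f"{m['ts']} {m['method']} {host}")
    return dict(hits)


if __name__ == "__main__":
    for who, attempts in trapped_attempts(SAMPLE_LOG, BLOCKED_HOSTS).items():
        print(who)
        for a in attempts:
            print("   ", a)
```

The point of the subdomain rule and the case-folding is that a phish kit rarely serves from exactly the host in the reported message: a second path, a port, or a capitalised hostname in the log should still count as an attempt, while a longer name that merely begins with the blocked one should not.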

