Educause Security Discussion mailing list archives
Re: attempts sending fake phishing messages to students and/or employees
From: "Lorenz, Eva" <evalorenz () UNC EDU>
Date: Tue, 8 Jun 2010 08:05:01 -0400
We use security awareness to defend against phishing. When I suggested the method of sending phishing to affiliates, the concern about faculty reaction was mentioned as well. For security awareness, we use a combination of online training for faculty and staff, slides for student-based workshops, and will roll out some videos on phishing to students. I also found that spending some time analyzing the phishing process to understand how the process works can be helpful to gear the security awareness towards the weaknesses exploited in the current scams.

Ben, could you provide the link to the Facebook page that you are using?

Eva Lorenz Ph.D., J.D., ITv3F
ITS Security
2800 ITS Manning
211 Manning Dr CB3420
Chapel Hill NC 27599

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ben Woelk
Sent: Tuesday, June 08, 2010 12:56 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] attempts sending fake phishing messages to students and/or employees

There was a thread about this a couple of years ago that you may be able to find in the archives. We thought about doing this at RIT but decided against it because we thought people would believe we betrayed their trust. Indiana University did phishing research on part of their population and I'm not sure they thought the results were worth the reaction. (Scott--feel free to chime in here.)

We have used a few different techniques to combat phishing:

- Awareness, including posters (adapted from Yale University) and having a phishing awareness week (twice) on campus with a student dressed in a phish costume visiting campus offices. (http://reportermag.com/article/05-01-2009/phishing-fish-draws-attention)
- As a technical control, our information technology group has appended a message warning about a potential phishing attempt to all incoming mail that includes "password" in the body of the message.
- We've adopted a signature standard requiring specific address elements for any official internal email to help people distinguish between official and unofficial messages.
- We have an ongoing Digital Self Defense program to educate staff.
- We use a Facebook page to communicate about safe social networking and phishing.

We always have a few people respond, but overall our numbers have improved.

Ben Woelk '07
Co-chair, Awareness and Training Working Group
EDUCAUSE/Internet2 Higher Education Information Security Council
Policy and Awareness Analyst
Information Security Office
Rochester Institute of Technology
Ross 10-A204
151 Lomb Memorial Drive
Rochester, New York 14623
585.475.4122
585.475.7920 fax
ben.woelk () rit edu
http://security.rit.edu/dsd.html
Become a fan of RIT Information Security at http://rit.facebook.com/profile.php?id=6017464645
Follow us on Twitter: http://twitter.com/RIT_InfoSec

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dave Kovarik [david-kovarik () NORTHWESTERN EDU]
Sent: Monday, June 07, 2010 11:26 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] attempts sending fake phishing messages to students and/or employees

My two cents: A "fake" phishing trip could have some benefit, but I'd recommend against launching one within higher education confines (it could be a career limiting or eliminating move). Those that are "hooked" by it won't take kindly to having taken the bait - and some of these will be outspoken faculty members. I think your efforts would be better spent on continuing education of your user community and resolving the incidents that occur as a result of actual phishing incidents.

Dave Kovarik
Northwestern University
847-467-5930

On 6/7/10 7:59 PM, Valdis Kletnieks wrote:
> On Mon, 07 Jun 2010 15:41:18 PDT, "Miller, Don C." said:
> > Has anyone attempted, or thought about, sending fake phishing messages to your students and/or employees?
>
> If your message is "We will never ask you for your password", this is a *really* bad idea because it confuses your users and shoots your credibility. We usually just wait for a real phish to get reported, then block the address outbound and trap any attempts to reach it. Anybody who tries it gets targeted for re-education.