Educause Security Discussion mailing list archives
Re: Self-Phishing - show of hands
From: George Moore <gmoore () SALEMSTATE EDU>
Date: Tue, 16 Feb 2016 22:36:34 +0000
Hi Eric, Who are you phishing? We sent to sensitive departments first, then all faculty/staff. What are you using? We used all free tools. We saved a particularly clever phish one of our users fell for, this made our test realistic. We used Linux mail commands to send the email. We used a bit.ly link inside of the message to give us statistics on how many people are clicking. We decided to not collect credentials. If a user clicked, they were led to a special landing page that contained tips on how to identify email scams. How long have you been phishing your customers? Only a year. We generated a lot of awareness. Here are some other bits of advice: Have a really strong response plan for when a user reports a phishing email to you. Most of what we did to perform this phish was lifted from our response plan. Track your rate of actual phishing incidents and password disclosures. That type of logging is what you will need to prove to yourself and others that the awareness program is being effective. Accept that some amount of users will always fall for email scams. Think of alternate controls and monitors to catch those rare cases. Thanks, George Moore Director of Information Security Salem State University Office 978-542-2052 From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Weakland Sent: Thursday, February 11, 2016 10:38 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Self-Phishing - show of hands Greetings, I'm working on a publication on self phishing for HEISC and preparing to leverage our self-phishing service (SANS) in the coming year. I am trying to develop a list of universities who are doing "self phishing". If your institution is self phishing your community - would you mind dropping me a note with the following items. Who are you phishing? (Select groups, All Staff, All Faculty, All Students, everyone etc.) What are you using? (Vendor, custom or opensource and the name of the vendor or project.) How long have you been phishing your customers? Thanks everyone! Regards, Eric Weakland, CISSP, CISM, CRISC Director, Information Security Office of Information Technology American University eric at american.edu 202.885.2241 _____________________________________________ Emails from IT asking you to log in with a link are scams!
Current thread:
- Re: Self-Phishing - show of hands, (continued)
- Re: Self-Phishing - show of hands Eric Weakland (Feb 11)
- Re: Self-Phishing - show of hands Jeff Choo (Feb 11)
- Re: Self-Phishing - show of hands Feehan, Patrick (Feb 11)
- Re: Self-Phishing - show of hands Eric Weakland (Feb 11)
- Re: Self-Phishing - show of hands Dennis Duncan (Feb 11)
- Re: Self-Phishing - show of hands Stefan Wahe (Feb 11)
- Re: Self-Phishing - show of hands Christine Streeter (Feb 11)
- Re: Self-Phishing - show of hands Jenny Blaine (Feb 11)
- Re: Self-Phishing - show of hands Sol Bermann (Feb 12)
- Re: Self-Phishing - show of hands Melanie Lever (Feb 12)
- Re: Self-Phishing - show of hands George Moore (Feb 16)
- Re: Self-Phishing - show of hands Paul Chauvet (Feb 17)