Educause Security Discussion mailing list archives

Re: Self-Phishing - show of hands


From: George Moore <gmoore () SALEMSTATE EDU>
Date: Tue, 16 Feb 2016 22:36:34 +0000

Hi Eric,
Who are you phishing?
We sent to sensitive departments first, then all faculty/staff.

What are you using?
We used all free tools. We saved a particularly clever phish one of our users fell for; this made our test realistic.
We used Linux mail commands to send the email. We used a bit.ly link inside of the message to give us statistics on how
many people are clicking. We decided to not collect credentials. If a user clicked, they were led to a special landing
page that contained tips on how to identify email scams.

How long have you been phishing your customers?
Only a year. We generated a lot of awareness.

Here are some other bits of advice:

Have a really strong response plan for when a user reports a phishing email to you. Most of what we did to perform this 
phish was lifted from our response plan.

Track your rate of actual phishing incidents and password disclosures. That type of logging is what you will need to 
prove to yourself and others that the awareness program is being effective.

Accept that some number of users will always fall for email scams. Think of alternate controls and monitors to catch
those rare cases.

Thanks,
George Moore
Director of Information Security
Salem State University
Office 978-542-2052
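The click-tracking and reporting step George describes (a link in the message, a landing page with tips, no credential collection, per-group statistics), as an added example that is not part of the original post and not the tooling Salem State used. It assumes a landing page at /tips on a web server that writes Common Log Format, and a per-recipient token in the link's ?t= parameter instead of a public bit.ly link, so the click counts are per department rather than per campaign. The roster, the campaign secret and the log lines are constructed for illustration.

```python
"""Click-rate tally for a self-phishing campaign that collects no credentials.

Added example, not code from the thread. Assumes: a landing page at /tips on a
web server writing Common Log Format, and a per-recipient token (an HMAC of the
address under a campaign secret) carried in the link's ?t= parameter.
Roster, secret and log lines below are constructed for illustration.
"""
import hashlib
import hmac
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed roster: recipient -> department (hypothetical names).
ROSTER = {
    "alice@example.edu": "Bursar",
    "bob@example.edu": "Bursar",
    "carol@example.edu": "Registrar",
    "dave@example.edu": "Registrar",
}
CAMPAIGN_SECRET = b"constructed-campaign-secret"  # constructed; never goes into the mail
LANDING_PATH = "/tips"


def make_token(secret, email):
    """Opaque per-recipient token. An HMAC means a token cannot be guessed or
    enumerated from an address, and the web log never has to contain the address."""
    return hmac.new(secret, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def build_links(secret, roster, base="https://landing.example.edu"):
    """One tracking link per recipient (hypothetical landing host)."""
    return {email: f"{base}{LANDING_PATH}?t={make_token(secret, email)}" for email in roster}


# Apache/nginx Common Log Format: ip ident user [ts] "METHOD target HTTP/x.y" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def parse_clicks(lines):
    """Yield tokens from successful GETs of the landing page only; assets, probes
    and scanners hitting other paths are ignored."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        url = urlsplit(m["target"])
        if url.path != LANDING_PATH:
            continue
        for tok in parse_qs(url.query).get("t", []):
            yield tok


def click_report(secret, roster, lines):
    """Unique click rate overall and per department. Repeat clicks by the same
    person count once; tokens not issued by this campaign are counted separately."""
    token_to_email = {make_token(secret, e): e for e in roster}
    clicked, unknown = set(), 0
    for tok in parse_clicks(lines):
        email = token_to_email.get(tok)
        if email is None:
            unknown += 1  # tampered or forged token, or a scanner
        else:
            clicked.add(email)
    sent, hits = defaultdict(int), defaultdict(int)
    for email, dept in roster.items():
        sent[dept] += 1
        if email in clicked:
            hits[dept] += 1
    groups = {d: {"sent": sent[d], "clicked": hits[d], "rate": hits[d] / sent[d]} for d in sent}
    return {
        "sent": len(roster),
        "clicked": len(clicked),
        "rate": len(clicked) / len(roster),
        "unknown_tokens": unknown,
        "groups": groups,
    }


# Constructed access-log sample: one repeat click, one forged token, two non-landing hits.
_t = {e: make_token(CAMPAIGN_SECRET, e) for e in ROSTER}
SAMPLE_LOG = [
    f'10.0.0.5 - - [16/Feb/2016:10:12:01 -0500] "GET /tips?t={_t["alice@example.edu"]} HTTP/1.1" 200 2048',
    f'10.0.0.5 - - [16/Feb/2016:10:12:09 -0500] "GET /tips?t={_t["alice@example.edu"]} HTTP/1.1" 200 2048',
    '10.0.0.5 - - [16/Feb/2016:10:12:09 -0500] "GET /favicon.ico HTTP/1.1" 404 0',
    f'10.0.0.9 - - [16/Feb/2016:10:40:33 -0500] "GET /tips?t={_t["carol@example.edu"]} HTTP/1.1" 200 2048',
    '203.0.113.7 - - [16/Feb/2016:11:02:00 -0500] "GET /tips?t=0000deadbeef0000 HTTP/1.1" 200 2048',
    '203.0.113.8 - - [16/Feb/2016:11:03:00 -0500] "GET /wp-login.php HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for email, link in build_links(CAMPAIGN_SECRET, ROSTER).items():
        print(email, link)
    print(click_report(CAMPAIGN_SECRET, ROSTER, SAMPLE_LOG))
```

Because the landing page takes only a token and serves static tips, nothing a user types is ever received, which is what makes the "no credential collection" choice hold up in an audit; the unknown-token count is worth watching separately, since it shows links being forwarded or probed rather than clicked by the intended recipient.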

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric 
Weakland
Sent: Thursday, February 11, 2016 10:38 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Self-Phishing - show of hands

Greetings,

I'm working on a publication on self phishing for HEISC and preparing to leverage our self-phishing service (SANS) in 
the coming year.  I am trying to develop a list of universities who are doing "self phishing".

If your institution is self phishing your community - would you mind dropping me a note with the following items.

Who are you phishing? (Select groups, All Staff, All Faculty, All Students, everyone etc.)
What are you using? (Vendor, custom or opensource and the name of the vendor or project.)
How long have you been phishing your customers?

Thanks everyone!

Regards,

Eric Weakland, CISSP, CISM, CRISC
Director, Information Security
Office of Information Technology
American University
eric at american.edu
202.885.2241

_____________________________________________
Emails from IT asking you to log in with a link are scams!
