Educause Security Discussion mailing list archives
Re: Phishing and Security Awareness Training - Faculty
From: Bob Bayn <bob.bayn () USU EDU>
Date: Wed, 13 Apr 2016 20:54:41 +0000
Paul Chauvet <chauvetp () NEWPALTZ EDU> reports mild defensive reactions to phishing training including:

Mild defensive reactions "I only fell for this because I was expecting a message from Human Resources" (or IT, or Payroll, or whatever department we used as the 'from' for internal phishing), or "I only fell for it because I'm so busy" or "You got me because I didn't have my coffee yet"

I'd say that's the likely explanation set for people who fall for REAL phish messages, too. Even though we still refer to the "gullible...skeptical...paranoid" continuum in our training, most victims of real phish are not actually gullible but are either multi-tasking and not giving the threat enough attention to recognize it or the phishing "story" happens to coincide with what is happening in the recipient's life at the moment. Spamming phishers can afford to use a specific story that only rings true with a few of their recipients, because it doesn't cost them anything to not fool the others.

Bob Bayn SER 301 (435)797-2396
IT Security Team
Office of Information Technology, Utah State University

Report any suspicious message by forwarding it as an attachment (ctrl-alt-F in Outlook) to phish () usu edu. The attachment format preserves hidden delivery header information that is helpful for reporting or blocking.

Do you know the "Skeptical Hover Technique" and how to tell where a web link really goes? See: https://it.usu.edu/computer-security/computer-security-threats/articleID=23737

________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Paul Chauvet <chauvetp () NEWPALTZ EDU>
Sent: Wednesday, April 13, 2016 2:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing and Security Awareness Training - Faculty

Hi Stefan,

We've been doing phishing simulations of one form or another for 3-4 years now. They have been extremely effective and very well received.

It has been extremely rare that we have had negative reactions to it. Those reactions have been primarily:

· Mild defensive reactions "I only fell for this because I was expecting a message from Human Resources" (or IT, or Payroll, or whatever department we used as the 'from' for internal phishing), or "I only fell for it because I'm so busy" or "You got me because I didn't have my coffee yet" ....[snip]