Educause Security Discussion mailing list archives

Re: Phishing and Security Awareness Training - Faculty


From: Bob Bayn <bob.bayn () USU EDU>
Date: Thu, 14 Apr 2016 13:00:56 +0000

I need to backtrack a comment I made that I realize has an exception:


On Apr 13, 2016, at 16:55, I <bob.bayn () USU EDU> wrote:


Even though we still refer to the "gullible...skeptical...paranoid" continuum in our training, most victims of real 
phish are not actually gullible but are either multi-tasking and not giving the threat enough attention to recognize it 
or the phishing "story" happens to coincide with what is happening in the recipient's life at the moment.  Spamming 
phishers can afford to use a specific story that only rings true with a few of their recipients, because it doesn't 
cost them anything to not fool the others.

They are HOPING that it doesn't cost them anything to not fool the others.  But when those others know a way to 
effectively report the mischief they recognize, that can help thwart the whole attack.  If they know how to do any of:

  *   report the message as spam
  *   report the link to the hosting service abuse address
  *   report the link to Google: https://www.google.com/safebrowsing/report_phish/
  *   report the link to Symantec: https://submit.symantec.com/antifraud/phish.cgi
  *   report the message and link to PhishTank: https://www.phishtank.com/index.php
  *   report the message to the REN-ISAC "chum" project:  phish () ren-isac net
  *   report the message to their local IT Security team (who may do all the others)

then the cost of "not fooling the others" goes up.



Bob Bayn      SER 301      (435)797-2396    IT Security Team
Office of Information Technology,         Utah State University

    Report any suspicious message by forwarding it as an
    attachment (ctrl-alt-F in Outlook) to phish () usu edu.
    The attachment format preserves hidden delivery header
    information that is helpful for reporting or blocking.

    Do you know the "Skeptical Hover Technique" and
    how to tell where a web link really goes?  See:
    https://it.usu.edu/computer-security/computer-security-threats/articleID=23737
