Educause Security Discussion mailing list archives
Re: Phishing and Security Awareness Training - Faculty
From: "Sburlea, Stefan" <sburlea () CHAPMAN EDU>
Date: Thu, 14 Apr 2016 16:56:33 +0000
That is how phishing works.

Best Regards,
Stefan Sburlea
Chapman University, IS&T
Information Security Specialist
sburlea () chapman edu
Desk Phone: 714-744-7802
Chapman University I One University Drive I Orange, California 92866

UNIVERSITY STAFF WILL NEVER ASK FOR YOUR PASSWORD - DO NOT SHARE YOUR PASSWORD WITH OTHERS!

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Manjak, Martin
Sent: Thursday, April 14, 2016 5:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing and Security Awareness Training - Faculty

Precisely. For some subset of the recipient population, the phish is going to align with a circumstance in their lives at that moment that will make it exponentially more credible.

Marty Manjak
ISO
University at Albany

Sent from my iPhone

On Apr 13, 2016, at 16:55, Bob Bayn <bob.bayn () USU EDU> wrote:

Paul Chauvet <chauvetp () NEWPALTZ EDU> reports mild defensive reactions to phishing training including:

Mild defensive reactions "I only fell for this because I was expecting a message from Human Resources" (or IT, or Payroll, or whatever department we used as the 'from' for internal phishing), or "I only fell for it because I'm so busy" or "You got me because I didn't have my coffee yet"

I'd say that's the likely explanation set for people who fall for REAL phish messages, too. Even though we still refer to the "gullible...skeptical...paranoid" continuum in our training, most victims of real phish are not actually gullible but are either multi-tasking and not giving the threat enough attention to recognize it or the phishing "story" happens to coincide with what is happening in the recipient's life at the moment. Spamming phishers can afford to use a specific story that only rings true with a few of their recipients, because it doesn't cost them anything to not fool the others.

Bob Bayn SER 301 (435)797-2396
IT Security Team
Office of Information Technology, Utah State University

Report any suspicious message by forwarding it as an attachment (ctrl-alt-F in Outlook) to phish () usu edu. The attachment format preserves hidden delivery header information that is helpful for reporting or blocking.

Do you know the "Skeptical Hover Technique" and how to tell where a web link really goes? See: https://it.usu.edu/computer-security/computer-security-threats/articleID=23737

________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Paul Chauvet <chauvetp () NEWPALTZ EDU>
Sent: Wednesday, April 13, 2016 2:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing and Security Awareness Training - Faculty

Hi Stefan,

We've been doing phishing simulations of one form or another for 3-4 years now. They have been extremely effective and very well received. It has been extremely rare that we have had negative reactions to it. Those reactions have been primarily:

* Mild defensive reactions "I only fell for this because I was expecting a message from Human Resources" (or IT, or Payroll, or whatever department we used as the 'from' for internal phishing), or "I only fell for it because I'm so busy" or "You got me because I didn't have my coffee yet"

....[snip]