Educause Security Discussion mailing list archives

Re: Self-Phishing - Pre Launch Messages

From: Tamara Bahr <t.bahr () UTORONTO CA>
Date: Tue, 15 Nov 2016 23:14:05 +0000
Great thread

@Eric Weakland – so you piloted with IT first? How many times? You say it “helped with complaints” what was the volume 
and nature of the complaints? (i.e. lots of hits to help desks etc.?)

Tamara Bahr
TAMARA JAYNE BAHR B.Ed, MSc
Manager Academic Technology

Post MD Education – (Currently seconded to ITS)
Faculty of Medicine, University of Toronto
500 University Avenue | 6th Floor | Toronto | ON | M5G 1V7
416-978-7587 | t.bahr () utoronto ca<mailto:t.bahr () utoronto ca>

Information Security Is Everyone’s Responsibility. Learn more: http://uoft.me/cyberaware


From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Eric Weakland 
<eric () AMERICAN EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, November 15, 2016 at 4:35 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Self-Phishing - Pre Launch Messages

One other note.

We phished our IT staff and the senior leadership of the university (with their permission, of course) repeatedly 
before phishing anyone else. (President, Provost, CIO, and Head of Finance)  This really helped with complaints, and 
they were squarely behind the initiative due to the amount of wire transfer Phishing attacks that they were already 
targeted by.

Thank you Valerie for sharing Brad’s excellent post.


Eric Weakland, CISSP, CISM, CRISC, ITIL
Director, Information Security
Office of Information Technology
American University
eric at american.edu<http://american.edu>
202.885.2241

______________________________________________________________________
Emails from IT asking you to log in with a link are scams!
No one from Microsoft is going to call you about your computer!
The IRS isn’t going to call you and threaten legal action, unless you pay them using gift cards!

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sweeney, 
Sean
Sent: Tuesday, November 15, 2016 4:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Self-Phishing - Pre Launch Messages

We notified our community and senior leadership before we began with PhishMe in June.  We repeat this message via other 
awareness activities as well.   Our community has been accepting of our efforts on this front, and we even garnered 
some local news coverage just this past Sunday: 
http://www.post-gazette.com/business/career-workplace/2016/11/14/WorkZone-Pitt-scams-its-workers-to-teach-lesson-about-phishing-schemes/stories/201611130064<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.post-2Dgazette.com_business_career-2Dworkplace_2016_11_14_WorkZone-2DPitt-2Dscams-2Dits-2Dworkers-2Dto-2Dteach-2Dlesson-2Dabout-2Dphishing-2Dschemes_stories_201611130064&d=DgMFAg&c=U0G0XJAMhEk_X0GAGzCL7Q&r=rwmQzQ83PyWVjNuYDJl11Kb0Rg61TcIkzm5etUZc0Gg&m=ObfDcxFy-MHPw9qbJPWJQVif1P5NuMxyh03IqSH1PTk&s=3uQ30OtSvFB5WWHT6ybkIHVC_ZBWMZ5Y2f5i7P2Ga2w&e=>


Sean Sweeney
Chief Information Security Officer
University of Pittsburgh
315 S. Bellefield Ave, Rm 403
Pittsburgh, PA 15260
(412) 624-5595
sweeney2 () pitt edu<mailto:sweeney2 () pitt edu>



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valerie 
Vogel
Sent: Tuesday, November 15, 2016 2:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Self-Phishing - Pre Launch Messages

Greetings,
Here are two relevant resources developed by the community about phishing simulation programs and campaigns:

A blog post by Brad Judy about “Phishing Your Users”: 
https://er.educause.edu/blogs/2016/4/phishing-your-users<https://urldefense.proofpoint.com/v2/url?u=https-3A__na01.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fer.educause.edu-252Fblogs-252F2016-252F4-252Fphishing-2Dyour-2Dusers-26data-3D01-257C01-257Csweeney2-2540PITT.EDU-257C800f085a82394fecea5808d40d8eb4e8-257C9ef9f489e0a04eeb87cc3a526112fd0d-257C1-26sdata-3D5h15zOcpHnbSklyc3KWkrAz96EEvw4SeLFqhs4ASBqk-253D-26reserved-3D0&d=DgMFAg&c=U0G0XJAMhEk_X0GAGzCL7Q&r=rwmQzQ83PyWVjNuYDJl11Kb0Rg61TcIkzm5etUZc0Gg&m=ObfDcxFy-MHPw9qbJPWJQVif1P5NuMxyh03IqSH1PTk&s=Gy_FswvtRZjt5NphZIVwAonDdGJrJt4RI1tjSNlYEwE&e=>

This document briefly explains the benefits and potential risks of deploying a phishing simulation program, and also 
includes a list of popular phishing simulation programs or tools to consider. 
https://library.educause.edu/resources/2016/4/phishing-simulation-programs<https://urldefense.proofpoint.com/v2/url?u=https-3A__na01.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Flibrary.educause.edu-252Fresources-252F2016-252F4-252Fphishing-2Dsimulation-2Dprograms-26data-3D01-257C01-257Csweeney2-2540PITT.EDU-257C800f085a82394fecea5808d40d8eb4e8-257C9ef9f489e0a04eeb87cc3a526112fd0d-257C1-26sdata-3D8AjmvXj66I99Jp4LMAkCtnw0srLxmRLhomu6b1p3NAI-253D-26reserved-3D0&d=DgMFAg&c=U0G0XJAMhEk_X0GAGzCL7Q&r=rwmQzQ83PyWVjNuYDJl11Kb0Rg61TcIkzm5etUZc0Gg&m=ObfDcxFy-MHPw9qbJPWJQVif1P5NuMxyh03IqSH1PTk&s=Dtbymn_aOpDWt47Ynr3t0BwPbPW546nYeY0dE2CgJtE&e=>

Thank you,
Valerie


Valerie Vogel Program Manager, Cybersecurity

EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5374 | main: 202.872.4200 | twitter: @HEISCouncil | 
educause.edu<https://urldefense.proofpoint.com/v2/url?u=https-3A__na01.safelinks.protection.outlook.com_-3Furl-3Dhttp-253A-252F-252Fwww.educause.edu-252F-26data-3D01-257C01-257Csweeney2-2540PITT.EDU-257C800f085a82394fecea5808d40d8eb4e8-257C9ef9f489e0a04eeb87cc3a526112fd0d-257C1-26sdata-3D67SUUI5L8Xir3lCz-252FYz-252BJxZYBn684XrTD02AeQcyNhU-253D-26reserved-3D0&d=DgMFAg&c=U0G0XJAMhEk_X0GAGzCL7Q&r=rwmQzQ83PyWVjNuYDJl11Kb0Rg61TcIkzm5etUZc0Gg&m=ObfDcxFy-MHPw9qbJPWJQVif1P5NuMxyh03IqSH1PTk&s=HCshiJDic9SwK5wJG3lA6BXNqKJUCN1LpJbQnza-3js&e=>

From: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> on 
behalf of Eric Weakland <eric () american edu<mailto:eric () american edu>>
Reply-To: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Date: Tuesday, November 15, 2016 at 11:27 AM
To: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: Re: [SECURITY] Self-Phishing - Pre Launch Messages

James,

We started out telling people exactly – down to the Date and exact time when we would start the campaign.  Then just 
the day.  Then “latter half of the week.”  Then “this week.”  Then “this month.”

Now we’re down to notifying that it would happen throughout the semester.  Notifying in Fall and after Winter break.  I 
think “boiling the frog” is a good strategy here.  We haven’t had many complaints, but a word of advice – be careful 
using some of the phishing templates that vendors have that use a scare tactic saying “A hacker stole your password” – 
this prompted some faculty anger when they fell for it and reset all their passwords and had to deal with the pain of 
that.

Hope this helps,

Eric Weakland, CISSP, CISM, CRISC
Director, Information Security
Office of Information Technology
American University
eric at american.edu
202.885.2241

_____________________________________________
Emails from IT asking you to log in with a link are scams!


From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> on behalf of James Farr <jfarr () UTICA EDU<mailto:jfarr () UTICA EDU>>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () 
LISTSERV EDUCAUSE EDU>>
Date: Tuesday, November 15, 2016 at 11:19 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>" <SECURITY () LISTSERV EDUCAUSE 
EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: [SECURITY] Self-Phishing - Pre Launch Messages


We are exploring self-phishing options with our faculty staff andpossible students.   Wewant to provide notification to 
the users about the program before we send any actual phishing messages. We are thinking that notifications should be 
mentioned at orientation with an annual email reminder.

How often do you notify your users about the self-phishing program?

Can anyone share examples of campus notifications sent out prior to implementing this type of program?

James Farr ’05 G’12

Director of Information Security

Utica College

jfarr () utica edu<mailto:jfarr () utica edu>

315-223-2386
Current thread:

Self-Phishing - Pre Launch Messages James Farr (Nov 15)
- Re: Self-Phishing - Pre Launch Messages David D Grisham (Nov 15)
  - Re: Self-Phishing - Pre Launch Messages Jimenez, Julio (Nov 15)
- Re: Self-Phishing - Pre Launch Messages Shettler, David (Nov 15)
- Re: Self-Phishing - Pre Launch Messages Rob Milman (Nov 15)
- Re: Self-Phishing - Pre Launch Messages Eric Weakland (Nov 15)
  - Re: Self-Phishing - Pre Launch Messages Valerie Vogel (Nov 15)
    - Re: Self-Phishing - Pre Launch Messages Sweeney, Sean (Nov 15)
    - Re: Self-Phishing - Pre Launch Messages Eric Weakland (Nov 15)
    - Re: Self-Phishing - Pre Launch Messages Tamara Bahr (Nov 15)
    - Re: Self-Phishing - Pre Launch Messages James Farr (Nov 15)