Re: [EXTERNAL] [SECURITY] Internal Phishing Simulation Advice

[Michael Duff <mjduff () STANFORD EDU>]

At Stanford, we conduct weekly simulated phishing campaigns for all employees -- see 
phishing.stanford.edu<http://phishing.stanford.edu>.  My philosophy is that it needs to be frequent in order to provide 
effective training, otherwise it's merely testing susceptibility.

Our phishing awareness program has been very successful thanks to our well planned advance communications and because 
we position it as "no harm, no foul".  Tad Perillo (cc'd) leads the program and can provide more information upon 
request.

Michael Duff
Assistant Vice President and Chief Information Security Officer
Stanford | University IT
michael.duff () stanford edu<mailto:michael.duff () stanford edu>
650-721-3111

On Dec 17, 2018, at 8:38 AM, Allan Chen <allanchen () MUHLENBERG EDU<mailto:allanchen () MUHLENBERG EDU>> wrote:

Alexander,
You run monthly phishing simulations? Do you set them up so that it's obvious that it's a simulation? Do you run them 
monthly across the entire institution? That seems pretty frequent, and I worry that if we tried that here that the 
community would feel we are trying to "trick" them on a regular basis. Faculty, in particular.

I know monthly is considered the standard in industry. Higher ed is weird, we all know.
allan

Chief Information Officer
Muhlenberg College<http://www.muhlenberg.edu>
484-664-3464

Office of Information Technology Blog<http://it.blogs.muhlenberg.edu>
twitter: @kaiyen<https://twitter.com/kaiyen>




On Mon, Dec 17, 2018 at 11:23 AM Alexander Johnson <000000a201751165-dmarc-request () listserv educause 
edu<mailto:000000a201751165-dmarc-request () listserv educause edu>> wrote:
Ashley,

Our institution uses Knowbe4 for this purpose. We have seen great results. We require our full-time staff/faculty to 
complete yearly training that covers basic threats that our users may encounter. This coupled with monthly phishing 
simulations has greatly increased awareness. In fact, users are now overly cautious when it comes to email but this is 
handy when something inevitably get past our spam filter.

I’m happy to answer any specific questions you have via email or phone.

Alexander Johnson
Network Administrator
Information Technology
o: 918.335.6295  m:918.332.6587

OKLAHOMA WESLEYAN UNIVERSITY
<image001.png><https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fna01.safelinks.protection.outlook.com%2f%3furl%3dhttp%253A%252F%252Fwww.okwu.edu%252F%26data%3d01%257C01%257CBrett.Nelson%2540arris.com%257C9b9489fd9ee64cb4d07a08d5e37d7607%257Cf27929ade5544d55837ac561519c3091%257C1%26sdata%3du%252FwuLCi7nXTTm23ZCJO4YUsv3Rd67rU5DtFd1g%252BPmCQ%253D%26reserved%3d0&c=E,1,7zX8hnkU4k3O9q9fFaxjt4gZjo9olZYy3D2ATJtT1VrO3pzLemageCtZMhUAqSpXgMLngR3dBJz199bzlolPj-mmbSlG-6CmRIeanoTWVjQ,&typo=1>
 
<image002.png><https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fna01.safelinks.protection.outlook.com%2f%3furl%3dhttp%253A%252F%252Fwww.okwueagles.com%252F%26data%3d01%257C01%257CBrett.Nelson%2540arris.com%257C9b9489fd9ee64cb4d07a08d5e37d7607%257Cf27929ade5544d55837ac561519c3091%257C1%26sdata%3dqqfnntGI8HTE8MWCSQ%252BkiTQuM3kkg31wqqCF1onSXUU%253D%26reserved%3d0&c=E,1,X_25xVM06z2xeIwnjacGdtKe9I9jn8-sMynbc0AcT_L0EJoGJsuE5cs3h5c-497IN7UvL9iAJ6m2Zsecy_PcnI_52TwmLv9Su_cCr9Y1fQ,,&typo=1>
 
<image003.png><https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fna01.safelinks.protection.outlook.com%2f%3furl%3dhttp%253A%252F%252Fwww.facebook.com%252Fokwuniv%26data%3d01%257C01%257CBrett.Nelson%2540arris.com%257C9b9489fd9ee64cb4d07a08d5e37d7607%257Cf27929ade5544d55837ac561519c3091%257C1%26sdata%3d0BXM6ydAOlpq%252F%252FrX%252FZjHwhRCvwgH8625d10rvutr3s4%253D%26reserved%3d0&c=E,1,j03KOOLeawEqRgNOFcd0M6jOllWA_iaUTXcvBsBVWAqUEc_2FSkCtA7pn2W4XLDnsij8rddmp5NI_Dud87K3HkxmC1lRhEpHdG8jOsA--Oi_5cnilg,,&typo=1>
 
<image004.png><https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fna01.safelinks.protection.outlook.com%2f%3furl%3dhttp%253A%252F%252Fwww.twitter.com%252Fokwuniv%26data%3d01%257C01%257CBrett.Nelson%2540arris.com%257C9b9489fd9ee64cb4d07a08d5e37d7607%257Cf27929ade5544d55837ac561519c3091%257C1%26sdata%3dHyaGXY6Lpssh98aCrE%252FPnW0rNF3ewpP0bhFkrPW3Rrs%253D%26reserved%3d0&c=E,1,0vO2_GHutdNUsI_cWf3uNSImZTDn0U5TuyZQt1HwXHLMn0N7DZMLTqpOmsbou_ntVKD4tHRTq3YLmvrHxfbSj7C3nIUMkYiTU4p4uqMArMqi&typo=1>
 
<image005.png><https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fna01.safelinks.protection.outlook.com%2f%3furl%3dhttp%253A%252F%252Fwww.instagram.com%252Fokwuniv%26data%3d01%257C01%257CBrett.Nelson%2540arris.com%257C9b9489fd9ee64cb4d07a08d5e37d7607%257Cf27929ade5544d55837ac561519c3091%257C1%26sdata%3dMpab7i67Ktsfawj%252FjmFqqq0cZzpuy4FBConYyZkeEjg%253D%26reserved%3d0&c=E,1,tj5h1aQn6TiMquUFbTip0u6lH0csi6YNAUyGmmZ2Mtvt-avD8X7R4UKzgdEa0QljkUgkTx_ZxEQVfUgS9NTThy8Hv0Zu3uXjiyg1nxuHK4Bfw-fl1-o,&typo=1>

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Valentijn, Ashley
Sent: Monday, December 17, 2018 9:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [EXTERNAL] [SECURITY] Internal Phishing Simulation Advice


Good morning,



We want to launch an internal phishing simulation in order to better train our employees on recognizing phishing 
emails. Target participants are university faculty and staff.



Any advice, suggestions, and/or recommendations on how to successfully implement such a simulation would be much 
appreciated. We are looking at possibly using GoPhish or Microsoft's new Phishing Attack Simulator.



Thank you in advance! Feel free to send me a direct email or I am also open to the possibility of a quick phone call.



Warm Regards,
Ashley Valentijn
Security Engineer
Information Security Office
University of Miami
P: 305-284-4582 | E: axv749 () miami edu<mailto:axv749 () miami edu>