Educause Security Discussion mailing list archives
Re: Internal Phishing Simulation Advice
From: Thomas Skill <tskill1 () UDAYTON EDU>
Date: Mon, 17 Dec 2018 16:20:10 -0500
Ashley,

At the University of Dayton, we have been phishing all faculty and staff on a monthly basis for a couple of years. When we began this process, we decided that these efforts cannot be viewed by our community as a way to "shame or blame" but rather as our way to "train and strengthen." We carefully explained that the bad actors are extremely skilled and agile at their craft of tricking users -- and that we, as a campus community, need to practice and refine our skills.

Our monthly phishing exercises are part of our larger "cyber-mindfulness" awareness strategies. We follow up each month's phishing exercise with a report to the campus on what was sent, what the "tells" were for detecting the phish, and how well we did as a community (click rates). We have discovered that the campus has really engaged in this activity. They are not complaining or feeling tricked. They are talking about it with us and their colleagues - and they are demonstrating the behaviors that we have been striving to establish --- cybersecurity mindfulness!

One of the greatest benefits of this approach has been our ability to determine the types of phishes that put us at greatest risk. For our community, two types of messages were most dangerous (and thus we have engaged in additional awareness training around those). The two types that were most effective were:

1. *Spoofed messages from delivery services* - UPS, Amazon and FedEx. We saw click rates nearly 3 times greater for these over all other types of messages. Intuitively, this result makes sense since these messages exploit familiar and expected messages. However, intuition can't drive the day -- we now have the data and can use that to help engage the community in risk awareness.

2. Phish *messages to faculty that express an interest in their research* are extremely effective. This type of message had a very high click rate among faculty and we had to delicately address how best to avoid being exploited when one's ego may be in play.
We have had solid support for these phishing exercises from our senior leadership and board. Much of that support was based on the fact that we have positioned the phishing as part of a very robust communications campaign on cybersecurity that was grounded in openness/transparency and sustained engagement with the campus. We also have tried very hard not to make this a "gloom and doom" campaign. Our messaging is very conversational in tone, frequently humorous, and strives to publicly recognize and reward those who are doing the right things.

Hope this helps!

Tom

Thomas Skill, Ph.D.
Associate Provost & CIO
Professor, Communication
Office (937) 229-4307
Fax (937) 229-4044
eMail: skill () udayton edu <tskill1 () udayton edu>
Twitter: @skilltd <https://twitter.com/skilltd>
Linkedin: skilltd <http://www.linkedin.com/in/skilltd>
UDit
University of Dayton
300 College Park
Dayton, OH 45469-2230
*GO.UDAYTON.EDU/SAFECOMPUTING <http://go.udayton.edu/SAFECOMPUTING>*

On Mon, Dec 17, 2018 at 11:08 AM Valentijn, Ashley <axv749 () miami edu> wrote:
Good morning,

We want to launch an internal phishing simulation in order to better train our employees on recognizing phishing emails. Target participants are university faculty and staff. Any advice, suggestions, and/or recommendations on how to successfully implement such a simulation would be much appreciated. We are looking at possibly using GoPhish or Microsoft's new Phishing Attack Simulator.

Thank you in advance! Feel free to send me a direct email or I am also open to the possibility of a quick phone call.

Warm Regards,

*Ashley Valentijn*
Security Engineer
*Information Security Office*
University of Miami
*P: 305-284-4582 | E: axv749 () miami edu <axv749 () miami edu>*
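Tom's reply above rests on one measurement: the click rate of each monthly exercise, broken down by message type, which is what let Dayton discover that delivery-service lures drew roughly three times the clicks of everything else. The script below is an added example of that roll-up, not code from either poster or from GoPhish or Microsoft's simulator. The campaign result records are constructed for illustration and follow no real tool's export format; the category labels, the status funnel (sent/opened/clicked/submitted) and the `reported` flag are assumptions. It computes per-category click and report rates and the relative risk of one category against the pooled rate of all others, which is the figure the monthly campus report would quote.

```python
"""Click-rate roll-up for an internal phishing simulation program.

Constructed example: the result records below are invented for illustration
and do not follow the export format of GoPhish or any other tool.
"""
from collections import defaultdict
from dataclasses import dataclass

# Each target ends a campaign in exactly one final funnel state; higher rank
# implies the earlier states (a "submitted" user also opened and clicked).
STATUS_RANK = {"sent": 0, "opened": 1, "clicked": 2, "submitted": 3}


@dataclass(frozen=True)
class Result:
    campaign: str   # campaign name used in the monthly report (assumed label)
    category: str   # lure type, e.g. "delivery-service" (assumed label)
    status: str     # final funnel state, one of STATUS_RANK
    reported: bool  # target reported the message to the help desk


def constructed_results():
    """Build an invented result set: three campaigns of ten targets each."""
    rows = []
    # campaign, category, final-state counts (sent, opened, clicked, submitted), reports
    spec = [
        ("2018-11 UPS delivery notice", "delivery-service", 2, 2, 4, 2, 3),
        ("2018-10 research interest", "research-interest", 3, 3, 3, 1, 2),
        ("2018-09 IT password expiry", "it-notice", 5, 3, 2, 0, 5),
    ]
    for campaign, cat, n_sent, n_opened, n_clicked, n_submitted, n_reported in spec:
        statuses = (["sent"] * n_sent + ["opened"] * n_opened
                    + ["clicked"] * n_clicked + ["submitted"] * n_submitted)
        for i, status in enumerate(statuses):
            rows.append(Result(campaign, cat, status, reported=i < n_reported))
    return rows


def summarize(results):
    """Per-category counts plus click and report rates (fractions of targets)."""
    per_cat = defaultdict(lambda: {"targets": 0, "clicked": 0, "reported": 0})
    for r in results:
        if r.status not in STATUS_RANK:
            raise ValueError(f"unknown status {r.status!r} in {r.campaign}")
        bucket = per_cat[r.category]
        bucket["targets"] += 1
        # A click is counted for any state at or past "clicked" in the funnel.
        if STATUS_RANK[r.status] >= STATUS_RANK["clicked"]:
            bucket["clicked"] += 1
        if r.reported:
            bucket["reported"] += 1
    for bucket in per_cat.values():
        bucket["click_rate"] = bucket["clicked"] / bucket["targets"]
        bucket["report_rate"] = bucket["reported"] / bucket["targets"]
    return dict(per_cat)


def relative_risk(summary, category):
    """Click rate of one category divided by the pooled click rate of all others.

    A value near 3.0 is the kind of finding Dayton describes for delivery lures.
    Returns inf when no other category recorded a click.
    """
    own = summary[category]["click_rate"]
    other_clicks = sum(v["clicked"] for k, v in summary.items() if k != category)
    other_targets = sum(v["targets"] for k, v in summary.items() if k != category)
    if other_targets == 0 or other_clicks == 0:
        return float("inf")
    return own / (other_clicks / other_targets)


def report_lines(summary):
    """Plain-text lines suitable for the monthly campus report."""
    lines = []
    for cat in sorted(summary, key=lambda c: summary[c]["click_rate"], reverse=True):
        s = summary[cat]
        lines.append(f"{cat:18s} clicked {s['click_rate']:5.1%}  reported {s['report_rate']:5.1%}"
                     f"  relative risk {relative_risk(summary, cat):.2f}")
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(summarize(constructed_results()))))
```

The report rate matters as much as the click rate: a campaign with a low click rate but no help-desk reports still means nobody noticed the "tells," which is the behavior the monthly follow-up message is trying to build.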