Educause Security Discussion mailing list archives

Re: Internal Phishing Simulation Advice


From: Thomas Skill <tskill1 () UDAYTON EDU>
Date: Mon, 17 Dec 2018 16:20:10 -0500

Ashley

At the University of Dayton, we have been phishing all faculty and staff on
a monthly basis for a couple years. When we began this process, we decided
that these efforts cannot be viewed by our community as a way to "shame or
blame" but rather as our way to "train and strengthen."

We carefully explained that the bad actors are extremely skilled and agile
at their craft of tricking users -- and that we, as a campus community,
need to practice and refine our skills. Our monthly phishing exercises are
part of our larger "cyber-mindfulness" awareness strategies. We follow up
each month's phishing exercise with a report to the campus on what was
sent, what the "tells" were for detecting the phish and how well we did as
a community (click rates).  We have discovered that the campus has really
engaged in this activity.  They are not complaining or feeling tricked.
They are talking about it with us and their colleagues - and they are
demonstrating the behaviors that we have been striving to establish ---
cybersecurity mindfulness!

One of the greatest benefits of this approach has been our ability to
determine the types of phishes that put us at greatest risk.  For our
community, two types of messages were most dangerous (and thus we have
engaged in additional awareness training around those).  The two types that
were most effective were:

   1. *Spoofed messages from delivery services* - UPS, Amazon and Fed Ex.
   We saw click rates nearly 3 times greater for these over all other types of
   messages.  Intuitively, this result makes sense since these messages exploit
   familiar and expected messages. However, intuition can't drive the day --
   we now have the data and can use that to help engage the community in risk
   awareness.
   2. *Phish messages to faculty that express an interest in their research*
   are extremely effective.  This type of message had a very high click rate
   among faculty and we had to delicately address how best to avoid being
   exploited when one's ego may be in play.

We have had solid support for these phishing exercises from our senior
leadership and board.  Much of that support was based on the fact that we
have positioned the phishing as part of a very robust communications
campaign on cybersecurity that was grounded in openness/transparency and
sustained engagement with the campus.  We also have tried very hard not to
make this a "gloom and doom" campaign.  Our messaging is very
conversational in tone, frequently humorous and strives to publicly
recognize and reward those who are doing the right things.

Hope this helps!
Tom


Thomas Skill, Ph.D.
Associate Provost & CIO
Professor, Communication
Office (937) 229-4307
Fax (937) 229-4044

eMail: skill () udayton edu <tskill1 () udayton edu>
Twitter: @skilltd <https://twitter.com/skilltd>
Linkedin: skilltd <http://www.linkedin.com/in/skilltd>

UDit
University of Dayton
300 College Park
Dayton, OH 45469-2230


*GO.UDAYTON.EDU/SAFECOMPUTING <http://go.udayton.edu/SAFECOMPUTING>*
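One way to turn each month's simulation results into the per-category comparison Tom describes (click rate by template type, plus the "nearly 3 times greater" lift of one category over all other message types), as an added example that is not part of the original post and not code from GoPhish or Microsoft's simulator. The `Result` row shape, the category names and every count below are constructed sample data; in a real run the rows would be loaded from whatever the simulation tool exports.

```python
"""Per-category summary of a phishing-simulation run (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: str   # name of the monthly exercise, e.g. "2018-10"
    category: str   # template type, e.g. "delivery" or "research_interest"
    clicked: bool   # recipient followed the simulated link
    reported: bool  # recipient reported the message to the security team


def summarize(results):
    """Return {category: {sent, clicked, reported, click_rate, report_rate}}."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for r in results:
        c = counts[r.category]
        c["sent"] += 1
        c["clicked"] += int(r.clicked)
        c["reported"] += int(r.reported)
    return {
        cat: {
            **c,
            "click_rate": c["clicked"] / c["sent"],
            "report_rate": c["reported"] / c["sent"],
        }
        for cat, c in counts.items()
    }


def lift_vs_rest(summary, category):
    """Click rate of `category` divided by the pooled click rate of all other
    categories (the "N times greater than everything else" figure).
    Returns None when there is no comparison group or it never clicked."""
    rest_sent = sum(v["sent"] for k, v in summary.items() if k != category)
    rest_clicked = sum(v["clicked"] for k, v in summary.items() if k != category)
    if category not in summary or rest_sent == 0 or rest_clicked == 0:
        return None
    return summary[category]["click_rate"] / (rest_clicked / rest_sent)


def riskiest(summary, n=2):
    """Template categories ordered by click rate, highest first."""
    return sorted(summary, key=lambda k: summary[k]["click_rate"], reverse=True)[:n]


def _rows(campaign, category, sent, clicked, reported):
    # Build `sent` constructed rows: the first `clicked` recipients clicked,
    # the last `reported` recipients reported the message.
    return [
        Result(campaign, category, i < clicked, i >= sent - reported)
        for i in range(sent)
    ]


# Constructed sample: four monthly exercises, one template category each.
SAMPLE = (
    _rows("2018-09", "hr_benefits", 150, 18, 60)
    + _rows("2018-10", "delivery", 200, 60, 40)
    + _rows("2018-11", "research_interest", 50, 20, 5)
    + _rows("2018-12", "password_reset", 200, 16, 90)
)


def report(results):
    """Render the campus-facing numbers as plain text lines."""
    summary = summarize(results)
    lines = []
    for cat in riskiest(summary, n=len(summary)):
        s = summary[cat]
        lift = lift_vs_rest(summary, cat)
        lift_txt = "n/a" if lift is None else f"{lift:.1f}x"
        lines.append(
            f"{cat:<18} sent={s['sent']:>4} click={s['click_rate']:.1%} "
            f"report={s['report_rate']:.1%} lift_vs_rest={lift_txt}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

`lift_vs_rest` compares a category against the pooled rate of everything else rather than against the average of the other categories' rates, so a small campaign (50 faculty) does not get the same weight as a campus-wide one (200 recipients); the report rate is included because a rising report rate is the behaviour change the exercise is meant to produce.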



On Mon, Dec 17, 2018 at 11:08 AM Valentijn, Ashley <axv749 () miami edu> wrote:

Good morning,



We want to launch an internal phishing simulation in order to better train
our employees on recognizing phishing emails. Target participants are
university faculty and staff.



Any advice, suggestions, and/or recommendations on how to successfully
implement such a simulation would be much appreciated. We are looking at
possibly using GoPhish or Microsoft's new Phishing Attack Simulator.



Thank you in advance! Feel free to send me a direct email or I am also
open to the possibility of a quick phone call.



Warm Regards,

*Ashley Valentijn*

Security Engineer

*Information Security Office*

University of Miami

P: 305-284-4582 | E: axv749 () miami edu <axv749 () miami edu>


