Educause Security Discussion mailing list archives

Re: Differentiating Between Real and Phishing Emails to Staff and Students


From: David Kovarik <david-kovarik () NORTHWESTERN EDU>
Date: Tue, 13 May 2008 07:52:23 -0500

Tim - I'm not sure there's an easy answer here.
- First and foremost is to again emphasize that you are not soliciting any
information from your audience.
- With the increasing frequency, you may elect to combine multiple examples
within a pdf.  This helps emphasize your message that you're providing and
not soliciting information.
- We considered digital signatures but collective opinion is users simply
don't confirm the authorization, possibly leading to other issues.
- We put up a webpage that includes recent examples and point to that in our
e-mail
 http://www.it.northwestern.edu/security/phishing-examples.html
- I'd suggest deleting the bogus URL within your examples to prevent the
curious from clicking on the link (I just noticed we neglected to do that in
one of the examples - my bad!).

Hope this helps - Dave
Dave Kovarik, ISS/C
Northwestern University
Office: (847) 467-5930
________________________________

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tim Lane
Sent: Tuesday, May 13, 2008 12:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Differentiating Between Real and Phishing Emails to
Staff and Students

Hi All,

I regularly send out emails to staff and students advising on phishing
scams, general security alerts, password changes etc.  As the frequency of
targeted phishing scams increases, I continue to get more queries by staff
and students questioning if the very emails I send to staff and students are
valid or a scam.

I would be interested in knowing how other institutions are providing
increasing assurance to staff and students that emails from their IT or
Security section are valid.

Examples might include disclaimers, digital signatures or encryption etc,
but if this is an area you have looked at and addressed could you please
advise.

Thanks,
Tim

Tim Lane
Information Security Manager
IT&TS
Southern Cross University
Ph (02) 6620 3530
Mobile 0418 248 571
