Educause Security Discussion mailing list archives
Re: Differentiating Between Real and Phishing Emails to Staff and Students
From: Bob Bayn <Bob.Bayn () USU EDU>
Date: Tue, 13 May 2008 09:18:32 -0600
Tim at Southern Cross wrote:

> I regularly send out emails to staff and students advising on phishing scams, general security alerts, password changes etc. As the frequency of targeted phishing scams increases, I continue to get more queries from staff and students questioning whether the very emails I send to staff and students are valid or a scam. I would be interested in knowing how other institutions are providing increasing assurance to staff and students that emails from their IT or Security section are valid. Examples might include disclaimers, digital signatures or encryption etc., but if this is an area you have looked at and addressed, could you please advise.
That's a topic for our Users Advisory Committee meeting this week. We are not just concerned with being mistaken for phishing messages seeking information but also other email inducements to visit malware-infected web sites. Of course, the fact that we have users who are suspicious of our legit messages doesn't preclude the fact that we also have users whose pictures are next to the definition of "gullible" at www.dictionary.com.

After getting a little harsh with the first user who contacted us to question the legitimacy of one of our messages, I apologized and have taken the approach of congratulating them for being an "internet skeptic" and telling them about the things we do to make our messages recognizably real. Of course, any guidelines we can give to recognize real messages from us will only distinguish us from relatively generic phishing but can then be used against us in a well-crafted spear-phishing attack.

We tell them:

1) we'll never send you important info in attachments
2) we'll never ask for your password in email
3) we'll always send our message with some standard features including:
   a) spell out "Utah State University" and not "USU", which can be gleaned from our domain name
   b) sign our messages from an individual on our staff who is in the phonebook (none of the "customer care center" or "the usu.edu team" stuff)
   c) include our actual unit title and location
4) we'll never make changes on short notice that require you to take significant irrevocable action ("You have 48 hours or we'll delete your email account")
5) we'll always identify the constituency receiving a bulk mail message.

And I like to include something timely and local, if irrelevant, that a phisher wouldn't think to do. For instance:

1) "While you're resting at your desk recovering from shoveling all that snow we got overnight, read this:"
2) "Take your mind off the disappointing withdrawal of Mitt Romney from the presidential race by reading this:"
3) "I hope you weren't stuck in traffic because of the accident on North Main this morning and have time to read this:"
4) "Even though Parking Services just raised the price of a parking permit, I need to have you read this:" (Parking Services complained about that one)

--
Bob Bayn                         ride-a-bike                    (435)797-2396
Network Security Team coordinator
Office of Information Technology
Utah State University
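The five rules above are stated as things users can check by eye, but the same rules can be checked mechanically before a bulk message goes out. The following script is an added example, not code from the original post or from Utah State University: it parses an outbound draft with Python's standard `email` package and reports which of the rules it breaks (attachment present, password request, institution name not spelled out, generic or unlisted signer, missing unit title, short irrevocable deadline, no stated constituency). The phonebook names, unit titles, regular expressions and sample drafts are all constructed for the example.

```python
"""Outbound bulk-mail linter built around the guidelines in the message above.

Added example; the phonebook, unit list, patterns and sample drafts are
constructed for illustration and are not the original post's material.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed "phonebook" of staff allowed to sign bulk mail (rule 3b) and the
# unit titles that must appear somewhere in the body (rule 3c).
PHONEBOOK = {"Bob Bayn"}
UNIT_TITLES = {"Network Security Team", "Office of Information Technology"}

# Rule 2: a request verb followed within 60 characters by "password".
PASSWORD_REQUEST = re.compile(
    r"\b(reply|send|provide|confirm|enter|verify|submit)\b.{0,60}\bpassword\b",
    re.I | re.S,
)
# Rule 3b: impersonal sign-offs the post explicitly rules out.
GENERIC_SIGNER = re.compile(r"customer care|\bthe \S+ team\b", re.I)
# Rule 4: "N hours/days" followed shortly by an irrevocable consequence.
SHORT_DEADLINE = re.compile(
    r"\b\d{1,3}\s*(hours?|days?)\b.{0,60}\b(delete|disable|suspend|terminate|lose|lock)",
    re.I | re.S,
)
# Rule 5: an explicit statement of who is receiving the message.
CONSTITUENCY = re.compile(r"\b(going|sent|being sent|addressed) to (all|every)\b", re.I)


def lint_draft(raw: str) -> list[str]:
    """Return the list of rule violations found in an RFC 5322 draft."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: list[str] = []

    # Rule 1: never send important info in attachments.
    if any(True for _ in msg.iter_attachments()):
        findings.append("attachment")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""

    if PASSWORD_REQUEST.search(body):
        findings.append("password_request")
    # Rule 3a: spell the institution out rather than relying on the domain.
    if "Utah State University" not in body:
        findings.append("institution_not_spelled_out")
    # Rule 3b: the signature block (last six non-blank lines) must name a real
    # person from the phonebook and must not use a generic team sign-off.
    tail = "\n".join([ln for ln in body.splitlines() if ln.strip()][-6:])
    if not any(name in tail for name in PHONEBOOK) or GENERIC_SIGNER.search(tail):
        findings.append("generic_signer")
    if not any(unit in body for unit in UNIT_TITLES):
        findings.append("missing_unit")
    if SHORT_DEADLINE.search(body):
        findings.append("short_deadline")
    if not CONSTITUENCY.search(body):
        findings.append("no_constituency")
    return findings


# Constructed drafts for demonstration.
GOOD_DRAFT = """\
From: Bob Bayn <bob.bayn@usu.edu>
To: all-staff@usu.edu
Subject: Phishing reminder
Content-Type: text/plain; charset=us-ascii

This message is going to all faculty and staff at Utah State University.

Phishing messages that ask for your password are circulating. We will
never ask for it, and nothing in this notice requires action today.

Bob Bayn
Network Security Team coordinator
Office of Information Technology
Utah State University
"""

BAD_DRAFT = """\
From: USU Customer Care Center <care@usu.edu>
To: all-staff@usu.edu
Subject: URGENT: account verification
Content-Type: text/plain; charset=us-ascii

Dear user,
Please reply with your password to verify your USU account.
You have 48 hours or we'll delete your email account.
Thanks, the usu.edu team
"""


def build_attachment_draft() -> str:
    """A draft that follows every rule except rule 1 (it carries a PDF)."""
    msg = EmailMessage()
    msg["From"] = "Bob Bayn <bob.bayn@usu.edu>"
    msg["To"] = "all-staff@usu.edu"
    msg["Subject"] = "Policy update"
    msg.set_content(GOOD_DRAFT.split("\n\n", 1)[1])
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="policy.pdf")
    return msg.as_string()


if __name__ == "__main__":
    for label, draft in (("good", GOOD_DRAFT), ("bad", BAD_DRAFT),
                         ("attachment", build_attachment_draft())):
        print(label, lint_draft(draft))
```

The checks are deliberately conservative string and regular-expression tests on the plain-text body; they catch a draft that drifts from the stated conventions, not a determined impersonator, which is the same limitation the post notes about the rules themselves.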
Current thread:
- Differentiating Between Real and Phishing Emails to Staff and Students Tim Lane (May 12)
- Re: Differentiating Between Real and Phishing Emails to Staff and Students Joel Rosenblatt (May 13)
- Re: Differentiating Between Real and Phishing Emails to Staff and Students David Kovarik (May 13)
- Re: Differentiating Between Real and Phishing Emails to Staff and Students Kubb, Rick (May 13)
- Re: Differentiating Between Real and Phishing Emails to Staff and Students Bob Bayn (May 13)
- Re: Differentiating Between Real and Phishing Emails to Staff and Students Mike Waller (May 13)
- Re: Differentiating Between Real and Phishing Emails to Staff and Students Sarah Stevens (May 13)
- Re: Differentiating Between Real and Phishing Emails to Staff and Students Ozzie Paez (May 14)