Educause Security Discussion mailing list archives

Re: Differentiating Between Real and Phishing Emails to Staff and Students


From: Bob Bayn <Bob.Bayn () USU EDU>
Date: Tue, 13 May 2008 09:18:32 -0600


Tim at Southern Cross wrote:
I regularly send out emails to staff and students advising on phishing
scams, general security alerts, password changes etc.  As the frequency of
targeted phishing scams increases, I continue to get more queries by staff
and students questioning if the very emails I send to staff and students are
valid or a scam.

I would be interested in knowing how other institutions are providing
increasing assurance to staff and students that emails from their IT or
Security section are valid.

Examples might include disclaimers, digital signatures or encryption etc.,
but if this is an area you have looked at and addressed could you please
advise.

That's a topic for our Users Advisory Committee meeting this week.  We
are not just concerned with being mistaken for phishing messages seeking
information but also other email inducements to visit malware-infected
web sites.  Of course, the fact that we have users who are suspicious of
our legit messages doesn't preclude the fact that we also have users whose
pictures are next to the definition of "gullible" at www.dictionary.com.

After getting a little harsh with the first user who contacted us to
question the legitimacy of one of our messages, I apologized and have
taken the approach of congratulating them for being an "internet skeptic"
and telling them about the things we do to make our messages recognizably
real.

Of course, any guidelines we can give to recognize real messages from us
will only distinguish us from relatively generic phishing but can then be
used against us in a well crafted spear-phishing attack.

We tell them:
1) we'll never send you important info in attachments
2) we'll never ask for your password in email
3) we'll always send our message with some standard features including:
  a) spell out "Utah State University" and not "USU" which can be gleaned
     from our domain name.
  b) sign our messages from an individual on our staff who is in the phonebook
     (none of the "customer care center" or "the usu.edu team" stuff)
  c) include our actual unit title and location
4) we'll never make changes on short notice that require you to take
   significant irrevocable action ("You have 48 hours or we'll delete your
   email account")
5) we'll always identify the constituency receiving a bulkmail message.

And I like to include something timely and local, if irrelevant, that a
phisher wouldn't think to do.  For instance:
1) "While you're resting at your desk recovering from shoveling all that
snow we got overnight, read this:"
2) "Take your mind off the disappointing withdrawal of Mitt Romney from
the presidential race by reading this:"
3) "I hope you weren't stuck in traffic because of the accident on North
Main this morning and have time to read this:"
4) "Even though Parking Services just raised the price of a parking permit,
I need to have you read this:" (parking service complained about that one)

--
Bob Bayn  ride-a-bike (435)797-2396
Network Security Team coordinator
Office of Information Technology
Utah State University
