Educause Security Discussion mailing list archives

Re: Differentiating Between Real and Phishing Emails to Staff and Students


From: Mike Waller <mwaller.distro () GMAIL COM>
Date: Tue, 13 May 2008 23:08:03 -0400

We wrestled with this at my last job, which was at a medical research
institution. On the one hand, we wanted to educate and increase the
awareness of the many scams out there, but we didn't want to push our campus
audience into tuning out.

I think the best thing you can do is to vary your delivery method and focus
on those areas that have some novelty -- either a new type of scam, a new
delivery method or something new in the world of social engineering. If
you're doing that, you're probably going to see your best results. Too many
emails build up a certain fatigue and will cause your emails to wind up as
part of that vast hiss of email white noise users ignore. Focus on varying
the delivery methods. In addition to email, use alerts on various campus
websites, mention the scams in meetings/training, use posters, etc. There
are a lot of ways to get the word out.

Mike

On Tue, May 13, 2008 at 1:04 AM, Tim Lane <tlane () scu edu au> wrote:

Hi All,

I regularly send out emails to staff and students advising on phishing
scams, general security alerts, password changes etc.  As the frequency of
targeted phishing scams increases, I continue to get more queries by staff
and students questioning if the very emails I send to staff and students are
valid or a scam.

I would be interested in knowing how other institutions are providing
increasing assurance to staff and students that emails from their IT or
Security section are valid.

Examples might include disclaimers, digital signatures or encryption etc,
but if this is an area you have looked at and addressed could you please
advise.

Thanks,

Tim

Tim Lane
Information Security Manager
IT&TS
Southern Cross University
Ph (02) 6620 3530
Mobile 0418 248 571
