Educause Security Discussion mailing list archives

Re: FYI: Another round of spear Phishing


From: Matthew Gracie <graciem () CANISIUS EDU>
Date: Thu, 19 Jun 2008 09:54:18 -0400

Koerber, Jeff wrote:
Since our spam filters don't seem to be working for these Phishing
attempts, education is the only other alternative.  I was thinking
about sending out a phony phishing message to all students.  It would
direct users to a lighthearted website (entitled "You shouldn't have
clicked on this link") and it would educate them about Phishing and
let them know that we would never ask for their password and how they
should never give out their password to anyone.  That will target the
people we want to receive the message.

Has anyone tried something like this? Do you think it is a good idea?
I could see some saying that they were upset to find out that we were
behind this stunt.

I suggested something like this to our CIO last year, and he pointed out
(rightly) that if we do something like this we're going to lose a huge
amount of credibility with our user base.

For example, right now we're starting an AD deployment, and for various
reasons I won't get into here we need our users who are testing it to
reset their passwords with a web app. I don't think they'd be so willing
to respond to a legitimate request like this if they thought we were
testing them again. Nobody likes to be painted as a fool.

--Matt

--
Matt Gracie                         (716) 888-8378
Information Security Administrator  graciem () canisius edu
Canisius College ITS                Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg