Educause Security Discussion mailing list archives

Re: FYI: Another round of spear Phishing


From: Dean Halter <Dean.Halter () NOTES UDAYTON EDU>
Date: Thu, 19 Jun 2008 11:23:38 -0400

We're in the same boat as far as being subject to recent phishing
campaigns.  We use Ironport and send occasional emails letting folks know
we'll never initiate an exchange of their personally identifiable or
account information.  Unfortunately, it's not enough.  Not trying to
flame, but I don't see conducting a phish test as fostering so much a loss
of credibility, but a loss of flexibility on the part of IT.  I might be
able to live w/ that, especially from a security standpoint, if we can still
get projects done employing multiple techniques such as education,
advertising, use of branding, etc. that the bad guys can't match.  As a
previous poster said, "I've yet to see anyone respond twice...."

I certainly agree that no one wants to look the fool.  It's just that the
folks that are going to fall for the test would probably also fall for a
scam.  I am curious to hear what others think of using "deception" to
educate.

I suggested something like this to our CIO last year, and he pointed out
(rightly) that if we do something like this we're going to lose a huge
amount of credibility with our user base.

For example, right now we're starting an AD deployment, and for various
reasons I won't get into here we need our users who are testing it to
reset their passwords with a web app. I don't think they'd be so willing
to respond to a legitimate request like this if they thought we were
testing them again. Nobody likes to be painted as a fool.

--Matt
Dean Halter
IT Risk Management Officer
University of Dayton
