Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: phishing irony

From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 13 Feb 2009 08:16:48 -0500
Valdis Kletnieks wrote:

On Thu, 12 Feb 2009 09:55:25 CST, "HALL, NATHANIEL D." said:

Why stop sending examples?  To me it seems like a perfect opportunity to
educate those users who responded.


What little gain you get in education is *vastly* outweighed by the fact that
you can no longer say "WE NEVER ASK FOR PASSWORDS IN EMAIL". You might be able
to get that 7-word version to stick in the average user's brain.

You start trolling your users like this, and what they'll *remember* is:

"IT doesn't ask for our passwords in e-mail, except if it's a training event,
oh and didn't I hear from somebody down the hall they'd do it if they lost the
password database and had to rebuild it, just like this e-mail says they're
doing, and 2 or 3 other cases they'd do it even though they usually don't..."


I hadn't thought of that.

We'd considered a phish testing/awareness campaign a year or so ago
but the higher-ed email phishers are doing a pretty good job of it
for us now.


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Previous By Date Next
Previous By Thread Next

Current thread: