Educause Security Discussion mailing list archives

Re: phishing irony


From: James <security () CYCLOHEXANE NET>
Date: Fri, 13 Feb 2009 13:52:09 -0000

Maybe I've missed your point entirely, but sending out your own phish emails
to see who replies doesn't change the "IT dept. will never ask for my
password" rule. People are not supposed to reply; the rule still holds.
Anyone who does reply hasn't followed the rule, and you get to know about it
and educate them before they reply to a real phish.

James

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Friday, February 13, 2009 4:24 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] phishing irony

On Thu, 12 Feb 2009 09:55:25 CST, "HALL, NATHANIEL D." said:
> Why stop sending examples?  To me it seems like a perfect opportunity
> to educate those users who responded.

What little gain you get in education is *vastly* outweighed by the fact
that you can no longer say "WE NEVER ASK FOR PASSWORDS IN EMAIL". You might
be able to get that 7-word version to stick in the average user's brain.

You start trolling your users like this, and what they'll *remember* is:

"IT doesn't ask for our passwords in e-mail, except if it's a training
event, oh and didn't I hear from somebody down the hall they'd do it if they
lost the password database and had to rebuild it, just like this e-mail says
they're doing, and 2 or 3 other cases they'd do it even though they usually
don't..."
