Educause Security Discussion mailing list archives

Re: phishing irony


From: "Falcon, Patricia" <Patricia_Falcon () BROWN EDU>
Date: Fri, 13 Feb 2009 10:05:21 -0500

This sounds like the company Phishme (http://phishme.com/), which
launched a service like this last summer. 

Has anyone had any experience with their product or similar software?

Pat Falcon
IT Security Policy and Communication Coordinator
Computing and Information Services || Information Security Group
Brown University 


-----Original Message-----
From: Ozzie Paez [mailto:ozpaez () SPRYNET COM] 
Sent: Thursday, February 12, 2009 10:45 AM
Subject: Re: phishing irony

One of the more useful and interesting approaches to awareness and
training that I have seen involved a company that would come into the
organization and create a fake web site that looked similar to the real
one.  They would then send out phishing messages to the 'target'
population and track the response.  When someone used the fake link to
log on, they would get a message telling them in a nice, funny, serious
(pick your style) way that they 'got phished'; the message would explain
the implications, policies and provide a training link.  The statistics
from the program would then be provided to the client so that they could
track how well their users were doing in avoiding phishing attacks.
While I could not independently verify it, they claimed that the
approach improved the effectiveness of security training in this area by
over 85%.  Anyway, this sounds like a fairly simple and low cost method
to assess how well users are doing avoiding phishing attacks and for
measuring training performance.  My guess is that it could also be done
in-house without much effort.

Ozzie Paez
SSE/CISSP
SAIC
303-332-5363
