Educause Security Discussion mailing list archives

Re: phishing irony


From: "HALL, NATHANIEL D." <halln () OTC EDU>
Date: Fri, 13 Feb 2009 09:09:05 -0600

It might seem deceptive, but you don't have to tell them the IT department sent the e-mail. It is probably best if they don't know. When I see a phishing e-mail come to any of my multiple college mailboxes I do a search to see if anybody has replied. If they have then I contact them. Why not act the same way with the IT generated messages?

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking

Office: (417) 447-7535


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Thursday, February 12, 2009 10:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] phishing irony

On Thu, 12 Feb 2009 09:55:25 CST, "HALL, NATHANIEL D." said:
> Why stop sending examples?  To me it seems like a perfect opportunity to
> educate those users who responded.

What little gain you get in education is *vastly* outweighed by the fact that
you can no longer say "WE NEVER ASK FOR PASSWORDS IN EMAIL". You might be able
to get that 7-word version to stick in the average user's brain.

You start trolling your users like this, and what they'll *remember* is:

"IT doesn't ask for our passwords in e-mail, except if it's a training event,
oh and didn't I hear from somebody down the hall they'd do it if they lost the
password database and had to rebuild it, just like this e-mail says they're
doing, and 2 or 3 other cases they'd do it even though they usually don't..."