Educause Security Discussion mailing list archives

Re: phishing irony


From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Fri, 13 Feb 2009 08:47:27 -0700

Hey Pat,
I am pretty sure that this is the company.  I believe that they were either
called something different or spun out of a different security company.  I
remember their lead person saying that they were reorganizing that aspect of
what they did to make it easier for clients to get the service.
Ozzie Paez
SSE/CISSP
SAIC
303-332-5363

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Falcon, Patricia
Sent: Friday, February 13, 2009 8:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] phishing irony

This sounds like the company Phishme (http://phishme.com/), which
launched a service like this last summer.

Has anyone had any experience with their product or similar software?

Pat Falcon
IT Security Policy and Communication Coordinator
Computing and Information Services || Information Security Group
Brown University


-----Original Message-----
From: Ozzie Paez [mailto:ozpaez () SPRYNET COM]
Sent: Thursday, February 12, 2009 10:45 AM
Subject: Re: phishing irony

One of the more useful and interesting approaches to awareness and training
that I have seen involved a company that would come into the organization
and create a fake web site that looked similar to the real one.  They would
then send out phishing messages to the 'target' population and track the
response.  When someone used the fake link to log on, they would get a
message telling them in a nice, funny, serious (pick your style) way that
they 'got phished'; the message would explain the implications, policies and
provide a training link.  The statistics from the program would then be
provided to the client so that they could track how well their users were
doing in avoiding phishing attacks.  While I could not independently verify
it, they claimed that the approach improved the effectiveness of security
training in this area by over 85%.  Anyway, this sounds like a fairly simple
and low cost method to assess how well users are doing avoiding phishing
attacks and for measuring training performance.  My guess is that it could
also be done in-house without much effort.

Ozzie Paez
SSE/CISSP
SAIC
303-332-5363
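The reporting side of the exercise Ozzie describes, as an added example that is not part of this thread or of any vendor's product: given one event record per user action (a constructed sample is embedded below; the event shape, department names and user names are assumptions), it computes the per-department and overall click, credential-entry and report rates, the relative improvement between two rounds, and the list of users who clicked in every round and are candidates for follow-up training.

```python
"""Aggregate results of a phishing-awareness exercise into the statistics
a sponsor would want back: funnel counts, rates, round-over-round change,
and repeat clickers.  Example code added here, not from the thread."""
from collections import defaultdict

# Constructed sample events: (round, user, department, action).
# Actions form a funnel: "sent" -> "clicked" -> "submitted" (credentials
# entered on the training landing page); "reported" means the user
# forwarded the message to the security team instead.
EVENTS = [
    (1, "alice", "finance", "sent"), (1, "alice", "finance", "clicked"),
    (1, "alice", "finance", "submitted"),
    (1, "bob", "finance", "sent"), (1, "bob", "finance", "clicked"),
    (1, "carol", "library", "sent"), (1, "carol", "library", "reported"),
    (1, "dave", "library", "sent"),
    (2, "alice", "finance", "sent"), (2, "alice", "finance", "clicked"),
    (2, "bob", "finance", "sent"), (2, "bob", "finance", "reported"),
    (2, "carol", "library", "sent"), (2, "carol", "library", "reported"),
    (2, "dave", "library", "sent"),
]

FUNNEL = ("sent", "clicked", "submitted", "reported")


def summarize(events, round_id):
    """Per-department (plus "ALL") counts and rates for one round.

    Rates are per message sent, so a user who clicked twice still counts
    once: the exercise measures people, not page hits."""
    per_user = defaultdict(set)   # user -> set of distinct actions
    dept_of = {}
    for rnd, user, dept, action in events:
        if rnd != round_id:
            continue
        per_user[user].add(action)
        dept_of[user] = dept

    groups = defaultdict(list)
    for user, actions in per_user.items():
        groups[dept_of[user]].append(actions)
    groups["ALL"] = list(per_user.values())

    stats = {}
    for dept, action_sets in groups.items():
        sent = sum(1 for a in action_sets if "sent" in a)
        counts = {act: sum(1 for a in action_sets if act in a) for act in FUNNEL}
        rates = {act: (counts[act] / sent if sent else 0.0) for act in FUNNEL[1:]}
        stats[dept] = {"counts": counts, "rates": rates}
    return stats


def improvement(events, before, after, metric="clicked"):
    """Relative reduction of an overall rate between two rounds.

    0.5 means the rate halved; a negative value means it got worse."""
    r0 = summarize(events, before)["ALL"]["rates"][metric]
    r1 = summarize(events, after)["ALL"]["rates"][metric]
    if r0 == 0:
        return 0.0
    return (r0 - r1) / r0


def repeat_clickers(events, rounds):
    """Users who clicked in every listed round (targets for extra training)."""
    result = None
    for rnd in rounds:
        clicked = {u for r, u, _, a in events if r == rnd and a == "clicked"}
        result = clicked if result is None else result & clicked
    return sorted(result or [])


if __name__ == "__main__":
    for rnd in (1, 2):
        print(f"round {rnd}:", summarize(EVENTS, rnd)["ALL"])
    print("click-rate improvement:", improvement(EVENTS, 1, 2))
    print("repeat clickers:", repeat_clickers(EVENTS, (1, 2)))
```

Counting distinct users rather than raw requests matters for the headline number: a single curious user reloading the landing page would otherwise inflate the "click rate" the sponsor compares across rounds. The report rate is worth tracking alongside the click rate, since a rising share of users who forward the message is the clearest sign the training is working.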
