Educause Security Discussion mailing list archives

Re: phishing irony


From: Zach Jansen <zjanse20 () CALVIN EDU>
Date: Fri, 13 Feb 2009 11:42:06 -0500

We did this a few months ago in an attempt to reach a broader group of people in our anti-phishing education efforts. 
Like most of you we've put up posters, sent emails both direct and broadcast, etc., in an attempt to educate folks about 
the need to keep their institutional passwords to themselves. The only education method I found relatively (and 
measurably) effective was emailing people who had fallen for attacks. Most people didn't fall for an attack twice after 
I pointed out to them what they had done. Nicely of course. Sending out a fake phishing attack was a natural next step 
in educating folks about phishing as we could educate those likely to fall for attacks before the attackers did. We did 
it as part of Cyber Security Awareness month after sending out the usual forms of education about phishing and password 
sharing just to make sure everyone had a chance to be educated on their own before we sent out the email.  

The hardest part of the whole exercise was getting buy in. What made it easier to get buy in was pointing out that 
there was nothing in the exercise that wasn't already being done to our users on a regular basis by phishers. What we 
did was very similar to the phishing emails educational institutions have been getting for the last year or so. 

The fake phishing email itself was pretty easy to set up. I used a non-edu domain to set up a web page which looked like 
one of our login pages and sent an email to our users "from" an entity on our campus (forged, just like the phishing 
emails we've been getting). The email contained a good sampling of the kinds of grammatical and spelling errors 
frequently seen in phishing emails. The web page redirected to an educational page explaining what had happened, and 
had a nice graphic from our anti-phishing training and a summary of what the signs were that the email was a phishing 
attack. We kept statistics of the number of people who responded and were able to develop some demographic data as well, 
which was very interesting. We made no effort to single out any of the "victims" for further education; we figured the 
web page would be enough and didn't want to rub in the victim feeling. I think that's important.

The issue of trust with respect to this exercise has been discussed quite a bit, with those choosing not to implement 
this kind of exercise generally stating that they chose not to because they were afraid of losing trust with their 
users. Statements such as "IT will never ask you for your password" are thrown around. However, I suggest that 
statement is not true. "IT SHOULD never ask you for your password" is more correct and "You should never share your 
password" is correct. Training efforts should be training our staff/students/faculty on how to react appropriately to 
situations that may arise in the real world. In an ideal world nobody (not even IT attempting a legitimate support 
function) will ever ask for someone else's password; in reality it happens all the time. We chose to train people here 
on how to react to real world situations, such as someone asking for their password.

That said, you have to evaluate for your own institution whether this is an effective exercise. Maybe your 
faculty/staff/students will be so deeply offended it will prevent you from being effective in other areas. There may be 
cultural reasons for that, but we didn't run into that here. Having done the exercise I can understand not wanting to 
do it at another institution. It may not be appropriate or necessary there. However, I have been pleased with the 
results here and hope it will be proven an effective method for training on phishing. 

I can't say whether this has improved phishing education here as I don't have any hard data to show improvement. 

These appear to be relevant companies selling this kind of training as a service, though I don't have experience with 
the companies. The Wombat Security folks appear to be a spin-off from the Anti-Phishing Phil group. 

http://www.phishme.com/
http://wombatsecurity.com


Zach

-- 

Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550

On 2/12/2009 at 10:45 AM, in message <012501c98d28$e345a3d0$a9d0eb70$@com>,
Ozzie Paez <ozpaez () SPRYNET COM> wrote:
One of the more useful and interesting approaches to awareness and training
that I have seen involved a company that would come into the organization
and create a fake web site that looked similar to the real one.  They would
then send out phishing messages to the 'target' population and track the
response.  When someone used the fake link to log on, they would get a
message telling them in a nice, funny, serious (pick your style) way that
they 'got phished'; the message would explain the implications, policies and
provide a training link.  The statistics from the program would then be
provided to the client so that they could track how well their users were
doing in avoiding phishing attacks.  While I could not independently verify
it, they claimed that the approach improved the effectiveness of security
training in this area by over 85%.  Anyway, this sounds like a fairly simple
and low cost method to assess how well users are doing avoiding phishing
attacks and for measuring training performance.  My guess is that it could
also be done in-house without much effort.

Ozzie Paez
SSE/CISSP
SAIC
303-332-5363