Educause Security Discussion mailing list archives

Re: Phishing stats


From: Matthew Wollenweber <mjw () CYBERWART COM>
Date: Tue, 29 Sep 2009 22:42:27 -0400

I'm new to the academic scene, but having been a consultant --
primarily a pen tester -- we often had 60% success rates during phishing
exercises. Results generally started coming back within 15 minutes.
Filters occasionally caused problems, but that just meant we tweaked
a little.  I can't recall a phishing campaign that ever failed to
enable some level of access.

The best advice is to assume you have many users compromised by
phishing fairly regularly. With that assumption try to build security
mechanisms to respond to and mitigate the damage.

On Tue, Sep 29, 2009 at 10:32 PM, Pete Hickey <pete () shadows uottawa ca> wrote:
On Tue, Sep 29, 2009 at 10:15:55PM -0400, Joel Rosenblatt wrote:
Hi Todd,

I think that you may get better results by asking if there are any
universities on this list that have NOT been successfully hit by phishing
attempts.

My guess would be that those do not get any email :-)

Phew!  I was worried that maybe we were the only one....

FWIW, at our place, we find that those being fooled.....
3 out of 5 are profs... 1 out of 5 staff, and 1 out of 5
students...  In spite of the fact that we have something like
10 times as many students as the others combined.

--
Pete Hickey                          Fudds Law:
The University of Ottawa             If you push something
Ottawa, Ontario                      hard enough
Canada                               It will fall over.




-- 
Matthew Wollenweber
mjw () cyberwart com
240-753-0281
