Educause Security Discussion mailing list archives

Re: attempts sending fake phishing messages to students and/or employees


From: Bob Bayn <bob.bayn () USU EDU>
Date: Mon, 7 Jun 2010 19:37:26 -0600

Don Miller asked:
Has anyone attempted, or thought about, sending fake phishing messages
to your students and/or employees?

Valdis Kletnieks replied:
If your message is "We will never ask you for your password", this is a
*really* bad idea because it confuses your users and shoots your credibility.

We usually just wait for a real phish to get reported, then block the address
outbound and trap any attempts to reach it.  Anybody who tries it gets
targeted for re-education.

We toyed with this notion, but the decision was made by our state board of
trustees who sent a security audit team that conducted a fake phish as one
of their activities.

They phished about 750 addresses, as I recall, and it only took 20 minutes for
the first inquiries to hit our helpdesk and begin an active discussion on our
campus-wide tech support staff list.  It also caused some long-lasting strains
in relations between central IT (innocent bystanders in the decision) and parking
services (target of the phish).

Meanwhile, as Valdis describes, real phishers give us the opportunity, once
detected, to identify and contact recipients, send an explanatory warning, and
install a DNS redirect of the host webserver or block the outbound address.

That approach is only unsatisfying (to me) in a few ways:
1) Our response is triggered after a suspicious recipient reports the phish to us.
This step usually happens within a few hours of delivery of the phish messages,
so some recipients may have already "bitten".

2) The detected recipient list seems to always be more or less the same subset
of users who have been on the 'net a while, so our follow-up education only goes
to that subset.  Some phishes may be going to a whole different subset of our
users.

3) We can only block replies and website accesses from recipients who are on
our network or using our SMTP services.  At-home users and distance ed users
can be harder to "protect" and identify.

4) Email for our whole student population has been outsourced to Gmail, so we
are unable to identify phish recipients in that major part of our population.

If we controlled a fake phish exercise, we could overcome many of those problems,
but the credibility damage is an obvious deterrent for us.


Bob Bayn        (435)797-2396      Security Team coordinator
        “The pain of the exploit is worse than
          the pain of the patch.” -Publilius Syrus
Office of Information Technology   at  Utah State University
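The response Bob describes (once a phish is reported, find who received it, warn them, block the outbound reply address and redirect the phish host) can be scripted against mail logs. The following is an added example, not code from the thread or from USU: the log lines imitate Postfix qmgr/delivery records and are constructed, and the Postfix access-map and BIND RPZ output formats are assumptions about the responder's stack.

```python
"""Triage a reported phish against mail logs: who received it, then the
outbound-reply block and DNS redirect the responder installs.
Added example, not from the thread. Log lines imitate Postfix and are
constructed; the access-map and RPZ formats are assumed, not the list's."""
import re

# Constructed sample: phish 7A1B2 delivered to three users (one forwarded
# offsite), plus an unrelated legitimate message that must not be flagged.
SAMPLE_LOG = """\
Jun  7 09:01:10 mx1 postfix/qmgr[210]: 7A1B2: from=<parking-notice@example-phish.test>, size=2310, nrcpt=3 (queue active)
Jun  7 09:01:11 mx1 postfix/local[220]: 7A1B2: to=<alice@example.edu>, relay=local, status=sent (delivered to mailbox)
Jun  7 09:01:11 mx1 postfix/local[221]: 7A1B2: to=<bob@example.edu>, relay=local, status=sent (delivered to mailbox)
Jun  7 09:01:12 mx1 postfix/smtp[230]: 7A1B2: to=<carol@example.edu>, relay=gmail-smtp-in.l.google.com[10.0.0.5]:25, status=sent (250 OK)
Jun  7 09:05:00 mx1 postfix/qmgr[210]: 9C3D4: from=<registrar@example.edu>, size=800, nrcpt=1 (queue active)
Jun  7 09:05:01 mx1 postfix/local[222]: 9C3D4: to=<alice@example.edu>, relay=local, status=sent (delivered to mailbox)
"""

FROM_RE = re.compile(r" (\w+): from=<([^>]*)>")
TO_RE = re.compile(r" (\w+): to=<([^>]+)>.*relay=([^,\[]+).*status=(\w+)")

def recipients_of(log_text, reported_sender):
    """Map each user who received the phish to the relay that delivered it.
    Queue IDs whose envelope sender is the reported address are collected
    first; only status=sent 'to=' lines for those IDs count, so a legitimate
    message to the same user is never flagged. The relay shows whether the
    copy stayed local or went to an outsourced (e.g. Gmail) mailbox."""
    phish_ids, hits = set(), {}
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m and m.group(2).lower() == reported_sender.lower():
            phish_ids.add(m.group(1))
            continue
        m = TO_RE.search(line)
        if m and m.group(1) in phish_ids and m.group(4) == "sent":
            hits[m.group(2).lower()] = m.group(3)
    return hits

def response_actions(reply_to, phish_host, recipients):
    """Defensive artifacts (assumed formats): a Postfix access entry refusing
    outbound mail to the phisher's reply address, an RPZ record redirecting
    the phish host to a local warning page, and the warning list."""
    return {
        "access_map": f"{reply_to} REJECT Replying to a reported phishing address",
        "rpz_record": f"{phish_host} CNAME phish-warning.example.edu.",
        "warn": sorted(recipients),
    }

if __name__ == "__main__":
    got = recipients_of(SAMPLE_LOG, "parking-notice@example-phish.test")
    print(response_actions("parking-notice@example-phish.test", "example-phish.test", got))
```

Recipients whose copy was relayed offsite are exactly the ones point 4 above says cannot be protected by local blocks, so the relay column is what decides who gets a warning email rather than a network control.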