Educause Security Discussion mailing list archives

Re: Phishing Links


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Wed, 7 Jul 2010 11:24:08 -0700

 Don't be discouraged! Awareness is very challenging, but it can be effective as an ongoing effort without any silver bullets.

 The University of Wisconsin recently created some very clever ads that we think do a good job of directly addressing phishing. We are pretty excited about them, and plan on distributing a version of them in the coming weeks:
   http://www.cio.wisc.edu/security/awareness/09campaign.aspx

 Every little effort helps! :)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security Office
Pima Community College
Office: 520-206-4873
~~~~~~~~~~~~~~~~~~~~~~~~~~~~


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Pete Hickey
Sent: Wednesday, July 07, 2010 11:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing Links

I gave up.  You can't fight it.  The worst here was a time we...
because of a possible 'incident'... we wanted everyone to change a password
(legacy... we can't force change passwords on that
system)  The PR people actually wanted to send out an email saying due to
xxxxx we are requiring everyone to change passwords.  Click here to change
yours.

Yeah!

When the 'make it easy for the user at all costs' mindset is around, it's a
tough fight.  (I did win that one by putting their message alongside a phishing
one).  More abstract than that just would not work.


On Wed, Jul 07, 2010 at 02:05:41PM -0400, James Farr '05 wrote:
It is hard to educate some users on the difference between legitimate
and phony web links in email, and it is easy enough to fake a website.
For that reason I would like to propose that no official college
communication is sent with an active link in it.

Problems,

Some clients while trying to be helpful make links clickable that I do
not want clickable.

Links can be inserted as a picture, but not all clients show pictures
by default.

We can give directions to a website, in order to check your mail go to
our homepage, click on login and select webmail, but some users
cannot/will not follow those instructions.



Would this solution cause more harm than good?



What are your thoughts/rules?



IITS will never ask you for your password.  Never email your password
to anyone.



James Farr
Information Security Officer
Instructional Technologist
Utica College
jfarr () utica edu
315-223-2386






--
Pete Hickey
The University of Ottawa            "Everyone knows someone
Ottawa, Ontario                      who knows someone else"
Canada

