Educause Security Discussion mailing list archives

Re: Phishing E-mail Procedures


From: Robert Meyers <remeyers () MAIL WVU EDU>
Date: Thu, 26 Jan 2012 11:34:26 -0500

I groaned and rummaged through my basement looking for my old fishing hip waders when this task landed on me. 
All poor puns intended!
Thanks to all for your input.

Bob

Robert E. Meyers, Ms.Ed.
Educational Program Manager
Office of Information Security
West Virginia University
office: (304) 293-8502
remeyers () mail wvu edu


On Thursday, January 26, 2012 at 11:31 AM, Jesse Thompson <jesse.thompson () DOIT WISC EDU> wrote:

It depends entirely on what you plan to do with the phishing emails once 
users have submitted them to you.  For example:

1) Forward them to your anti-spam vendor so that they can improve their 
detection.  Your vendor probably already has an automated process for 
this, so there's little need for your security group to be a middleman 
(costly and adds a delay).  So, you should automate this if you can.

2) If the phish is the type that asks users to reply via email with 
their credentials, then you can take action by scanning outbound email 
logs to see if users are replying to the scams.  Better yet, add the 
reply address to the APER list 
(https://code.google.com/p/anti-phishing-email-reply/) and use the full 
APER list for outbound mail log scanning.

3) If the phish is a link to a web form, then you can try to get the 
form shut down, etc.

4) You can monitor trends.  Is your anti-spam vendor not catching 
enough?  Get on the phone and complain loudly.  Are your users not 
realizing the messages are scams?  Improve your mitigation process by 
modifying the subject/body of the scams, for example.  Are your users 
too gullible?  Start educating them.  Etc.

Also, keep in mind that users don't know how to distinguish phishing 
targeted at your edu resources from phishing targeted at personal 
resources (such as banks). So you'll be wading through a bunch of 
submissions that are out of your purview.

Jesse
(Wisconsin-Madison)

On 1/26/12 10:03 AM, Robert Meyers wrote:
I have been tasked with writing guidelines and procedures for an
official process on how to handle inbound phishing and/or otherwise
malicious e-mail. The bottom line is we will be asking our users to
forward all such e-mail to a central account where we will check it for
any further action. Does anyone in the group have a similar process they
could share? I'm in favor of continuing to tell users to delete the
e-mails and go on about their business, but the task is on my desk.
Thanks
Bob
Robert E. Meyers, Ms.Ed.
Educational Program Manager
Office of Information Security
West Virginia University
office: (304) 293-8502
remeyers () mail wvu edu
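Jesse's second point (scan outbound mail logs for users replying to credential-phishing reply addresses, using a list such as APER) is the one step in the thread that lends itself to automation. The script below is an added example, not something posted by either participant or taken from the APER project. It assumes a reply-address list in a simplified form (one address per line, '#' comments allowed; the real APER file format may differ) and outbound log lines in a Postfix-like "from=<...>, to=<...>" layout. The list and the log lines are constructed sample data with hypothetical addresses.

```python
"""Scan outbound mail log lines for replies sent to known phishing reply addresses.

Assumptions (not from the thread): the reply-address list is plain text with
one address per line ('#' comments allowed), and outbound log lines carry
'from=<addr>' and 'to=<addr>' fields in a Postfix-like format. The list and
the log lines below are constructed sample data, not real log extracts.
"""
import re
from typing import Iterable, List, NamedTuple, Set

# Constructed sample of a reply-address list (hypothetical addresses).
SAMPLE_REPLY_LIST = """\
# lines starting with '#' are comments
helpdesk.verify@example.net
Account-Update@EXAMPLE.ORG
webmail-admin@example.com
"""

# Constructed sample outbound mail log lines (Postfix-like, hypothetical users).
SAMPLE_LOG_LINES = [
    "Jan 26 10:05:12 mx1 postfix/smtp[4211]: 3F2A1: from=<alice@campus.example.edu>, to=<bob@campus.example.edu>, status=sent",
    "Jan 26 10:07:45 mx1 postfix/smtp[4212]: 3F2A2: from=<carol@campus.example.edu>, to=<helpdesk.verify@example.net>, status=sent",
    "Jan 26 10:09:01 mx1 postfix/smtp[4213]: 3F2A3: from=<dave@campus.example.edu>, to=<account-update@example.org>, status=sent",
    "Jan 26 10:11:30 mx1 postfix/smtp[4214]: 3F2A4: from=<erin@campus.example.edu>, to=<friend@example.com>, status=sent",
]

FROM_RE = re.compile(r"from=<([^>]*)>")
TO_RE = re.compile(r"to=<([^>]*)>")
QUEUE_RE = re.compile(r": ([0-9A-F]+): from=")


class Hit(NamedTuple):
    """One outbound message whose recipient is a known phishing reply address."""
    queue_id: str
    sender: str
    recipient: str
    raw: str


def load_reply_addresses(text: str) -> Set[str]:
    """Parse the list into lower-cased addresses, skipping blanks and comments.

    Addresses are lower-cased so that case differences in the list or the
    log (e.g. 'Account-Update@EXAMPLE.ORG') cannot hide a match.
    """
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addrs.add(line.lower())
    return addrs


def scan_outbound_log(lines: Iterable[str], reply_addresses: Set[str]) -> List[Hit]:
    """Return one Hit per outbound message addressed to a listed reply address."""
    hits = []
    for raw in lines:
        to_m = TO_RE.search(raw)
        if not to_m:
            continue  # not a delivery record we understand; skip it
        recipient = to_m.group(1).strip().lower()
        if recipient not in reply_addresses:
            continue
        from_m = FROM_RE.search(raw)
        q_m = QUEUE_RE.search(raw)
        hits.append(Hit(
            queue_id=q_m.group(1) if q_m else "",
            sender=from_m.group(1).strip().lower() if from_m else "",
            recipient=recipient,
            raw=raw,
        ))
    return hits


def senders_to_contact(hits: List[Hit]) -> List[str]:
    """Distinct local senders who replied; these accounts need a password reset."""
    return sorted({h.sender for h in hits if h.sender})


if __name__ == "__main__":
    addrs = load_reply_addresses(SAMPLE_REPLY_LIST)
    found = scan_outbound_log(SAMPLE_LOG_LINES, addrs)
    for h in found:
        print(f"{h.queue_id}: {h.sender} -> {h.recipient}")
    print("accounts to contact:", senders_to_contact(found))
```

In practice the list would be refreshed from the APER project on a schedule and the scan run against the day's outbound log; the list of senders it produces is the set of accounts to contact and reset, which is the action the thread is after.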
