Educause Security Discussion mailing list archives

Re: Response to phishing e-mails


From: Robert Meyers <REMeyers () MAIL WVU EDU>
Date: Tue, 28 Oct 2014 21:05:32 +0000

Some people refuse to change. They are too invested in bad decision making to even consider any other possibility.


Bob Meyers
remeyers () mail wvu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas 
Carter
Sent: Tuesday, October 28, 2014 4:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Response to phishing e-mails

How has the response to this been? Our problem is those most likely to respond to a phishing attempt will do it before 
we can do anything about it. They’re also not likely to check against a list of phishing attempts. 99% of our problem 
is students; we require a one-on-one sit-down security talk with students if we’ve found that they have responded. Yet 
we’ve even had repeat offenders. I (only half jokingly) suggest that the 3rd offence should involve removing all 
computer privileges and handing them a yellow legal pad and a pen as that is all they can be trusted with.

Thomas Carter
Network and Operations Manager
Austin College
903-813-2564


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Garmon, 
Joel
Sent: Monday, October 27, 2014 3:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Response to phishing e-mails

We respond very similarly to the DNS redirect and other technical means.  We also have an iframe on several of our main 
web pages such as win.wfu.edu where we post recent phishing attempts so everyone can go there and 
check to see if it is phishing and whether it has been reported.

[https://webmail.wfu.edu/cotd/cotd-images/mean-fish.png]Phishing Catch of the Day


Thank you,

Joel Garmon
Director Information Security
Wake Forest University
336-758-2972

On Mon, Oct 27, 2014 at 2:57 PM, Joel Anderson <joela () umn edu> wrote:
We absolutely encourage these reports - we even have a special email "phishing () umn edu" 
to receive the messages. This puts them in a special queue *and* gets a custom reply thanking and telling them how to 
give message headers (in case they didn't). We block email replies, divert DNS to form pages as well as thanking the 
informants. In addition, we seed information into forms to discover where attackers are coming from if (when!) they are 
successful. I just put out a SANS paper on this process.

--
   ---------------------------------------------------
   joel anderson * joela () umn edu *  @joelpetera
   -->  612-625-7389  --> pager: 612-648-6823
   Security Coordinator
   University Information Security - University of Minnesota
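
The practice mentioned in the thread of seeding information into phishing forms to learn where attackers come from, sketched as an added example (not code from the thread or from the SANS paper it mentions). It assumes the seeded information is a set of canary usernames and that authentication logs look like the constructed sample; the usernames, addresses and log format are all hypothetical.

```python
import re
from collections import defaultdict

# Constructed canary usernames: they exist only because defenders typed them
# into a phishing form, so no legitimate user ever logs in as these.
CANARIES = {"jdoe-canary1", "asmith-canary2"}

# Constructed sample log lines in an assumed format (not from the thread).
SAMPLE_LOG = """\
2014-10-27T15:02:11Z auth result=FAIL user=jdoe-canary1 src=203.0.113.45
2014-10-27T15:02:40Z auth result=OK user=student42 src=203.0.113.45
2014-10-27T15:03:05Z auth result=OK user=staff7 src=198.51.100.9
2014-10-27T15:09:52Z auth result=FAIL user=asmith-canary2 src=203.0.113.77
2014-10-27T15:10:30Z auth result=OK user=student99 src=203.0.113.77
2014-10-27T15:11:00Z auth result=FAIL user=student42 src=192.0.2.10
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^\S+ auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(log_text):
    """Yield one dict per line in the assumed format; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def analyze(log_text, canaries=CANARIES):
    """Return (sources, exposed) as plain dicts of sets."""
    events = list(parse(log_text))
    sources = defaultdict(set)   # src IP -> canary usernames tried from it
    for e in events:
        if e["user"].lower() in canaries:
            sources[e["src"]].add(e["user"].lower())
    exposed = defaultdict(set)   # real user -> attacker IPs that logged in OK
    for e in events:
        real = e["user"].lower() not in canaries
        if real and e["result"] == "OK" and e["src"] in sources:
            exposed[e["user"]].add(e["src"])
    return dict(sources), dict(exposed)

if __name__ == "__main__":
    srcs, exposed = analyze(SAMPLE_LOG)
    for src, names in sorted(srcs.items()):
        print(f"canary login from {src}: {sorted(names)}")
    for user, ips in sorted(exposed.items()):
        print(f"reset and review {user}: successful login from {sorted(ips)}")
```

Any source address that presents a canary username has, by construction, obtained it from the phishing form, so real accounts with successful logins from the same address are the ones to reset first.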

