Educause Security Discussion mailing list archives

Re: Phishing your users


From: Daniel Robert Adinolfi <dra1 () CORNELL EDU>
Date: Wed, 18 Feb 2015 15:24:55 +0000

On Feb 18, 2015, at 10:06 AM, "Hillhouse, Bob (Bob)" <bob () UTK EDU> wrote:

> We are interested in this as well. I’ve considered a “Phish-Bowl” website where I post real examples of phishing 
> emails that we’ve received as well as images of some of the standard bank or delivery service emails. It is one of 
> the most prevalent forms of unintentional insider misuse we see.

In addition to a "Phish Bowl", consider also having a site that lists verified communications from your administration, 
HR, etc.  (This site should be locked down to your community, so the bad guys don't use the samples there for more 
sophisticated spear phishing.)  We have such a site so people can check on an official-looking message before reporting 
it (erroneously) as a phish.  The hard part is training your administrators to send messages to your office ahead of 
time to add legit messages before they get sent.

(Once these two components are in place, the truly hardest part is training folks to check those sites before 
inundating your support email queues with "I saw this phish and I wanted to share it with you and I tried to send it 
but your mail system blocked it so how can I report this phish if you won't let it get sent".)

-Dan


_______________________
Daniel Adinolfi, CISSP
Senior Security Engineer, IT Security Office
Cornell University - Office of the CIO
email: dra1 () cornell edu  phone: 607-255-7657

