Educause Security Discussion mailing list archives

Re: Self-Phishing - show of hands


From: Eric Weakland <eric () AMERICAN EDU>
Date: Thu, 11 Feb 2016 11:06:29 -0500

Thank you Kevin!

Eric



From:   "Kevin P. Sale" <Kevin.Sale () KAUST EDU SA>
To:     SECURITY () LISTSERV EDUCAUSE EDU, 
Date:   02/11/2016 10:51 AM
Subject:        Re: [SECURITY] Self-Phishing - show of hands
Sent by:        The EDUCAUSE Security Constituent Group Listserv 
<SECURITY () LISTSERV EDUCAUSE EDU>



We phish our entire organization on a rolling schedule of click only, 
attachment and credential submission emails every 6-9 months. We also 
phish all new starters. 
The program has been running for just over 2 years now. 
We're using PhishMe and we are very happy with it. 

We have found it a very effective awareness tool, with some of our top 
leadership being both the most susceptible to our tests and then the most 
supportive. 

Work with HR and Legal when planning the program to make sure you don't 
upset anyone too much and to also provide you some cover when inevitably 
you catch a whale and they start complaining. 

Kevin Sale. 
 

Sent from mobile device. Please excuse the brevity and any spelling 
mistakes.

_____________________________
From: Eric Weakland <eric () american edu>
Sent: Thursday, February 11, 2016 6:38 PM
Subject: [SECURITY] Self-Phishing - show of hands
To: <security () listserv educause edu>


Greetings, 

I'm working on a publication on self-phishing for HEISC and preparing to 
leverage our self-phishing service (SANS) in the coming year.  I am trying 
to develop a list of universities who are doing "self-phishing". 

If your institution is self-phishing your community - would you mind 
dropping me a note with the following items? 

Who are you phishing? (Select groups, All Staff, All Faculty, All 
Students, everyone etc.) 
What are you using? (Vendor, custom or open source and the name of the 
vendor or project.) 
How long have you been phishing your customers? 

Thanks everyone! 

Regards, 

Eric Weakland, CISSP, CISM, CRISC
Director, Information Security
Office of Information Technology 
American University
eric at american.edu
202.885.2241

_____________________________________________
Emails from IT asking you to log in with a link are scams! 



