Educause Security Discussion mailing list archives

Re: Phishing and Security Awareness Training - Faculty


From: "Sburlea, Stefan" <sburlea () CHAPMAN EDU>
Date: Thu, 14 Apr 2016 16:56:33 +0000

That is how phishing works.



Best Regards,

Stefan Sburlea

Chapman University, IS&T
Information Security Specialist
sburlea () chapman edu
Desk Phone: 714-744-7802
Chapman University | One University Drive | Orange, California 92866
UNIVERSITY STAFF WILL NEVER ASK FOR YOUR PASSWORD - DO NOT SHARE YOUR PASSWORD WITH OTHERS!

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Manjak, Martin
Sent: Thursday, April 14, 2016 5:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing and Security Awareness Training - Faculty

Precisely. For some subset of the recipient population, the phish is going to align with a circumstance in their lives 
at that moment that will make it exponentially more credible.

Marty Manjak
ISO
University at Albany
Sent from my iPhone

On Apr 13, 2016, at 16:55, Bob Bayn <bob.bayn () USU EDU> wrote:

Paul Chauvet <chauvetp () NEWPALTZ EDU> reports mild defensive reactions to phishing training including:

  Mild defensive reactions "I only fell for this because I was expecting a message from Human Resources" (or IT, or 
Payroll, or whatever department we used as the 'from' for internal phishing), or "I only fell for it because I'm so 
busy" or "You got me because I didn't have my coffee yet"



I'd say that's the likely explanation set for people who fall for REAL phish messages, too.



Even though we still refer to the "gullible...skeptical...paranoid" continuum in our training, most victims of real 
phish are not actually gullible but are either multi-tasking and not giving the threat enough attention to recognize it 
or the phishing "story" happens to coincide with what is happening in the recipient's life at the moment.  Spamming 
phishers can afford to use a specific story that only rings true with a few of their recipients, because it doesn't 
cost them anything to not fool the others.




Bob Bayn      SER 301      (435)797-2396    IT Security Team
Office of Information Technology,         Utah State University

    Report any suspicious message by forwarding it as an
    attachment (ctrl-alt-F in Outlook) to phish () usu edu.
    The attachment format preserves hidden delivery header
    information that is helpful for reporting or blocking.

    Do you know the "Skeptical Hover Technique" and
    how to tell where a web link really goes?  See:
    
    https://it.usu.edu/computer-security/computer-security-threats/articleID=23737
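The two points in the signature above, that a message forwarded as an attachment keeps its delivery headers and that a link should be judged by where it really goes rather than by the text it displays, can be demonstrated on a reported message. The script below is an added example, not code from this thread or from USU: it parses the raw message an analyst would find inside the forwarded attachment, pulls out Return-Path, the Received chain and Authentication-Results, compares the envelope sender's domain with the From header's domain, and lists every anchor whose visible text is a URL on one host while its href points at another. The sample message, its hostnames, addresses and IPs are constructed for illustration.

```python
# Added example (not part of the original thread): triage a phishing report that was
# forwarded as an attachment, using only the Python standard library.
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (all names, addresses and IPs are made up for illustration).
SAMPLE_EML = b"""Return-Path: <bounce-4412@mailer.example-bulk.test>
Received: from mailer.example-bulk.test (mailer.example-bulk.test [203.0.113.7])
\tby mx.university.example (Postfix) with ESMTPS id 7F3A1C0
\tfor <bob@university.example>; Wed, 13 Apr 2016 09:12:01 -0600 (MDT)
Received: from [198.51.100.22] (unknown [198.51.100.22])
\tby mailer.example-bulk.test with ESMTPA id 55a1
\tfor <bob@university.example>; Wed, 13 Apr 2016 09:11:58 -0600
Authentication-Results: mx.university.example; spf=fail smtp.mailfrom=example-bulk.test;
\tdkim=none; dmarc=fail header.from=university.example
From: "Human Resources" <hr@university.example>
To: bob@university.example
Subject: Action required: updated W-2 form
Date: Wed, 13 Apr 2016 09:11:50 -0600
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review your W-2 at
<a href="http://university-example.payroll-update.test/login">https://hr.university.example/w2</a>
before Friday.</p>
<p>Questions? Visit <a href="https://hr.university.example/help">our help page</a>.</p>
</body></html>
"""

# Visible link text that itself looks like a URL; group 1 is the host the reader sees.
URL_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:?#]|$)")


def parse_message(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def delivery_headers(msg: EmailMessage) -> dict:
    """Headers an inline forward drops but an attached .eml keeps; whitespace is unfolded."""
    return {
        "return_path": str(msg.get("Return-Path", "")),
        "from": str(msg.get("From", "")),
        # Received headers appear newest-first: the top entry is the hop into our own MX.
        "received": [" ".join(str(h).split()) for h in msg.get_all("Received", [])],
        "authentication_results": " ".join(str(msg.get("Authentication-Results", "")).split()),
    }


def _domain(addr_header: str) -> str:
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()


def sender_domains_differ(msg: EmailMessage) -> bool:
    """True when the envelope sender (Return-Path) and the From header use different domains."""
    return _domain(str(msg.get("Return-Path", ""))) != _domain(str(msg.get("From", "")))


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def links_with_targets(msg: EmailMessage) -> list:
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    return collector.links


def suspicious_links(msg: EmailMessage) -> list:
    """The 'hover' check done programmatically: displayed URL host != real href host."""
    out = []
    for text, href in links_with_targets(msg):
        m = URL_LIKE.match(text)
        if not m:
            continue  # visible text is prose ("our help page"), nothing to compare
        if m.group(1).lower() != (urlparse(href).hostname or "").lower():
            out.append((text, href))
    return out


if __name__ == "__main__":
    message = parse_message(SAMPLE_EML)
    for hop in delivery_headers(message)["received"]:
        print("hop:", hop)
    print("envelope/From domains differ:", sender_domains_differ(message))
    for shown, real in suspicious_links(message):
        print(f"link shows {shown!r} but goes to {real!r}")
```

The Received chain is what a blocklist or abuse report needs (the sending host and IP at each hop), and it exists only in the original headers; an inline forward rewrites the message with the reporter's own headers. The link check mirrors the hover technique: it ignores anchors whose text is ordinary prose and flags only those that display one host while linking to another.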


________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Paul Chauvet <chauvetp () NEWPALTZ EDU>
Sent: Wednesday, April 13, 2016 2:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing and Security Awareness Training - Faculty


Hi Stefan,



We've been doing phishing simulations of one form or another for 3-4 years now.  They have been extremely effective and 
very well received.  It has been extremely rare that we have had negative reactions to it.



Those reactions have been primarily:

*         Mild defensive reactions "I only fell for this because I was expecting a message from Human Resources" (or 
IT, or Payroll, or whatever department we used as the 'from' for internal phishing), or "I only fell for it because I'm 
so busy" or "You got me because I didn't have my coffee yet"

....[snip]
