Educause Security Discussion mailing list archives

Re: Self-Phishing - Pre Launch Messages


From: Rob Milman <rob.milman () SAIT CA>
Date: Tue, 15 Nov 2016 12:22:18 -0700

Hi James,

We have just started our phishing campaign for this year. We use SANS STH Phishing to conduct the campaign. They 
strongly advised that we send a pre-launch message, which I’ve included for you below. Our CIO also informed our 
management team about the campaign. Overall the response has been positive.

“As you know, we take information security extremely seriously. Starting next month we will be kicking off phishing 
assessments. A phishing assessment is nothing more than when we send out an email pretending to be a hacker; these are 
the very same email attacks that the bad guys are sending. The only difference is that these emails will not harm you in any 
way; they are only designed to measure behaviors and help you learn how to identify these scams and protect yourself. A 
couple of key points:

 *   We will be sending out these emails once a month, on a random day and time. Each month will be different.
 *   If you fall victim to one of these phishing emails you will be notified immediately. However, your name is not 
reported to management or anyone on the security team, and it will not impact you in any way. This training is designed to 
help you learn.
 *   Twenty-four hours after each assessment we will send an email out to everyone explaining the attack and how you 
could have figured out the email was a scam or attack.

If you have any questions about this program or suggestions on how to improve it, please contact (insert your name 
here). He is responsible for the (insert Institution name here) security awareness program and will be happy to hear from 
you.”

Thanks,

Rob

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of James Farr
Sent: Tuesday, November 15, 2016 9:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Self-Phishing - Pre Launch Messages


We are exploring self-phishing options with our faculty, staff and possibly students. We want to provide notification 
to the users about the program before we send any actual phishing messages. We are thinking that notifications should 
be mentioned at orientation with an annual email reminder.

How often do you notify your users about the self-phishing program?

Can anyone share examples of campus notifications sent out prior to implementing this type of program?

James Farr ’05 G’12

Director of Information Security

Utica College

jfarr () utica edu

315-223-2386
