Educause Security Discussion mailing list archives

Re: Self-Phishing - Pre Launch Messages


From: James Farr <jfarr () UTICA EDU>
Date: Tue, 15 Nov 2016 16:45:04 -0500


I found Brad’s and other posts helpful during my preplanning
processes.  This is probably a good time to share the links again for
anyone else just getting started.



Thank you security list for your ideas, communications, and support.  If
all goes well I am on the home stretch.



James Farr ’05 G’12

Director of Information Security

Utica College

jfarr () utica edu

315-223-2386



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Valerie Vogel
*Sent:* Tuesday, November 15, 2016 2:36 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Self-Phishing - Pre Launch Messages



Greetings,

Here are two relevant resources developed by the community about phishing
simulation programs and campaigns:



A blog post by Brad Judy about “Phishing Your Users”:
https://er.educause.edu/blogs/2016/4/phishing-your-users



This document briefly explains the benefits and potential risks of
deploying a phishing simulation program, and also includes a list of
popular phishing simulation programs or tools to consider.
https://library.educause.edu/resources/2016/4/phishing-simulation-programs



Thank you,

Valerie





*Valerie Vogel* Program Manager, Cybersecurity

*EDUCAUSE*
*Uncommon Thinking for the Common Good*

direct: 202.331.5374 | main: 202.872.4200 | twitter: @HEISCouncil |
educause.edu <http://www.educause.edu/>



*From: *Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU> on
behalf of Eric Weakland <eric () american edu>
*Reply-To: *Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU>
*Date: *Tuesday, November 15, 2016 at 11:27 AM
*To: *Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU>
*Subject: *Re: [SECURITY] Self-Phishing - Pre Launch Messages



James,



We started out telling people exactly – down to the Date and exact time
when we would start the campaign.  Then just the day.  Then “latter half of
the week.”  Then “this week.”  Then “this month.”



Now we’re down to notifying that it would happen throughout the semester.
Notifying in Fall and after Winter break.  I think “boiling the frog” is a
good strategy here.  We haven’t had many complaints, but a word of advice –
be careful using some of the phishing templates that vendors have that use
a scare tactic saying “A hacker stole your password” – this prompted some
faculty anger when they fell for it and reset all their passwords and had
to deal with the pain of that.



Hope this helps,


Eric Weakland, CISSP, CISM, CRISC
Director, Information Security
Office of Information Technology
American University
eric at american.edu
202.885.2241

_____________________________________________
Emails from IT asking you to log in with a link are scams!





*From: *The EDUCAUSE Security Constituent Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> on behalf of James Farr <jfarr () UTICA EDU>
*Reply-To: *The EDUCAUSE Security Constituent Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU>
*Date: *Tuesday, November 15, 2016 at 11:19 AM
*To: *"SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
*Subject: *[SECURITY] Self-Phishing - Pre Launch Messages



We are exploring self-phishing options with our faculty, staff and possible
students.   We want to provide notification to the users about the program
before we send any actual phishing messages. We are thinking that
notifications should be mentioned at orientation with an annual email
reminder.

How often do you notify your users about the self-phishing program?

Can anyone share examples of campus notifications sent out prior to
implementing this type of program?

James Farr ’05 G’12

Director of Information Security

Utica College

jfarr () utica edu

315-223-2386
