Educause Security Discussion mailing list archives

Re: Tips for using third party survey providers


From: Ruth Ginzberg <rginzberg () UWSA EDU>
Date: Thu, 15 Mar 2018 13:31:07 +0000

Don't forget to engage with your procurement department on this issue if you have 3rd parties (wellness programs,
insurance providers, United Way campaigns, etc.) who plan to send e-mails to your users telling them to click on a link
to view something at the 3rd party's website.

Your procurement department may be able to negotiate into the contracts of these 3rd parties the process you want them 
to follow with respect to e-mail notifications of things the provider wants your users to visit a website to view.


Ruth Ginzberg, CISSP, CTPS
Sr. I.T. Procurement Specialist
University of Wisconsin System
608-890-3961

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Laura Raderman
Sent: Thursday, March 15, 2018 8:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Tips for using third party survey providers

We *always* include a URL (not specifically linked where we can prevent it) to a trusted cmu.edu site (which site
depends on which department is sending the message) that includes an exact copy of the message, or as close as we can
get (for messages that have recipient-specific information).

Example: 

***To verify the authenticity of this message, visit https://www.cmu.edu/iso/news/ncsam-massmail.html ***

Note: Your mail reader may have converted the authenticity URL above to be a clickable link. Depending on your
device/mail reader, you can check the actual destination of a clickable link by hovering your mouse over the link,
"right-clicking" on the link, or tapping and holding the link.

———————

If we were sending from a 3rd party, the message would include a description of what the mail was, who sent it, why, 
etc.  We also encourage folks using such services to send to themselves first to make sure the message doesn’t 
sound/look too spammy.  We had one department (a large one on campus that many students, staff, and faculty interact 
with) send out a mail advertising “Win a free month of X” and we got *many* many spam reports about it (it was 
legitimate).


Laura Raderman
ISO Policy & Compliance Coordinator
Carnegie Mellon University
lraderman () cmu edu

On Mar 15, 2018, at 7:47 AM, Scott Stoops <sstoops () ASHLAND EDU> wrote:

We recently sent out an email to our students that contained links to a survey we wanted them to complete. The email
had several pieces of information, such as actual contact information, to validate that this was a legitimate email.
With an increased awareness of phishing, some of our students questioned the email and reported it as a possible
phishing attempt.

Like everyone, we are walking a sometimes fine line between encouraging people to not click on links from unexpected 
emails and still getting them to interact when an email is legitimate. What are folks doing either within the email 
communications themselves or in addition to the emails to indicate that these kinds of things are legitimate?

One suggestion we had was to include our logo in the email, but not all vendors will allow this.
--
Scott Stoops
Security Analyst II
Office of Information Technology | 100 Patterson Technology Center 
Ashland, OH 44805
(w) 419-289-5405
sstoops () ashland edu


