Educause Security Discussion mailing list archives
Re: Tips for using third party survey providers
From: Ruth Ginzberg <rginzberg () UWSA EDU>
Date: Thu, 15 Mar 2018 13:31:07 +0000
Don't forget to engage with your procurement department on this issue if you have 3rd parties (wellness programs, insurance providers, United Way campaigns, etc.) who plan to send e-mails to your users telling them to click on a link to view something at the 3rd party's website. Your procurement department may be able to negotiate into the contracts of these 3rd parties the process you want them to follow with respect to e-mail notifications of things the provider wants your users to visit a website to view. Ruth Ginzberg, CISSP, CTPS Sr. I.T. Procurement Specialist University of Wisconsin System 608-890-3961 -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Laura Raderman Sent: Thursday, March 15, 2018 8:21 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Tips for using third party survey providers We *always* include a URL (not specifically linked where we can prevent it) to a trusted cmu.edu site (which site depends on which department is sending the message) that includes an exact copy of the message, or as close as we can get (for messages that have recipient specific information) Example: ***To verify the authenticity of this message, visit https://www.cmu.edu/iso/news/ncsam-massmail.html *** Note: Your mail reader may have converted the authenticity URL above to be a clickable link. Depending on your device/mail reader, you can check the actual destination of a clickable link by hovering your mouse over the link, "right-clicking" on the link, or tap and holding the link. ——————— If we were sending from a 3rd party, the message would include a description of what the mail was, who sent it, why, etc. We also encourage folks using such services to send to themselves first to make sure the message doesn’t sound/look too spammy. We had one department (a large one on campus that many students, staff, and faculty interact with) send out a mail advertising “Win a free month of X” and we got *many* many spam reports about it (it was legitimate). Laura Raderman ISO Policy & Compliance Coordinator Carnegie Mellon University lraderman () cmu edu
On Mar 15, 2018, at 7:47 AM, Scott Stoops <sstoops () ASHLAND EDU> wrote: We recently sent out an email to our students that contained links to a survey we wanted them to complete. The email had several pieces of information, such as actual contact information, to validate that this was a legitimate email. With an increased awareness on phishing, some of our students questioned the email and reported it as a possible phishing attempt. Like everyone, we are walking a sometimes fine line between encouraging people to not click on links from unexpected emails and still getting them to interact when an email is legitimate. What are folks doing either within the email communications themselves or in addition to the emails to indicate that these kinds of things are legitimate? One suggestion we had was to include our logo in the email but not all vendors will allow this. -- Scott Stoops Security Analyst II Office of Information Technology | 100 Patterson Technology Center Ashland, OH 44805 (w) 419-289-5405 sstoops () ashland edu
Current thread:
- Tips for using third party survey providers Scott Stoops (Mar 15)
- Re: Tips for using third party survey providers Laura Raderman (Mar 15)
- Re: Tips for using third party survey providers Ruth Ginzberg (Mar 15)
- Re: Tips for using third party survey providers Ken Connelly (Mar 15)
- Re: Tips for using third party survey providers Laura Raderman (Mar 15)