Re: Phishing Paranoia

[Dave Broucek <dbroucek () HARPERCOLLEGE EDU>]

We are very similar in wanting people to report the phishing emails and provide feedback on the legitimacy or lack of 
legitimacy of the phishing email reported.  It also is a conversation on what made them think it was legit and how to 
further detect emails that appear to be phishing and are not.    The conversations help to really give context on how 
to detect suspicious emails more effectively, and what to focus in on to help with detection.

We also add to the conversation, and generally encourage, employees to use the Report as Phishing button that is 
integrated into our email.


Regards,
Dave Broucek



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jason Edelstein
Sent: Friday, December 4, 2020 9:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing Paranoia

External Email.

We've gotten this, too - even to the point of people using our Proofpoint "report a phish" button to report their own 
junkmail summaries or official content from bulkmailing services used. My personal favorite are the reports of our 
president's periodic but entirely plaintext emails.

What we do is twofold:

1. We absorb the reports and do not tell people, "Don't report this!" Instead, we try to take some time and say, 
"Thanks for this report, but this one is legit. Why did you report it?" and then have an additional learning moment. 
This reduces the ratio of overzealous folks.

2. Routinely tell distributed IT and divisional folks to proactively educate their users on what is legit, forming a 
second layer of shielding. If a department's admin team or power users are aware of the official channels, it can help 
spread awareness outside the routine training campaign.

We still have one department chair who forwards emails to us (he won't use the reporting button, it is a source of awe 
to me) and almost all of them are legitimate. We eventually wrote an automatic reply template to echo #1 as an email so 
it's click, paste, next ticket.

-je-

On 12/4/20 9:09 AM, Dana Kilcrease wrote:

We run regular security awareness training focused largely on simulated phishing campaigns.  Overall, the response has 
been great, and awareness has gone up over the years.  However, we have a growing number of users who continue to over 
report "suspicious" emails, to the point that any corporate communications are typically followed by dozens of phone 
calls to our Helpdesk reporting these communications as suspicious, even if they do not contain any of the red flags we 
teach through our training.



Has anyone faced this with their training campaigns?  Any insight as to how to strike the best balance to ensure users 
are reading emails critically, rather than blindly reporting anything that is remotely outside of their day-to-day?



Dana Kilcrease

Director, Information Security

Berkeley College



**********

Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Cdbroucek%40HARPERCOLLEGE.EDU%7Ce4629ed4ee784c523db008d8986ceb01%7C41791c41ffcb45e49c1d11a6b502a6d7%7C0%7C1%7C637426940866101026%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=RgphgJxCkk6BnJLiiptICsbYOZFcD88lKVwXpUv3awI%3D&reserved=0>



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Cdbroucek%40HARPERCOLLEGE.EDU%7Ce4629ed4ee784c523db008d8986ceb01%7C41791c41ffcb45e49c1d11a6b502a6d7%7C0%7C1%7C637426940866101026%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=RgphgJxCkk6BnJLiiptICsbYOZFcD88lKVwXpUv3awI%3D&reserved=0>
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you 
recognize the sender and know the content is safe.


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community