Educause Security Discussion mailing list archives
Re: Differentiating Between Real and Phishing Emails to Staff and Students
From: Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>
Date: Tue, 13 May 2008 20:52:10 -0700
Tim, I hope you are doing well. The last time that I heard from you, I believe that you were developing some policies and procedures for IT Security. :-) I find the following statement interesting: As the frequency of targeted phishing scams increase, I continue to get more queries by staff and students questioning if the very emails I send to staff and students are valid or a scam. What types of email are you sending out? Are you actually requesting something of the student? A true phishing attack would include a link in the email such as "Click here to change your password", or "Respond to this email with your password." An email from IT Security might say "If you feel that the integrity of your password could have been jeopardized, please contact IT Security immediately. Remember that the IT Security department will never make a direct request for your password." Most password reset systems send the new password to the user via email, and then demand an immediate password change upon initial login to the system. However, some password reset systems send the user to a link and the user must login via the link to access the system. I would say that the former is a better system, but if you have the type of system that uses a link, a compensating control would be the training that you provide to the user indicating that they should always call IT Security immediately if they receive an unsolicited password reset email link. Digital signatures are not usually helpful in the University users' environment, as they are not commonly validated by students and staff. With that being said, I agree with Mike. Your best defense is a good offense, and training your users on possible phishing schemes is paramount to any successful information security awareness program. I also agree that the training methods used to train users must vary in order to continue to capture your user community's attention. Your IT Security Department should also be accessible to your user community. Encourage open communication between IT Security and your users by setting up lunch and learns, contests, etc. to build the enthusiasm of the IT Security Department. (Building off of one of Mike's suggestions below, IT Security could hold a contest and award a prize for finding the latest informational notice released by IT Security on campus.) Hope this helps! Sarah E Stevens, CISSP President Stevens Technologies, Inc. (704) 625-8842 x500 "Security solutions for your organization." ________________________________ From: The EDUCAUSE Security Constituent Group Listserv on behalf of Mike Waller Sent: Tue 5/13/2008 11:08 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Differentiating Between Real and Phishing Emails to Staff and Students We wrestled with this at my last job, which was at a medical research institution. On the one hand, we wanted to educate and increase the awareness of the many scams out there, but we didn't want to push our campus audience into tuning out. I think the best thing you can do is to vary your delivery method and focus on those areas that have some novelty -- either a new type of scam, a new delivery method or something new in the world of social engineering. If you're doing that, you're probably going to see your best results. Too many emails builds up a certain fatigue and will cause your emails to wind up as part of that vast hiss of email white noise users ignore. Focus on varying the delivery methods. In addition to email, use alerts on various campus websites, mention the scams in meetings/training, use posters, etc. There are a lot of ways to get the word out. Mike On Tue, May 13, 2008 at 1:04 AM, Tim Lane <tlane () scu edu au> wrote: Hi All, I regularly send out emails to staff and students advising on phishing scams, general security alerts, password changes etc. As the frequency of targeted phishing scams increase, I continue to get more queries by staff and students questioning if the very emails I send to staff and students are valid or a scam. I would be interested in knowing how other institutions are providing increasing assurance to staff and students that emails from their IT or Security section are valid. Examples might include disclaimers, digital signatures or encryption etc, but if this is an area you have looked at and addressed could you please advise. Thanks, Tim Tim Lane Information Security Manager IT&TS Southern Cross University Ph (02) 6620 3530 Mobile 0418 248 571
Current thread:
- Differentiating Between Real and Phishing Emails to Staff and Students Tim Lane (May 12)
- <Possible follow-ups>
- Re: Differentiating Between Real and Phishing Emails to Staff and Students Joel Rosenblatt (May 13)
- Re: Differentiating Between Real and Phishing Emails to Staff and Students David Kovarik (May 13)
- Re: Differentiating Between Real and Phishing Emails to Staff and Students Kubb, Rick (May 13)
- Re: Differentiating Between Real and Phishing Emails to Staff and Students Bob Bayn (May 13)
- Re: Differentiating Between Real and Phishing Emails to Staff and Students Mike Waller (May 13)
- Re: Differentiating Between Real and Phishing Emails to Staff and Students Sarah Stevens (May 13)
- Re: Differentiating Between Real and Phishing Emails to Staff and Students Ozzie Paez (May 14)