Educause Security Discussion mailing list archives

Re: Differentiating Between Real and Phishing Emails to Staff and Students


From: Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>
Date: Tue, 13 May 2008 20:52:10 -0700

Tim,
 
I hope you are doing well.  The last time that I heard from you, I believe that you were developing some policies and 
procedures for IT Security.  :-)
 
I find the following statement interesting:
 
As the frequency of targeted phishing scams increases, I continue to get more queries by staff and students questioning 
if the very emails I send to staff and students are valid or a scam.
 
What types of email are you sending out?  Are you actually requesting something of the student?  A true phishing attack 
would include a link in the email such as "Click here to change your password", or "Respond to this email with your 
password."  
 
An email from IT Security might say "If you feel that the integrity of your password could have been jeopardized, 
please contact IT Security immediately.  Remember that the IT Security department will never make a direct request for 
your password." 
 
Most password reset systems send the new password to the user via email, and then demand an immediate password change 
upon initial login to the system.  However, some password reset systems send the user to a link and the user must login 
via the link to access the system.  I would say that the former is a better system, but if you have the type of system 
that uses a link, a compensating control would be the training that you provide to the user indicating that they should 
always call IT Security immediately if they receive an unsolicited password reset email link.
 
Digital signatures are not usually helpful in the University users' environment, as they are not commonly validated by 
students and staff.
 
With that being said, I agree with Mike.  Your best defense is a good offense, and training your users on possible 
phishing schemes is paramount to any successful information security awareness program.  I also agree that the training 
methods used to train users must vary in order to continue to capture your user community's attention.  Your IT 
Security Department should also be accessible to your user community.  Encourage open communication between IT Security 
and your users by setting up lunch and learns, contests, etc. to build the enthusiasm of the IT Security Department.  
(Building off of one of Mike's suggestions below, IT Security could hold a contest and award a prize for finding the 
latest informational notice released by IT Security on campus.)
 
Hope this helps!
 
Sarah E Stevens, CISSP
President
Stevens Technologies, Inc.
(704) 625-8842 x500
 
"Security solutions for your organization."
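The two message texts Sarah contrasts above (a "respond with your password" or "click here to change your password" call to action versus an advisory that states IT Security will never ask for a password) can be turned into a small triage heuristic that a help desk could run over forwarded messages. The following Python is an added example, not code from this thread or from any of its participants; the sample bodies are constructed, and the regular expressions are illustrative assumptions rather than a vetted phishing signature set.

```python
import re

# Constructed sample message bodies for the demo; none are quoted from real mail.
SAMPLES = {
    "it_advisory": (
        "If you feel that the integrity of your password could have been "
        "jeopardized, please contact IT Security immediately. Remember that "
        "the IT Security department will never make a direct request for "
        "your password."
    ),
    "credential_request": (
        "Your mailbox is over quota. Respond to this email with your password "
        "within 24 hours or your account will be closed."
    ),
    "reset_link": (
        "Click here to change your password: "
        "http://example.invalid/reset?id=123"  # placeholder URL, constructed
    ),
}

# Assumed heuristic patterns (illustrative, not an exhaustive signature set).
# A request to reply with a password in the same sentence.
PASSWORD_REQUEST = re.compile(
    r"\b(?:reply|respond)\b[^.]{0,40}\bwith\s+your\s+password\b", re.I)
# A "click here" call to action tied to a password in the same sentence.
CREDENTIAL_LINK = re.compile(
    r"\bclick\s+here\b[^.]{0,60}\bpassword\b", re.I)
URL = re.compile(r"https?://\S+", re.I)
# The kind of notice a legitimate IT Security advisory carries.
NEVER_ASK = re.compile(
    r"\bnever\b[^.]{0,40}\b(?:request|ask)\b[^.]{0,20}\bpassword\b", re.I)


def classify(body):
    """Return a triage verdict for one message body.

    'flags' lists the reasons a message looks like a credential-harvesting
    attempt; 'has_never_ask_notice' records whether the body carries the
    "we will never ask for your password" statement.  A message is marked
    suspicious only when at least one flag fires; the notice alone does not
    clear a message, since attackers can copy such wording too.
    """
    flags = []
    if PASSWORD_REQUEST.search(body):
        flags.append("asks the recipient to send a password by email")
    if CREDENTIAL_LINK.search(body) and URL.search(body):
        flags.append("pairs a 'click here' call to action with a password link")
    return {
        "suspicious": bool(flags),
        "flags": flags,
        "has_never_ask_notice": NEVER_ASK.search(body) is not None,
    }


def classify_all(samples=SAMPLES):
    """Classify every sample body and return the verdicts keyed by name."""
    return {name: classify(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        state = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{name:20s} {state:10s} {'; '.join(verdict['flags'])}")
```

The heuristic deliberately keys on the request itself (send a password, follow a password link) rather than on sender address or branding, which is what users are told to look for in the training Sarah describes; the "never ask" notice is reported separately so that its presence is visible to the reviewer but cannot by itself whitelist a message.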
 
 

________________________________

From: The EDUCAUSE Security Constituent Group Listserv on behalf of Mike Waller
Sent: Tue 5/13/2008 11:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Differentiating Between Real and Phishing Emails to Staff and Students


We wrestled with this at my last job, which was at a medical research institution. On the one hand, we wanted to 
educate and increase the awareness of the many scams out there, but we didn't want to push our campus audience into 
tuning out. 
 
I think the best thing you can do is to vary your delivery method and focus on those areas that have some novelty -- 
either a new type of scam, a new delivery method or something new in the world of social engineering. If you're doing 
that, you're probably going to see your best results. Too many emails build up a certain fatigue and will cause your 
emails to wind up as part of that vast hiss of email white noise users ignore. Focus on varying the delivery methods. 
In addition to email, use alerts on various campus websites, mention the scams in meetings/training, use posters, etc. 
There are a lot of ways to get the word out.
 
Mike


On Tue, May 13, 2008 at 1:04 AM, Tim Lane <tlane () scu edu au> wrote:


Hi All,

I regularly send out emails to staff and students advising on phishing scams, general security alerts, password changes etc.  As the frequency of targeted phishing scams increases, I continue to get more queries by staff and students questioning if the very emails I send to staff and students are valid or a scam.

I would be interested in knowing how other institutions are providing increasing assurance to staff and students that emails from their IT or Security section are valid.

Examples might include disclaimers, digital signatures or encryption etc, but if this is an area you have looked at and addressed could you please advise.

Thanks,

Tim

Tim Lane
Information Security Manager
IT&TS
Southern Cross University
Ph (02) 6620 3530
Mobile 0418 248 571


