Re: Phishing Links

[James Farr '05 <jfarr () UTICA EDU>]

Brian,

Thanks for the encouragement.  I have been tracking successful and
unsuccessful phishing attempts for 2 years now.  Things have gotten better.
We now go several months between incidents.

Justin,
Thanks for the reminder.  If I am trying to set a standard at my school that
BIG BANK CORP and BIG BOX STORE do not follow the meaning behind my message
may have no meaning.



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Wednesday, July 07, 2010 2:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing Links

 Don't be discouraged! Awareness is very challenging, but it can be
effective as an ongoing effort without any silver bullets. 

 The University of Wisconsin recently created some very clever ads that we
think do a good job of directly addressing phishing. We are pretty excited
about them, and plan on distributing a version of them in the coming weeks:
   http://www.cio.wisc.edu/security/awareness/09campaign.aspx

 Every little effort helps! :)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security Office
Pima Community College
Office: 520-206-4873
~~~~~~~~~~~~~~~~~~~~~~~~~~~~


> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Pete Hickey
> Sent: Wednesday, July 07, 2010 11:18 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Phishing Links
>
> I gave up.  You can't fight it.  The worst here was a time we...
> because of a possible 'incident'... we wanted everyone to change a
password
> (legacy... we can't force change passwords on that
> system)  The PR people actually wanted to send out an email saying due to
> xxxxx we are requiring everyone to change passwords.  Click here to change
> yours.
>
> Yeah!
>
> When the 'make it easy for the user at all costs' mindset is around, it's
a
> tough fight.  (I did win that one by putting their message alongside a
phishing
> one).  More abstract than that just would not work.
>
>
> On Wed, Jul 07, 2010 at 02:05:41PM -0400, James Farr '05 wrote:
> > It is hard to educate some users on the difference between legitimate
> > and phony web links in email, and it is easy enough to fake a website.
> > For that reason I would like to propose that no official college
> > communication is sent with an active link in it.
> >
> > Problems,
> >
> > Some clients while trying to be helpful make links clickable that I do
> > not want clickable.
> >
> > Links can be inserted as a picture, but not all clients show pictures
> > by default.
> >
> > We can give directions to a website, in order to check your mail go to
> > our homepage, click on login and select webmail, but some users
> > cannot/will not follow those instructions.
> >
> >
> >
> > Would this solution cause more harm than good?
> >
> >
> >
> > What are your thoughts/rules?
> >
> >
> >
> > IITS will never ask you for your password.  Never email your password
> > to anyone.
> >
> >
> >
> > James Farr
> >
> > Information Security Officer
> >
> > Instructional Technologist
> >
> > Utica College
> >
> >  <mailto:jfarr () utica edu> jfarr () utica edu
> >
> > 315-223-2386
>
> --
> Pete Hickey
> The University of Ottawa            "Everyone knows someone
> Ottawa, Ontario                      who knows someone else"
> Canada