Educause Security Discussion mailing list archives
Re: Phishing E-mail Procedures
From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Thu, 26 Jan 2012 10:31:17 -0600
It depends entirely on what you plan to do with the phishing emails once users have submitted them to you. For example:
1) Forward them to your anti-spam vendor so that they can improve their detection. Your vendor probably already has an automated process for this, so there's little need for your security group to be a middleman (costly and adds a delay). So, you should automate this if you can.
2) If the phish is the type that asks users to reply via email with their credentials, then you can take action by scanning outbound email logs to see if users are replying to the scams. Better yet, add the reply address to the APER list (https://code.google.com/p/anti-phishing-email-reply/) and use the full APER list for outbound mail log scanning.
3) If the phish is a link to a web form, then you can try to get the form shut down, etc.
4) You can monitor trends. Is your anti-spam vendor not catching enough? Get on the phone and complain loudly. Are your users not realizing the messages are scams? Improve your mitigation process by modifying the subject/body of the scams, for example. Are your users too gullible? Start educating them. Etc.
Also, keep in mind that users don't know to distinguish phishing targeted at your edu resources from phishing targeted at personal resources (such as banks). So you'll be wading through a bunch of submissions that are out of your purview.
Jesse (Wisconsin-Madison)

On 1/26/12 10:03 AM, Robert Meyers wrote:

I have been tasked with writing guidelines and procedures for an official process on how to handle inbound phishing and/or otherwise malicious e-mail. The bottom line is we will be asking our users to forward all such e-mail to a central account where we will check it for any further action. Does anyone in the group have a similar process they could share? I'm in favor of continuing to tell users to delete the e-mails and go on about their business, but the task is on my desk.

Thanks
Bob

Robert E. Meyers, Ms.Ed.
Educational Program Manager
Office of Information Security
West Virginia University
office: (304) 293-8502
remeyers () mail wvu edu
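Point 2 above (scanning outbound mail logs for users replying to a phishing reply address) can be scripted. The following is an added illustration, not code from this thread or from the APER project: it assumes Postfix-style logs, where a qmgr line carries the sender and an smtp line carries each recipient, joined by the queue ID, and it uses a constructed reply-address list and constructed log lines in place of the real APER list and real traffic. Addresses are normalized to lower case before comparison so that case differences in the list or the log do not hide a match, and deferred deliveries are reported alongside sent ones, since a deferred message still shows that the user attempted to reply.

```python
"""Scan outbound mail logs for replies to known phishing reply addresses."""
import re

# Constructed sample of an APER-style reply-address list (placeholder
# entries, not the real APER data). One address per line; '#' starts a comment.
APER_SAMPLE = """\
# constructed sample list
webmail.upgrade@example-mail.test
helpdesk.verify@example-webmail.test
ITSUPPORT.TEAM@example-mail.test
"""

# Constructed Postfix-style log excerpt (synthetic, not real traffic).
# qmgr lines carry the sender, smtp lines carry the recipient and delivery
# status; the queue ID (e.g. 3F2A1B) links the two.
LOG_SAMPLE = """\
Jan 26 10:05:10 mx1 postfix/qmgr[1001]: 3F2A1B: from=<student1@example.edu>, size=812, nrcpt=1 (queue active)
Jan 26 10:05:12 mx1 postfix/smtp[2311]: 3F2A1B: to=<webmail.upgrade@example-mail.test>, relay=mx.example-mail.test[192.0.2.10]:25, delay=1.2, status=sent (250 OK)
Jan 26 10:06:38 mx1 postfix/qmgr[1001]: 3F2A2C: from=<staff2@example.edu>, size=2048, nrcpt=1 (queue active)
Jan 26 10:06:40 mx1 postfix/smtp[2314]: 3F2A2C: to=<colleague@example.edu>, relay=mx.example.edu[192.0.2.20]:25, delay=0.4, status=sent (250 OK)
Jan 26 10:07:01 mx1 postfix/qmgr[1001]: 3F2A3D: from=<student3@example.edu>, size=640, nrcpt=1 (queue active)
Jan 26 10:07:03 mx1 postfix/smtp[2319]: 3F2A3D: to=<ITsupport.team@example-mail.test>, relay=none, delay=30, status=deferred (connect timed out)
"""

FROM_RE = re.compile(r": (?P<qid>[0-9A-F]+): from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r": (?P<qid>[0-9A-F]+): to=<(?P<addr>[^>]+)>.*status=(?P<status>\w+)")


def normalize(addr):
    """Lower-case and strip whitespace so list and log entries compare equal."""
    return addr.strip().lower()


def load_reply_list(text):
    """Parse an APER-style list into a set of normalized addresses."""
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addrs.add(normalize(line))
    return addrs


def parse_log(text):
    """Return (queue_id, sender, recipient, status) tuples from Postfix log lines."""
    senders = {}      # queue ID -> sender, from qmgr lines
    deliveries = []   # (queue ID, recipient, status), from smtp lines
    for line in text.splitlines():
        m = FROM_RE.search(line)
        if m:
            senders[m.group("qid")] = normalize(m.group("addr"))
            continue
        m = TO_RE.search(line)
        if m:
            deliveries.append((m.group("qid"), normalize(m.group("addr")), m.group("status")))
    # Join each delivery to its sender via the queue ID.
    return [(qid, senders.get(qid, "<unknown>"), rcpt, status)
            for qid, rcpt, status in deliveries]


def find_replies(log_text, reply_list):
    """Flag outbound messages addressed to any address on the reply list."""
    hits = []
    for qid, sender, rcpt, status in parse_log(log_text):
        if rcpt in reply_list:
            hits.append({"queue_id": qid, "sender": sender,
                         "recipient": rcpt, "status": status})
    return hits


if __name__ == "__main__":
    for hit in find_replies(LOG_SAMPLE, load_reply_list(APER_SAMPLE)):
        print(f"{hit['queue_id']}: {hit['sender']} -> {hit['recipient']} ({hit['status']})")
```

Each hit identifies a sender account whose credentials should be treated as compromised and reset, which is the follow-up action the scan exists to trigger. In production the reply list would be refreshed from the APER project and the log text fed from the mail gateway's actual log files.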