Educause Security Discussion mailing list archives

Re: Phishing your users


From: Andrew Lawlor <andrew.lawlor () BUCKS EDU>
Date: Wed, 18 Feb 2015 13:23:50 -0500

I am not responding specifically about phishing our own users; we have not done that here at Bucks County Community 
College. I did want to share, however, that we have had good success with a required online training package that is 
now required as a part of the orientation of new employees (both faculty and staff). We use the same training package 
for those individuals who have fallen for a phishing attack. The divisional VPs and deans have been supportive and if 
the individuals slated for training do not complete it, their supervisors pursue it on our behalf. We are using 
Inspired eLearning’s Basic Security Awareness course.

It has taken a few years of persistence by our IT security officer to get us to this point, but with the substantial 
reduction in those who respond to phishing attacks, I am satisfied that we have a working program in place.

Regards,

Andrew

Andrew Lawlor, Ph.D.
Vice President, Information Technology Services & CIO
Pemberton Hall
275 Swamp Road
Newtown, PA 18940
215-968-8408
andrew.lawlor () bucks edu


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sol 
Bermann
Sent: Wednesday, February 18, 2015 10:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing your users

We have refrained from phishing our own users due to trust issues down the road.  That said, we are potentially 
considering it for certain pockets of users.

We provide examples of real phishes here - 
http://www.safecomputing.umich.edu/main/phishing_alerts/spear-phish-examples.php

Sol Bermann
Interim University of Michigan Chief Information Security Officer
Privacy Officer and IT Policy, Compliance and Enterprise Continuity Strategist
ITS - Information & Infrastructure Assurance
University of Michigan

734/615-9661
solb () umich edu



On Wed, Feb 18, 2015 at 10:06 AM, Hillhouse, Bob (Bob) <bob () utk edu> wrote:
We are interested in this as well. I’ve considered a “Phish-Bowl” website where I post real examples of phishing emails 
that we’ve received as well as images of some of the standard bank or delivery service emails. It is one of the most 
prevalent forms of unintentional insider misuse we see.

Bob

—
Bob Hillhouse, CISSP
Associate CIO & Chief Information Security Officer
The University of Tennessee, Knoxville
bob () utk edu
865-406-8981 (cell)
865-974-8445 (office)

Keep your NetID information secure. Don't reply to any email that asks for your personal information. Report any 
suspicious requests to the OIT HelpDesk at (865) 974-9900.

From: <Fowler>, Becky Thurmond
Reply-To: The EDUCAUSE Security Constituent Group Listserv
Date: Wednesday, February 18, 2015 at 9:58 AM
To: The EDUCAUSE Security Constituent Group Listserv
Subject: [SECURITY] Phishing your users

We’ve tossed around the idea of phishing our users (as an awareness/education activity) for the past few years.  I’m 
ready to make another push to upper management to move forward with this project but I was wondering if anyone had any 
war stories (good or bad) to share before I make my pitch.

Thanks!

Becky Thurmond Fowler
Manager, Security Assessments & Incident Response
Division of IT – Information Security & Access Management
University of Missouri-Columbia
becky () missouri edu
573.882.5182



