Educause Security Discussion
mailing list archives
Re: Mitigating Phishing Attacks
From: "Tonkin, Derek K" <Derek_Tonkin () BAYLOR EDU>
Date: Tue, 4 Dec 2012 18:31:35 +0000
My initial thought is that it may be more dangerous to teach users that copying and pasting URLs into their browser is
safe than to continue to send links. We have a ban on links in emails regarding user accounts. It is a pain and I
doubt the degree to which users grasp the concept of us not sending them links when EVERYONE else does. I think
awareness training including an address to send suspicious emails to plus being quick to block both the URL and the
sender of phishing messages you do discover is the most effective method.
Information Security Analyst
ITS - Security
"Conlee, Keith" <conlee () COD EDU> wrote:
Sorry for the delay, but I am playing catch up. We also have experienced an increase of phishing attacks and a couple
users have taken the hook causing us to get blacklisted, etc. and the clean-up that follows.
This last phishing attack the sender masqueraded as the "System Administrator" by either spoofing the sender's address,
or sending from a previously compromised email account and signing as "System Administrator." It was the old phishing
scam warning the user " Your mailbox has exceeded the storage limit." As the IT department we have told our users that
we (IT) will never send them an unsolicited email asking them for any sensitive input (e.g. ID and password, etc.). We
(IT) are thinking of making a new policy decision that we will not send out any "active" links in email that will take
the user to a webpage and ask for their sensitive data (e.g., ID and password). Instead we will provide a description
of the webpage they need to go to (e.g. Employee Portal) and provide an "inactive" text link and instruct them to cut
and paste (or type) the text into the address bar of their browser (for convenience). It is MOST convenient to just
provide the link, but since links can be spoofed and take you elsewhere, an inactive text link that can either be
cut-and-pasted or typed into a browser location bar provides some convenience and we think is safer. The only way we
can go wrong is if our College website gets hacked. ANY THOUGHTS - Good or Bad?
Thanks for any responses.
Keith Conlee, JD, CISSP, CISA, CBCP
Chief Security Officer, IT
College of DuPage
425 Fawell Blvd.
Glen Ellyn, IL 60137-6599
Ph. - 630.942.3055
Fax. - 630.790.0325
- Re: Mitigating Phishing Attacks, (continued)