Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Mitigating Phishing Attacks
From: Oscar Knight <knightod () APPSTATE EDU>
Date: Tue, 4 Dec 2012 15:11:12 -0500

Hello All,

I initially was a fan of the 'no links' course of action.  Thou I never
really pushed the idea I did suggest it to our IT group.  I got strange
looks and was called names that I can't mention here.   And in the end
I more or less agree.  But is there another viable way to point our
users in the right direction?

I just entered "password" on a dozen edu sites.  They all gave me
results that would be appropriate if I were a user and in search of
info regarding my password and or account.

Is it too much to ask the user to enter a search string on the
institutions home page?   For those that manage their own search
appliance you can even create your on search string/results.

Example: For more information on changing your password please search
"password" on the Baylor/COD/Appstate website.

Do I still deserve to be called those names? :)  Is anyone doing this
as a regular practice?

I firmly believe that every time an institution sends a mass
communication and users click the link and it all works then trust is
built in that communication method.  Do this a lot and you get a lot of


On 12/4/2012 1:31 PM, Tonkin, Derek K wrote:
My initial thought is that it may be more dangerous to teach users that copying and pasting URLs into their browser is 
safe than to continue to send links.  We have a ban on links in emails regarding user accounts.  It is a pain and I 
doubt the degree to which users grasp the concept of us not sending them links when EVERYONE else does.  I think 
awareness training including an address to send suspicious emails to plus being quick to block both the URL and the 
sender of phishing messages you do discover is the most effective method.

Derek Tonkin
Information Security Analyst
Baylor University
ITS - Security

"Conlee, Keith"<conlee () COD EDU>  wrote:

Sorry for the delay, but I am playing catch up.  We also have experienced an increase of phishing attacks and a couple 
users have taken the hook causing us to get blacklisted, etc. and the clean-up that follows.

This last phishing attack the sender masqueraded as the "System Administrator" by either spoofing the sender's address, or sending from a previously 
compromised email account and signing as "System Administrator."  It was the old phishing scam warning the user " Your mailbox has exceeded the storage 
limit."  As the IT department we have told our users that we (IT) will never send them an unsolicited email asking them for any sensitive input (e.g. ID and password, 
etc.).  We (IT) are thinking of making a new  policy decision that we will not send out any "active" links in email that will take the user to a webpage and ask for 
their sensitive data (e.g., ID and password).  Instead we will provide a description of the webpage they need to go to (e.g. Employee Portal) and provide an 
"inactive" text link and instruct them to cut and paste (or type) the text into the address bar of their browser (for convenience).  It is MOST convenient to just 
provide the link, but since links !
can be s
poofed and take you elsewhere, an inactive text link that can either be cut-and-pasted or typed into a browser location 
bar provides some convenience and we think is safer.  The only way we can go wrong is if our College website gets 
hacked.  ANY THOUGHTS - Good or Bad?

Thanks for any responses.

Keith Conlee, JD, CISSP, CISA, CBCP
Chief Security Officer, IT
College of DuPage
425 Fawell Blvd.
Glen Ellyn, IL 60137-6599

Ph. - 630.942.3055
Fax. - 630.790.0325

NOTE: ASU ITS will NEVER ask you for your password in an email!
Oscar D. Knight                           knightod at appstate dot edu
ITS                                                Voice: 828-262-6946
Appalachian State University, Boone, NC 28608        FAX: 828-262-2236

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]