What Will Your Users Do?

Just recently my alma mater, the University of South Florida, warned students and staff of a phishing email that was being delivered to many inboxes around campus.

It is not unusual for a university of this size to be the target of a phishing attack. In fact, many educational institutions are targeted because their email addresses are publicly available. Criminals can easily harvest thousands of email addresses and send malicious messages to them in the hope that a few hundred recipients fall for the scam and, as a result, give up some login credentials, open a backdoor into the university’s network, or even add a few more zombie computers to a botnet.

Like I said, it is not the fact that the University of South Florida’s users were receiving these emails that made an impression on me, it is how the school handled it.

To begin with, they informed people that although anti-spam filtering is in place, some emails that are well crafted by criminals will still make it through these controls.

They then went on to explain that extra care should be taken when:

  • Emails ask for a password
  • Emails contain a link that will allow the recipient to update or verify account information
  • Emails inform the user that their email account is being suspended, revoked or deleted
  • Emails threaten the recipient that an account will be removed or suspended

The reason is, USF Information Technology will simply not ask for this information – ever. They are clear about this policy and spell it out to their users.
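A small mail-filter rule that checks an incoming message for the warning signs in that list, added here as an example (it is not code from the original post or from USF’s systems). The sample messages and addresses are constructed, and the third and fourth bullets are folded into one suspension/removal check:

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message (not from the original post) that shows all of the
# warning signs: it asks for a password, links to an "account verification"
# page, and threatens suspension.
SAMPLE_PHISH = b"""From: "IT Helpdesk" <helpdesk@example.invalid>
To: student@example.invalid
Subject: Action required: your mailbox will be suspended

Your account will be suspended within 24 hours unless you verify your
account information here: http://mail-verify.example.invalid/login
Please reply with your current password to keep your access.
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = b"""From: registrar@example.invalid
To: student@example.invalid
Subject: Fall schedule posted

The fall course schedule is now posted on the registrar site.
"""

# Each rule mirrors one bullet of the USF advisory quoted above
# (bullets 3 and 4 share the suspension/removal rule).
RULES = {
    "asks for password": re.compile(
        r"\b(reply|send|provide|confirm)\b[^.]{0,60}\bpassword\b", re.I),
    "link to update/verify account": re.compile(
        r"\b(update|verify|confirm)\b[^.]{0,40}\baccount\b", re.I),
    "threatens suspension/removal": re.compile(
        r"\b(suspend(ed)?|revoked?|delet(e|ed)|remov(e|ed))\b", re.I),
}
URL_RE = re.compile(r"https?://\S+", re.I)

def phishing_indicators(raw: bytes) -> list[str]:
    """Return the names of the warning signs present in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg["subject"] or "") + "\n" + (body.get_content() if body else "")
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    # The "update/verify" sign only counts when the message actually carries a link.
    if "link to update/verify account" in hits and not URL_RE.search(text):
        hits.remove("link to update/verify account")
    return hits
```

Flagged messages would be quarantined or tagged for the user rather than silently dropped, since the point of the policy is that users learn to recognise these patterns themselves.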

Is Your Organization Clear?

The University of South Florida has over 45,000 students and over 16,000 faculty and staff members. That is a large group of people who could fall for a malicious email. However, the university has taken steps to warn its users of potential threats and to show them how to identify email messages that could be harmful.

Now take a few minutes to think about how your organization deals with email threats. Do you have the best possible technical controls in place? Do you have the right people managing email security? Have you taught your users how to identify potentially harmful emails? But most importantly, have you clearly defined your organization’s policies regarding what you will and will not ask for in an email message?

All too often, we assume that our users will know that we won’t ask for things like passwords or user names via email. After all, we would never give that information up, right? So why would they? However, this assumption is often what gets us, our organization that is, into trouble.

If people aren’t told what will and won’t be asked of them in an email, then they are prime targets for attackers. These are the people who will panic when they see an email that threatens to suspend their service or requires them to hand over their login credentials. This panicked employee is the most dangerous kind you can have when it comes to email security, because they are usually so afraid of losing access or getting into more trouble that they will do whatever the attacker’s email tells them to do.

As email administrators, it is our job to protect our mail systems from attack. To do this effectively, we need to work with the rest of our organization to make sure that everyone understands that things like account information, passwords and other confidential information will never be requested via email. Users also need to be confident that if they receive a warning that they may lose access to something they need to do their jobs, they should pick up the phone and call to verify it, not blindly trust warnings that come via email.

Having these policies in place and published won’t solve every ill that comes with having email in the workplace, but they will help defend against those emails that make it past the anti-spam filters and wind up in someone’s inbox.

I would be interested in seeing how many of our readers’ organizations have policies such as these and how many of them feel confident that their co-workers are aware of them.

Written by Jeff Orloff

8 Comments

  1. David Black · June 10, 2013

    It’s good that the university takes a proactive approach. I hope the students, staff, and faculty don’t just throw this email away as junk mail. When your users are intelligent, as academia people supposedly are, it’s much easier to handle risks – you tell your people, they watch out and follow.

  2. Claire · June 25, 2013

    This reminds me of my first company. It experienced an onslaught of spam, which was sent to all employees, from top to bottom. I like how they handled it as well. They e-mailed us right away, made sure we secured our own accounts by allowing us to change our passwords, and at the same time invested in better security tools for the IT department.

  3. Arthur · June 27, 2013

    I am currently in a third-world country, working as an IT analyst for a non-profit organization. I’ve come across other IT specialists here as well, but let me tell you, they don’t care about such threats. It could be because they’ve seen the worst. What else is there to fear? But I also sense it’s because the companies they’re working for don’t mind online security either.

  4. Manny · June 29, 2013

    My, you’ve got a great job there, Arthur. I know your position isn’t the most pleasant, but I believe it’s also one of the most fulfilling things. I am not familiar with IT in the third-world industry, but it looks like they have a lot of things to work on. I hope they can catch up because security threats are everywhere, and they can cause great havoc to plenty of industries.

  5. Anastasia · June 30, 2013

    I’ve seen companies hit by spam with their workforce taking the brunt of the problem. These companies learned their lessons, of course, but they also gave up a lot of confidential information. The company I work with has a written policy for email use and security. Since not all of us are well-acquainted with email security threats and similar stuff, our IT department makes it a point to regularly update workers with everything related to such things. We also have annual workforce IT seminars that help educate non-technically savvy employees. It’s not a perfect policy but our leaders are working continuously to assure our (and the company’s) online safety.

  6. Stella · June 30, 2013

    Hi, my name is Stella, and I am a brand-new HR practitioner for a local SEO firm. I am happy that I came across this type of blog, because it makes me feel more sure that there’s a need to create IT security training for staff. I am doing my research so I can justify funding from the higher-ups.

  7. Tinette · March 3, 2014

    @Anastasia: You are lucky that your company has found its footing in the case of email security. There are a lot of companies that refuse to do something about this. Their policies do not include even a single provision about email use and security. It is important that companies train and educate their employees regarding email security on a regular basis. Companies like the one you work for make the authorities’ job a little easier. Although we know that spammers are almost always “one step ahead”, it helps to know that some members of the private sector are sincerely doing their job in preventing spammers from attacking and taking what is not theirs.

  8. Janni · October 3, 2014

    Email security is always a risky issue. It becomes even more valuable when the people dealing with email are not really technically educated, especially in the field of security against malicious threats like the ones phishing and scamming do to users. If you work for a company or organization, be sure to suggest an email security program to your boss if you want all your company (and personal) files to be safe. If you work for a small company, no worries. Based on experience and observation, the smaller corporations and organizations are the ones that take issues like email security seriously. Education and awareness should always be a part of your company’s IT security program.
