It is not unusual for a university of this size to be the target of a phishing attack. In fact, many educational institutions are targeted because their email addresses are publicly available. Criminals can easily harvest thousands of email addresses and send malicious messages to them in the hope that a few hundred recipients fall for the scam, letting the attackers capture some login credentials, create a backdoor into the university’s network or even gain a few more zombie computers for their botnet.
Like I said, it is not the fact that the University of South Florida’s users were receiving these emails that made an impression on me, it is how the school handled it.
To begin with, they informed people that although anti-spam filtering is in place, some well-crafted messages from the criminals will make it through these controls.
They then went on to explain that extra care should be taken when:
- Emails that ask for a password
- Emails that contain a link allowing the recipient to update or verify account information
- Emails that inform the user that their email account is being suspended, revoked or deleted
- Emails that threaten the recipient that an account will be removed or suspended
The reason is that USF Information Technology will simply not ask for this information – ever. They are clear about this policy and spell it out to their users.
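The same four warning signs can be turned into mail-filter detection rules. The following is an added example written for this post, not code from the university or from any product it uses; the message headers, addresses and wording are constructed samples.

```python
import re
from email import message_from_string

# Heuristics mirroring the four warning signs in the university's notice.
# Each maps an indicator name to a pattern matched against subject + body.
INDICATORS = {
    # a request to send, enter or confirm a password
    "asks_for_password": re.compile(
        r"\b(send|reply with|enter|provide|confirm|submit)\b[^.\n]{0,40}\bpassword\b", re.I),
    # "verify/update ... account ..." followed by a link in the same sentence
    "link_to_verify_account": re.compile(
        r"\b(verify|update|confirm)\b[^.\n]{0,60}\baccount\b[^.\n]{0,80}https?://", re.I),
    # account/mailbox/access being suspended, revoked, deleted or removed (either word order)
    "account_suspension_notice": re.compile(
        r"\b(suspend\w*|revok\w*|delet\w*|remov\w*)\b[^.\n]{0,60}\b(account|mailbox|access)\b"
        r"|\b(account|mailbox|access)\b[^.\n]{0,60}\b(suspend\w*|revok\w*|delet\w*|remov\w*)\b", re.I),
}

def message_text(raw: str) -> str:
    """Return the Subject header plus every text/plain part of a raw RFC 5322 message."""
    msg = message_from_string(raw)
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def flag_message(raw: str) -> list[str]:
    """Return the names of the warning signs found in the message, in INDICATORS order."""
    text = message_text(raw)
    return [name for name, pattern in INDICATORS.items() if pattern.search(text)]

# Constructed sample messages (not real mail); the first trips all three rules.
PHISH = (
    "From: helpdesk@example.test\nSubject: Your mailbox will be deleted\n\n"
    "Your account will be suspended in 24 hours. To keep access, verify your "
    "account information at http://example.test/verify and reply with your password.\n"
)
BENIGN = (
    "From: registrar@example.test\nSubject: Fall schedule posted\n\n"
    "The fall course schedule is now available on the registrar's site.\n"
)

if __name__ == "__main__":
    print("phish:", flag_message(PHISH))    # all three indicators
    print("benign:", flag_message(BENIGN))  # []
```

A hit on any rule is a reason to quarantine or tag the message for review rather than to reject it outright, since legitimate notices occasionally use the same words.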
Is Your Organization Clear?
The University of South Florida has over 45,000 students and over 16,000 faculty and staff members. That is a large group of people who could fall for a malicious email. However, they have taken steps to warn their users of potential threats and to show them how to identify email messages that could be harmful.
Now take a few minutes to think about how your organization deals with email threats. Do you have the best possible technical controls in place? Do you have the right people managing email security? Have you taught your users how to identify potentially harmful emails? But most importantly, have you clearly defined your organization’s policies regarding what you will and will not ask for in an email message?
All too often, we assume that our users will know that we won’t ask for things like passwords or user names via email. After all, we would never give that information up, right? So why would they? However, this assumption is often what gets us, or rather our organization, into trouble.
If people aren’t told what will and won’t be asked of them in an email, then they are prime victims for attackers. These are the people who will panic when they see an email that threatens to suspend their service or requires them to hand over their login credentials. The panicked employee is the most dangerous kind you can have when it comes to email security, because they are usually so afraid of losing access or getting into more trouble that they will do whatever the attacker’s email tells them to do.
As email administrators, it is our job to protect our mail systems from attack. To do this effectively, we need to work with the rest of our organization to make sure that everyone understands that things like account information, passwords and other confidential information will never be requested via email. Users also need to be confident that if they receive a warning that they may lose access to a service they need to do their jobs, they should pick up the phone and call to verify it rather than blindly trusting warnings that come via email.
Having these policies in place and published won’t solve every ill that comes with having email in the workplace, but they will help defend against the emails that make it past the anti-spam filters and wind up in someone’s inbox.
I would be interested in seeing how many of our readers’ organizations have policies such as these and how many of them feel confident that their co-workers are aware of them.