Kevin:

While I agree that there's room for improvement, at least in this case we were 
all given an official (and verifiable) advance heads-up that this message was 
coming and that it is legit--see 
https://calmessages.berkeley.edu/archives/message/37765, sent last Wednesday.

That's not perfect, but it is a bunch better than what's been done in the past, 
and I think that should be recognized. 

Ian

___
Ian Crew

IST-Architecture, Platforms and Integration (API)
Earl Warren Hall, Second Floor
University of California, Berkeley


> On Mar 30, 2015, at 10:56 AM, Kevin Burney <[email protected]> wrote:
> 
> Phishing???
>  
> If this is legitimate they should not use links contained in the email.  A 
> simple way to mitigate this is to tell people to go to a trusted system like BLU 
> or “UCOP - At your service” (not a link to the location) and use a link 
> posted there without requiring the recipient to click on a link contained 
> within the email.
>  
> The following item is listed on the Anti-Phishing posters located throughout 
> the campus.
> “If you didn’t expect it. Reject it! Don’t Click on Unexpected Links”
>  
> Let’s be consistent.
>  
> Security policies are not effective if there are some that should be followed 
> and others that should not.
>  
> Exceptions are one of the worst things for policies and/or guidelines.  Is it 
> ok to click on a link because it says it is a questionnaire from UC or 
> someone representing UC?  Who is this @towerswatson.com?
>  
> Is this part of the testing program that the campus announced would be going 
> on to analyze people's use in clicking on phishing attempts?
>  
> It feels to me that system wide communications should be vetted by a UC 
> security team member before sending it out to the masses.
>  
> https://security.berkeley.edu/content/phishing-scams-ongoing-threat-campus
> https://security.berkeley.edu/content/anti-phishing-faq-and-tips
>  
>  
> -Kevin Burney
> _________________________________
> Kevin D. Burney
> Active Directory Systems Engineer
> Enterprise Windows Team
> University of California, Berkeley
> (510) 827-8476
>  
>  
> The following is an excerpt from an SNS web page:
> How can I identify a phishing scam?
> 
> The first rule to remember:  Never give out any personal information in 
> email.  No institution, bank or otherwise, will ever ask for this information 
> via email.  It may not always be easy to tell whether an email or website is 
> legitimate, but there are many tools to help find out.
> 
> · In the body of an email, you might see questions asking you to 
>   “verify” or “update your account” or “failure to update your records will 
>   result in account suspension.” It is usually safe to assume that no credible 
>   organization to which you have provided your information will ever ask you to 
>   re-enter it, so do not fall for this trap.
> · Any email that asks for your personal or sensitive information 
>   should be seriously scoured and not trusted. Even if the email has official 
>   logos or text or even links to a legitimate website, it could easily be 
>   fraudulent. Never give out your personal information.
> 
> What can I do to avoid Phishing attacks?
> 
> Click and review these 5 essential Anti-Phishing tips to avoid being 
> "Phished":
> 
> 1. Passwords in Email = Epic Fail. Never send your passwords in email!
> 2. If you didn't expect it, reject it. Don't click unexpected links!
> 3. Hover to Discover. Look out for deceptive links!
> 4. Check for Trash Before the Slash. Verify "https://auth.berkeley.edu/" 
>    in your browser bar before entering CalNet credentials!
> 5. Is it a Phish? Drop us a line. 
>  
> From: [email protected] 
> [mailto:[email protected]] 
> Sent: Monday, March 30, 2015 10:02 AM
> To: [email protected]
> Subject: 2015 Staff Engagement Survey
>  
> Dear UC Colleague:
> You are invited to participate in the 2015 Staff Engagement Survey. You may 
> have seen the announcement on UC Net or on your campus news site about a 
> survey the Council of University of California Staff Assemblies (CUCSA), in 
> collaboration with Systemwide Employee Relations, is conducting among a 
> representative sample of UC Staff employees.  You have been selected to 
> participate in this survey.
> 
> The survey asks for your opinions about a range of topics that focus on 
> employee engagement. Your views are very important and provide direct 
> feedback that will help shape how we will all work at UC. This is the second 
> systemwide UC Staff Engagement Survey. The first was conducted in 2012. 
> Results from that survey were shared with Senior Leadership at UCOP as well 
> as the Chancellors or senior administrators at each location.
> 
> Results from the 2015 survey compared to the 2012 results will help us 
> determine areas where progress was made, as well as areas that may need 
> further effort and focus.  We encourage you to take about 15 minutes to 
> complete this survey while at work. Please submit your response by April 17, 
> 2015.
> 
> The survey is being conducted by Towers Watson, an independent consulting 
> firm specializing in employee surveys and research. Towers Watson does not 
> report individual names or opinions, so your answers will remain strictly 
> confidential. Your responses, combined with others, will help leadership 
> understand what’s important to you and what’s working well or needs 
> improvement.
> 
> How to Participate
> To take the survey, please click on the link below:
> 
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> 
> 
> The survey will be open from March 30, 2015 through April 17, 2015.
> Please do not forward this email to others. If you have any questions or 
> experience difficulties accessing the survey, please email Towers Watson at 
> [email protected]. 
> 
> Again, thank you for sharing your views and helping to improve UC.
> Sincerely,
> 
> Rob Kerner, Chair of the Council of UC Staff Assemblies (2014-15)
> Greta Carl-Halle, Chair-Elect of the Council of UC Staff Assemblies (2014-15)
> Marie-Ann Hairston, Director Systemwide Employee Relations Programs
> 
> Notice of Confidentiality
> This transmission contains information that may be confidential. It has been 
> prepared for the sole and exclusive use of the intended recipient and on the 
> basis agreed with that person. If you are not the intended recipient of the 
> message (or authorized to receive it for the intended recipient), you should 
> notify us immediately; you should delete it from your system and may not 
> disclose its contents to anyone else.
> This e-mail has come to you from Towers Watson Delaware Inc. or Towers Watson 
> Pennsylvania Inc.
> 
> 
> -------------------------------------------------------------------------
> The following was automatically added to this message by the list server:
> 
> To learn more about Micronet, including how to subscribe to or unsubscribe 
> from its mailing list and how to find out about upcoming meetings, please 
> visit the Micronet Web site:
> 
> http://micronet.berkeley.edu
> 
> Messages you send to this mailing list are public and world-viewable, and the 
> list's archives can be browsed and searched on the Internet.  This means 
> these messages can be viewed by (among others) your bosses, prospective 
> employers, and people who have known you in the past.
> 
> ANNOUNCEMENTS: To send announcements to the Micronet list, please use the 
> [email protected] list.
 