by marios 4864 days ago
This.

The only effective solution is to educate users, but that in itself is a difficult task.

Phishing attacks rely on users being gullible / distracted / ignorant. Telling users _not_ to be any of these usually results in angry answers such as "Are you implying I am stupid !?", and the important part of the dialogue where you explain things to be wary of is completely ignored.

Another way to communicate these things is to _phish your own users_. Email them a fishy message ultimately asking them for their password, for instance, the same way an attacker would. Of course, some phishing emails / sites look incredibly legit, but in my experience most have noticeable deficiencies. If your users can spot at least those, then they can protect against a good number of attacks. Once the victim falls for the trap, redirect them to a page explaining how they were tricked, and showing what they need to pay attention to.

You even get their passwords, so that you can do some analysis and see how many will change it following the 'incident'.


"phish your own users"

Now that's the best idea I've heard all morning. You should be running Oxford's IT dept!

I disagree.

At best the users who don't care will continue not to care. At worst it will train users to think "oh, it's another drill, ho hum".

Somewhere in the middle is some deeply embarrassed Deputy Vice Chancellor who decides to make those horrid computer people his personal enemies.

> At worst it will train users to think "oh, it's another drill, ho hum".

How is that a bad outcome? Whether they think it's phishing or a drill, the important thing is that they don't enter their credentials.

It's bad if users are trained to only recognize _your_ phishing attempts :-)

I'm not sure I understand which users jacques_chester is talking about. There are users that can recognize phishing, and they are entitled not to care about your teaching. And then there are those that can't recognize phishing - or perhaps don't even know about it - but I'm pretty sure any user would start caring when they find out someone else can gain access to their email/bank/facebook/whatever online service they use if they aren't careful.

To avoid training users into thinking it's another drill, perhaps it's a good idea to 'attack' them at random intervals, and wait a few months before repeating (thus giving you enough time to prepare the new attack; giving the users enough time to forget about the threat, and to account for new arrivals).
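The bookkeeping behind the "phish your own users" exercise from the top of the thread (a tokenized lure link per recipient, a landing page that records the submission and redirects to an explanation page, a follow-up count of who changed their password afterwards), combined with the random, spaced-out scheduling suggested in this comment. This is an added example, not code from any commenter; the campaign key, training-page URL, lookalike login URL, user list and dates are all constructed, and nothing here sends mail or serves HTTP.

```python
"""Bookkeeping for an internal "phish your own users" drill (added example)."""
import hashlib
import hmac
import random
from datetime import date, timedelta

# Hypothetical page that explains to the victim what they just fell for.
TRAINING_URL = "https://intranet.example.org/you-were-phished"


def make_token(key: bytes, campaign_id: str, user: str) -> str:
    """Opaque per-recipient token for the lure link.

    An HMAC rather than a bare user id: tokens cannot be enumerated or forged by
    someone who sees one lure, and the landing page can map them back to users.
    """
    return hmac.new(key, f"{campaign_id}:{user}".encode(), hashlib.sha256).hexdigest()[:32]


def plan_sends(users, last_phished, today, min_gap_days=90, window_days=30, rng=None):
    """Pick a random send date per user inside the next window_days.

    Anyone phished less than min_gap_days ago is skipped ("wait a few months");
    users with no history, i.e. new arrivals, are always included. Spreading
    sends over a window stops one mass mail from announcing the drill.
    """
    rng = rng or random.Random()
    plan = {}
    for user in users:
        last = last_phished.get(user)
        if last is not None and (today - last).days < min_gap_days:
            continue
        plan[user] = today + timedelta(days=rng.randrange(window_days))
    return plan


class Campaign:
    def __init__(self, campaign_id: str, key: bytes, send_dates: dict):
        self.id, self.key = campaign_id, key
        self.send_dates = dict(send_dates)
        self.tokens = {make_token(key, campaign_id, u): u for u in send_dates}
        self.events = []  # (user, kind, when)

    def lure_link(self, user, base="https://accounts.example.net/verify"):
        """Link for the lure mail; base is a constructed lookalike URL."""
        return f"{base}?t={make_token(self.key, self.id, user)}"

    def record_click(self, token, when):
        user = self.tokens.get(token)
        if user is not None:
            self.events.append((user, "click", when))
        return user

    def handle_submit(self, token, password, when):
        """Landing-page POST handler: redirect target, or None for an unknown
        (forged or stale) token. The password is discarded on purpose; what
        matters is that it was typed, not what it was."""
        del password
        user = self.tokens.get(token)
        if user is None:
            return None
        self.events.append((user, "submit", when))
        return TRAINING_URL

    def report(self):
        sent = len(self.tokens)
        clicked = {u for u, k, _ in self.events if k == "click"}
        submitted = {u for u, k, _ in self.events if k == "submit"}
        return {"sent": sent, "clicked": len(clicked), "submitted": len(submitted),
                "submit_rate": round(len(submitted) / sent, 3) if sent else 0.0}

    def changed_password_after(self, password_changed):
        """Victims whose directory password-change date (assumed available as
        user -> date) is later than their first credential submission."""
        first_submit = {}
        for user, kind, when in self.events:
            if kind == "submit":
                first_submit[user] = min(when, first_submit.get(user, when))
        return {u for u, d in first_submit.items()
                if u in password_changed and password_changed[u] > d}


def demo():
    """Constructed walk-through: one eligible user, one phished too recently, one new."""
    today = date(2024, 4, 1)
    users = ["alice", "bob", "carol"]
    last_phished = {"alice": date(2023, 12, 5), "bob": date(2024, 3, 20)}  # carol is new
    plan = plan_sends(users, last_phished, today, rng=random.Random(7))
    camp = Campaign("q2-drill", b"per-campaign-secret", plan)
    t_alice = camp.lure_link("alice").split("t=")[1]
    camp.record_click(t_alice, date(2024, 4, 10))
    landed = camp.handle_submit(t_alice, "hunter2", date(2024, 4, 10))
    forged = camp.handle_submit("0" * 32, "whatever", date(2024, 4, 11))
    changed = camp.changed_password_after({"alice": date(2024, 4, 12), "carol": date(2024, 3, 1)})
    return {"plan": plan, "in_window": all(0 <= (d - today).days < 30 for d in plan.values()),
            "landed": landed, "forged": forged, "report": camp.report(), "changed": changed}


if __name__ == "__main__":
    print(demo())
```

Unlike the first comment's suggestion of keeping the captured passwords, this version throws them away and only records the fact of submission; the "did they change it afterwards" question is answered from the directory's own change timestamps instead, which avoids holding a file of live credentials for the whole exercise.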

I'd rather be embarrassed by the local BOFH than be a real victim.

Just block the users you phish successfully and tell them their account has been hacked. Then they'll care.