
Hello All,


I am looking to develop a new strategic plan around reducing the number and impact of phishing attacks.  I am looking for ideas and suggestions as to what has worked well in the college/university environment.  Are there any education strategies that have worked well for you? What technical controls have you found successful?  Do you have a strategic plan that you don’t mind sharing?  What is your strategy when a phishing attack makes it through your technical controls?  Do you use products like PhishMe, and what do you think of that approach?


I know this is a problem that most, if not all, of us face.  Anything that you can share that has been successful at your institution would be greatly appreciated.



Ken Ihrer

Chief Technology Officer

Department of Information Technology

524 West 59th Street, Suite L2.63.20

New York City, NY  10019

Tel. 212.237.8789

Fax. 212.237.8015



We ask that all technology services, issues and inquiries be initiated through the DoIT Helpdesk. Visit our self-service page at, email at, or call us at 212.237.8200



********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at



Good afternoon,


We use Cisco IronPort. It seems to be working really well for us. Weekly we receive about 1 million threat messages, and our system is able to stop those. An occasional message creeps through (procedure below), but we found in a recent incident that the IronPort system was able to recognize it and start to auto-quarantine the messages. I receive a weekly automated report summary showing what messages were stopped by reputation filtering, what messages were stopped as invalid recipients, spam detected, virus detected, stopped by content filter, and then CLEAN messages.


Example – week of 9/13-9/19 – 1,073,871 threat messages (split up in percentages by message category) and 142,050 clean messages. It also shows a daily breakdown and the top originating domains for threat and clean. (FYI, I’m copied on this report because it fascinates me, so I requested to be copied on it.)


This week a phishing attempt got through at 11:02am on 9/25. Looking through the IronPort file, shortly thereafter the system itself began quarantining the bulk of the messages.


Our procedure for phishing:



Procedure for Responding to Phishing Attacks

1.      The ITS resource that has been made aware of the phishing attempt should open a ticket in the name of the customer who contacted ITS.  The ticket must contain:

a.       The full header of the original email.

b.      The message text of the original email.

2.      The ticket is assigned to the Network Group.

3.      The Network Group reviews the header of the original email and the message text.

4.      If the Network Group confirms that this is a phishing attempt, the Network Group blocks incoming and outgoing email to the address listed in the header of the original email on the IronPort and on Gmail.

5.      The Network Group resolves the original ticket.

6.      The Network Group reviews the IronPort message tracking function to find all users who responded to the phishing attempt prior to the address being blocked.

a.       For each user who responded to the phishing attempt, the Network Group will open a ticket in the user’s name with the brief description: “Account disabled due to response to phishing attempt”

b.      The Network Group will disable all accounts through the IDM interface and document this action in the ticket.

c.       The Network Group will reset all passwords through the IDM interface and document this action in the ticket.

d.      The Network Group will assign the ticket to the Help Desk.

e.       The Help Desk will attempt to contact the user during business hours.

f.       Once the user has been contacted, the Help Desk will provide education to the user regarding phishing attacks.

g.       The Help Desk will follow standard procedure to reset the user’s password.

h.      The Help Desk will open a sub-task and assign it to the Network Group to enable the user’s accounts.

        i.      During business hours, the Help Desk should contact the Network Group POC by phone to request that the sub-task be addressed promptly.

i.        The Help Desk will advise the user to change any personal, non-work related accounts that use their older password.

7.      The Network Group reviews the IronPort quarantine to find all users who responded to the phishing attempt after the address was blocked.

a.       The Network Group will compile a list of all such users and forward this list to the Director of Client Services (Help Desk) and the Chief Information Officer.

b.      The Director of Client Services (Help Desk) will determine what education may be required of these users.


Hope this is helpful. Happy to answer any additional questions. We are just now starting to try to educate our community about how we manage phishing attacks and just how many we get daily/weekly. This is a calculated communication as the campus hasn’t focused too much on security in the past so we’re evaluating, implementing and communicating heavily.




Paige Francis, CIO

Fairfield University


Follow me: Twitter | LinkedIn

Fairfield University Technology News:


CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.
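The two data-driven steps in the procedure above (step 4, deciding which address in the header to block, and steps 6 and 7, splitting responders into those whose reply left before the block and those whose reply was caught afterwards) can be scripted. The following is an added example written for this page, not IronPort or Fairfield University code; the reported message, the outbound tracking log and its column layout, the campus domain and the block time are all constructed for illustration. One detail worth noting: the visible From: on a phish is often the institution's own help-desk address, so the script blocks the Reply-To and Return-Path mailboxes and only adds From: when it is outside the local domain, rather than blocking the spoofed campus address.

```python
"""Phishing triage helper: pick the addresses to block from a reported message,
then split users who wrote to them into a disable/reset list and an education list.
Added example; log format, addresses and times are constructed, not real data."""
from datetime import datetime
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of the full header + body a user forwards to the help desk.
REPORTED_MESSAGE = """\
Return-Path: <helpdesk-verify@example.net>
Received: from mail.example.net ([203.0.113.5]) by mx.campus.example.edu
 with ESMTP; Thu, 25 Sep 2014 11:02:13 -0400
From: "Campus IT Help Desk" <it-support@campus.example.edu>
Reply-To: helpdesk-verify@example.net
Subject: Your mailbox quota has been exceeded
Date: Thu, 25 Sep 2014 11:01:58 -0400

Click here and confirm your username and password to keep your account active.
"""

LOCAL_DOMAIN = "campus.example.edu"          # assumed campus domain
BLOCK_TIME = datetime(2014, 9, 25, 11, 20)   # assumed time the block went in (step 4)


def phishing_addresses(raw, local_domain=LOCAL_DOMAIN):
    """Addresses a reply or bounce would actually reach, i.e. what to block.
    Reply-To and Return-Path are always the phisher's; From is included only
    when it is not a spoofed address in our own domain."""
    msg = message_from_string(raw)
    targets = set()
    for hdr in ("Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(hdr, ""))[1].lower()
        if addr:
            targets.add(addr)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    if from_addr and not from_addr.endswith("@" + local_domain):
        targets.add(from_addr)
    return targets


def spoofed_from(raw):
    """True when the visible From: domain differs from where replies go."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", from_addr))[1].lower()
    return from_addr.split("@")[-1] != reply_to.split("@")[-1]


# Constructed outbound message-tracking log (not IronPort's format):
# timestamp, sender, recipient, disposition.
TRACKING_LOG = """\
2014-09-25T11:05:10 jdoe@campus.example.edu helpdesk-verify@example.net delivered
2014-09-25T11:09:42 asmith@campus.example.edu helpdesk-verify@example.net delivered
2014-09-25T11:10:03 asmith@campus.example.edu colleague@campus.example.edu delivered
2014-09-25T11:31:55 bjones@campus.example.edu helpdesk-verify@example.net quarantined
2014-09-25T12:14:20 jdoe@campus.example.edu helpdesk-verify@example.net quarantined
"""


def responders(log, targets, block_time=BLOCK_TIME):
    """Step 6: senders whose reply left before the block (disable + reset).
    Step 7: senders whose reply was caught after the block (education only).
    A user on both lists is reported only on the disable list."""
    before, after = set(), set()
    for line in log.splitlines():
        ts, sender, rcpt, _disposition = line.split()
        if rcpt.lower() not in targets:
            continue
        when = datetime.fromisoformat(ts)
        (before if when < block_time else after).add(sender.lower())
    return sorted(before), sorted(after - before)


if __name__ == "__main__":
    targets = phishing_addresses(REPORTED_MESSAGE)
    print("block:", sorted(targets), "| From spoofed:", spoofed_from(REPORTED_MESSAGE))
    disable, educate = responders(TRACKING_LOG, targets)
    print("disable and reset:", disable)
    print("education only:", educate)
```

Run as-is it prints the single external mailbox to block, flags the From: as spoofed, and produces two accounts for the disable/reset tickets and one for the education list. Pointing `TRACKING_LOG` at a real export only requires adapting the four-column split to the gateway's actual message-tracking fields.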



Thank you, Paige.  When I was at Temple University I brought in IronPort, and the product did work very well.  At John Jay we are using Proofpoint, and it works fairly well, too.


Currently, I am working on a University-wide task force to address this for our 22 schools.  There are various technologies in place through the colleges, and each does a fairly good job at stopping mass phishing attacks.  Spear phishing is a little more tricky, but regardless of technology we are going to have some slip through.  That is where I hope to strengthen our strategy the most.  As the attacks become more and more sophisticated, how can we be more proactive in stopping the phisher’s ultimate goal of obtaining NPI from the unsuspecting user?  Your process seems to work effectively in stopping the problem fairly quickly and follows up with personal education – I like that.  It seems to me that if I could just get it through to our users that “we” will never ask for their credentials, that would go a long way, but just when I think that is the answer I see how ready some users are to give up credentials to the first tech that comes to work on a problem.


Thanks for your response.  I look forward to hearing what everyone is doing.




Ken Ihrer