Internal Email Restrictions and Effect on Cold Emailing

Started by polly_mer, February 18, 2021, 07:31:34 AM


polly_mer

I hit a new problem this week: I was scolded for engaging with phishing by turning down a speaker invitation.  The clear message was to never respond to any individual whom I don't personally know.

This was a speaker invitation for a group in the nearest big city as a virtual webinar.  I get such emails a few times a month as a person who does outreach and a woman in a very male-dominated field.  They asked for no information and had no links in the email.  It was simply a request to speak in the near future.  I responded no because I'm overbooked.  There was a follow-up email with much verbiage on what the group does and won't I reconsider?  I responded with a request to be taken off the list.

Today's morning email was from our IT department scolding me for interacting with the phishing email that turned out to have been spammed to hundreds of people here.  The IT department listed generic ways that one can tell a phish.  None of those generic ways applied to this email; this was just like the emails I frequently receive from smaller groups who have encountered some of my interesting-to-the-general-public outreach.

Several posts I've read lately in various social media bemoan professors, administrators, and other professionals not responding to email requests and asserting the reason is the recipients being too arrogant to engage.  Why doesn't someone respond to your email as a prospective student, collaborator, or organizer?  Well, I won't be responding any more because it's not worth the aggravation of dealing with the internal phishing police.  I will just quietly delete everything.  Sorry.
Quote from: hmaria1609 on June 27, 2019, 07:07:43 PM
Do whatever you want--I'm just the background dancer in your show!

Ruralguy

Or, you can simply reply from a gmail account.
polly_mer

Quote from: Ruralguy on February 18, 2021, 08:24:14 AM
Or, you can simply reply from a gmail account.

Using a personal account for professional correspondence is also breaking a rule with consequences up to being fired, especially if doing so is to circumvent an internal rule.

Ruralguy

Well, I give up. No use in fighting stupid rules implemented by people who can probably fire you or make life difficult fairly easily if they so desired.

bopper

If it was so obvious it was phishing why didn't they block it?

ciao_yall

How do they know it was a phish? Might have just been a mass email.

Aster

That IT department is clearly blameshifting their own performance shortfalls onto others.

Durchlässigkeitsbeiwert

Quote from: Ruralguy on February 18, 2021, 11:35:31 AM
Well, I give up. No use in fighting stupid rules implemented by people who can probably fire you or make life difficult fairly easily if they so desired.
An e-mail with a malicious link is a yesteryear problem.
The current issue of concern is the use of "social engineering" to gain a foothold in the system.
In this context, continued e-mail exchange, even through non-work e-mail, compromises security.

My industry employer has a very similar set of policies. They also regularly send phishing e-mails to employees to check if they get the expected response (I wonder if this was the case here as well).

polly_mer

Quote from: Durchlässigkeitsbeiwert on February 18, 2021, 04:38:31 PM
Quote from: Ruralguy on February 18, 2021, 11:35:31 AM
Well, I give up. No use in fighting stupid rules implemented by people who can probably fire you or make life difficult fairly easily if they so desired.
An e-mail with a malicious link is a yesteryear problem.
The current issue of concern is the use of "social engineering" to gain a foothold in the system.
In this context, continued e-mail exchange, even through non-work e-mail, compromises security.

My industry employer has a very similar set of policies. They also regularly send phishing e-mails to employees to check if they get the expected response (I wonder if this was the case here as well).

We have certainly had tests before and we all get more training when too many people fail the tests.

Vkw10

Our IT department does things we've been told to be wary of, because it's likely a phishing attempt. Last week, I received an email informing me that I need to click here to confirm my subscription to the IT blog for faculty. I haven't signed up for said blog, so I reported it as phishing. It wasn't phishing, just an attempt to up the blog's faculty audience.
Enthusiasm is not a skill set. (MH)

Mobius

I've been scolded for replying to an ambiguous message. The solution is educating people on what info to disclose, not on whether they should reply or not. I'm fine telling someone I am interested in a book. I'm not giving out my CC number or password, though.

jerseyjay

My employer regularly requires various online training (Title IX, what to do in mass shootings, how to prevent COVID, etc.) which are provided by third-party vendors (which seem to change every year). Every year these third-party vendors send out a generic email which directs us to an email site and asks us for our login credentials. Each year I forward the email to the IT department asking if they are phishing attempts. They are not, but they are written in such a way that actually makes one wonder.

In terms of using personal email, I use my school email for everything directly school related (schedules, talking to students, committee work, etc.) but use my gmail account for things that are research related, not so much to circumvent rules, but to make sure that I have all my correspondence in case I switch jobs.

AvidReader

My employer two jobs back did something similar to jerseyjay's. I once received an email purportedly from IT with poor spelling and poor grammar urging me to click on a link for mandatory trainings or else I would lose access to all my university accounts. Spoiler alert: it was actually from IT, and I was reamed out for forwarding it to the fraud alert people, and--sort of like polly_mer--sent a list of ways I could distinguish this email from "real" phishing attempts, which would have poor spelling, poor grammar, and dubious external links with overhyped warnings. Sigh.

AR.

Ruralguy

Thankfully, my institution doesn't really care too deeply about this issue. I mean they certainly try to block such things and send out warnings regarding phishing attempts. But I highly doubt anyone here is purposely trying to pseudo-phish their own colleagues just to prove--what exactly?

I guess sometimes it helps to be at a podunk dinky school with almost no red tape and certainly no teams of IT people with so little to do that they purposely invent ways to put their own colleagues' heads on spikes. Yay them.  Of course, said podunk school would have to survive for 10-15 more years for me to really say it was totally worth it.

Puget

Our IT department was actually forced to apologize because someone thought it was a good idea last spring to run a phishing "test" with a very realistic email telling us to fill out a google form (we're a google campus and google forms are used for official purposes all the time) related to the COVID response-- the form link then took us to a scolding message about detecting phishing, almost none of which things were present in the test email. People were not amused.
"Never get separated from your lunch. Never get separated from your friends. Never climb up anything you can't climb down."
–Best Colorado Peak Hikes