Phished passwords an expensive catch
When someone responds to a phishing e-mail and gives up a password, it costs the laboratory a lot of time and money.
A multitude of people at the laboratory become involved in addressing the problem, including the incident response team, security team, Service Desk employees, the system manager and the user who gave up the password.
It costs the laboratory an estimated $2,000 each time a password gets revealed to phishers. That cost does not account for the embarrassment of having the account used to spam other organizations. It also is really inconvenient for the user, and the user may lose some personal information from the e-mail messages. So why do people keep replying to phishing e-mails that ask for their passwords?
People trust authority and phishing e-mails are crafted to sound like they come from someone in authority: webmasters, the e-mail team, the Service Desk or the security team. It’s easy to make e-mail look authentic, unlike brick-and-mortar type traditional institutions that we’ve come to trust, such as banks and ATMs. No one would go to the expense of building a façade that looked like a real bank so they could get you to deposit your money, but it’s easy to make e-mail look like it comes from someone you trust. But it doesn’t matter whether e-mail looks authentic, or whether it actually comes from someone you trust, don’t ever give up your password.
The lesson is to NEVER reveal any of your passwords to anyone. If you inadvertently do give up your password, notify the Service Desk immediately and tell them what happened so they can help you reset your password and notify computer security.
-- Mark Leininger, computer security manager