Social hacks and Fire Drills: I told you so edition

Last year, I suggested that it would be an awfully good idea for the University, and other folks, to run phishing drills. Send out an email to staff typical of a social hack phishing expedition looking for user name and password details, see who replies, commence the beatings, then repeat until nobody needs beatings anymore.

Shame nobody listens. In today's inbox:

Dear All,

Last night an external agency used a staff member’s username and password to set up a large spam broadcast using our Exchange email servers which has resulted in a backlog of messages on our email gateway.

The spamming process has now been disabled but it will take some time before our queues return to a normal state (by 3.00pm). Meanwhile, you may experience delays in delivery and receipt of external emails; this includes messages sent to and from UC student accounts. Moreover, it is possible that some of our emails will be rejected as our email exchange has been blacklisted.

Please note that this incident occurred because a staff member responded to an email asking for their username and password. The email looked as though it came from an official or trustworthy source such as ICT Services. Be assured that ICT Services would never request a username and password by email; nor do any other trustworthy source such as banks.

Although no emails have been lost; I would wish to apologise for any inconvenience that this spam attack has caused.

We run fire drills every semester. Why oh why aren't we running phishing drills?