ITS Phishing Communication Plan [INTERNAL]

Summary

When a phishing attack occurs at UW-Platteville, the following communication plan will be implemented. The plan includes instructions for ITS Communications and the ITS Help Desk manager/staff.

Body

Phase 1 – incident occurs

  • # of reports received = at least 10 (or at discretion of Help Desk Manager)
  • Action
    • HD manager (or designee)
      • Creates a Problem ticket in TDX, which notifies ITS Communications through workflow
      • Adds new reports as they are submitted
      • Updates Problem ticket as appropriate
    • Communications 
      • Consults with HD manager about whether communication needs to be posted and/or sent; factors include how fast reports are coming in, who the alleged sender is, whether there are also compromised accounts, whether the topic is particularly enticing, etc.
        • If small scale, communication may be handled 1:1 with affected account holder(s)
      • Posts alert to Pioneer Portal/Email button
      • Posts to Facebook if appropriate
      • Mocks up screenshot with tips for recognizing this particular phishing attempt (Snagit)
        • Creates and publishes KB doc with relevant tags (title = Security – EXAMPLE: Phishing attempt MM.DD.YY)
 

Phase 2 – incident escalates

  • # of reports received = at least 30 OR increases quickly OR high value "sender" OR # of compromised accounts is high (at discretion of Help Desk Manager) 
  • Action
    • HD manager
      • Alerts Communications, if interaction hasn't already been established
    • Communications
      • Sends email to all-l@uwplatt.edu (active staff, faculty, and students; guests; emeriti); may also send to targeted group, e.g., staff-l or students-l, if more appropriate
        • See template in ITS Teams site: TEMPLATE_Phishing_UWP_Portal-Kb_051724.docx
        • Same verbiage as previous posts, including action to be taken; modify as necessary to fit the situation
        • If multiple attacks occur in a short amount of time, include all in one email if possible
        • Signed: Communications person (or IT backup/designee) w/full signature
      • Posts to Facebook, if appropriate and not already done
    • Follow-up
      • Depending on situation, may send follow-up to recipients
        • Subject format: ITS Alert Update: Phishing attempt MM.DD.YY 
      • Depending on situation, post follow-up to Portal/Email button, FB

Please direct questions about this plan to Deb Meyer at meyerdeb@uwplatt.edu.