Slashdot is having a really pretty sensible discussion of an issue which has been of concern to me in the last week or two, as I run a mail server in that institution.
We've had a few Google Docs phishing scams come around at our university, and if ITS responded by blocking access to Google Docs there would be hell. The number of group projects I have that are relying on it to co-write papers and maintain our data.... If an assignment were late because people couldn't access the documents at the time they had free to work on them, it would be no small deal.
I think the broader question is interesting though: how to stop people from getting phished. I think IT people have a tendency to just think "it is as easy as not being stupid," and that opinion is expressed at least once in that discussion. Claiming that people who fall for scams that get past their spam filters are stupid is like claiming that people who don't catch grammar mistakes their word processor doesn't catch are stupid. It is easy to see glaring mistakes when you are an expert, but most users are not experts in this and have passed the responsibility to someone else, and that is where some of the problem lies.
Last year one of my classes did a design jam* on this topic. Our task was to develop a solution to people clicking on phishing scams (in particular ones which had a "this might be a scam" warning on top, which people still click on at alarming rates). My team's (winning) solution was a university-wide campaign leveraging the group identity of being a member of the university to reinforce that being careful about email messages is a shared value. We made use of our school rivalry to rename "getting phished" to "getting Buckeyed" and developed major-specific messages which would resonate with specific values held by subgroups of our population (for example, the one for English majors focused on close reading and analysis). Then we had the pop-over warning use the phrase "don't get Buckeyed" to force a recollection of the rest of the campaign. The last part, though, was the weakest part of our plan for two reasons.
First, since our email is maintained by Google, I am not sure our ITS department could change the text of that message if they wanted to, and second, I still feel that having warning messages on some scams makes it more likely that people will fall for scams which have not been tagged with a warning. I think seeing a message like that reinforces that someone else is checking your messages for scams and so you don't need to be as vigilant, but it is inevitable that some scams will get through.
Solutions which just reinforce "don't ever give out personal information based on an email" also don't work, because we frequently do have to give out personal information based on emails. It just requires us to log into a secure and trusted site to do it, not to enter the data into an online form. Once a year my university emails me to remind me to update my emergency contact information. They are emailing me to ask me for personal information. But, instead of a link to a form, I am required to go to the university website and log in. Simple rules have simple workarounds for scammers. What is needed is a way to get users to think critically about each email.
Another solution offered there was "name and shame," which the poster's boss is right to be against. The number one rule pounded into my head in my Social Influence class (the one this design jam was for) was DON'T SHOW PEOPLE DOING THE BEHAVIOR YOU WANT TO DISCOURAGE. If you publish a list of people who have been scammed, or even tell people "yesterday 307 people were phished, you should be more careful!", you are reassuring them that this is normal, that it happens, and so if it happens to them they are not alone. It is miles more effective to make people feel like this is a behavior which is abnormal and which makes them different from most people. If there is one thing people hate, it is to stick out as being 'worse' than their peers.
It is actually really difficult to develop a campaign which avoids showing an unwanted behavior: smoking, texting and driving, underage drinking.... PSAs about these almost always show someone doing the thing that is unwanted, and frequently they are the only person in the ad.
Anyways, I have gone off on a really long rant now, and I want some lunch.
*I don't know if the phrase "design jam" is common outside of iSchools, or even outside of my school for that matter. It is a casual, short brainstorming contest meant to find solutions to real-world problems. Teams of people with different expertise brainstorm, then develop a solution, get input from the larger group, and then redevelop. At the end all potential solutions are presented and voted on.