Anti-phishing e-mail from MIT exemplifies how organizations train people to fall for phishing attempts

The famed research university, the Massachusetts Institute of Technology, would rather spy on its students, staff, professors, contractors and the like than keep them safe from scammers and phishers trying to steal their information.

They sent everyone an e-mail where every link to more information has exactly the kind of URL you should look at and never, not ever click.

On Thu, Nov 3, 2016 at 3:56 PM, John Charles <> wrote:____

John Charles, Vice President for Information Systems and Technology____

Dear MIT faculty and staff,____

Over the past three years, Information Systems and Technology (IS&T) has
taken many steps to enhance the safety and security of MIT's information
technology (IT) infrastructure. With guidance from the Information
Technology Governance Committee
(ITGC), we have examined how we deliver network services to the
community. We have modified practices to establish a higher level of
resilience for our network while accommodating the needs of our faculty,
students and staff.____

The Information Protection @ MIT
website provides easy access to policies, resources and guidance related
to safeguarding sensitive data at the Institute. The site also provides
information to help community members protect their own personal data.
Resources at the Training
tab will help you understand the Institute policies and procedures that
need to be followed to comply with local and federal legislation related
to data protection.____

Additionally, the Tools
tab lists several software tools and services to help you find, delete,
or protect sensitive information. You can keep your machine clean by
using the CrowdStrike Falcon anti-malware service; protect your
passwords using the LastPass password management tool; find and redact
sensitive data using Spirion (formerly Identity Finder); and encrypt
your data using FileVault or BitLocker. All of these tools are available
to MIT community members at no cost.____

Connect with care – when in doubt, throw it out. This year has seen an
increase in phishing
emails and ransomware
attacks. Cybercriminals try to infect your device by getting you to
click on links within emails. If an email looks suspicious, delete it.
These scams provide yet another compelling reason to back up your files
using the cloud-based CrashPlan

Various units across MIT share responsibility for maintaining records
and providing oversight. Faculty and staff who create, transmit, or
store sensitive data
can learn best practices by watching a series of brief videos
on desktop, Internet and data security. David LaPorte
<>, who directs IS&T’s security programs, is
available to answer specific questions or offer guidance on recommended


John Charles____

One of the very links in this e-mail hidden behind the ridiculous domain (but which redirects to content from the MIT page ) has this advice for spotting the danger of a phishing e-mail:

“Includes a hyperlink that has an odd looking URL (for instance with a foreign country as the domain, or trying to match a legitimate web address but spelled differently)”

I didn’t realize we’re dealing with the Vice President for Information Systems and Technology. They really do have to be made to understand that they are teaching people to fall for phishing e-mails by not using at least an MIT domain tracking/redirect service instead of — it’s foreign and it looks like it’s trying to impersonate MIT. It is exactly what their own advice says is a warning sign for a phishing e-mail! And then when they say just kidding, trust it when it’s from us, all their advice is worse than wasted, and some nuclear-security-clearance researcher at MIT is going to accidentally give secrets to the Russians before Trump does.

(Narrator: It was not possible to make MIT understand how wrong it is to send e-mails like this.)

Dear John Charles, I was hesitant to click on the CrashPlan link because when I moused over it showed a strange link that I did not trust.

Is there a way to easily ascertain its veracity?

Response (from David LaPorte <> )

Thank you for the feedback and for your keen eye. The links in this communication were instrumented for analytical purposes, for us to better understand how well the email was received and if any of the included links were explored. All links in the email are safe to click on – thank you again for your concern and caution!

So i repeat: Massachusetts Institute of Technology would rather spy on people than help keep them safe from scammers and phishers trying to steal their information.