To Counter-Phish or not to Counter-Phish, that is the question


(Bryan Gonzalez) #1

My fellow system admin and I at our org are contemplating setting up a shared mailbox for counter-phishing. It should work as follows: if one of our users gets the urge to counter-phish a bad actor, they should instead forward the email to “John Doe, the fellow that usually handles these types of requests”. We then, as John Doe, attempt to request additional details from the actor in an effort to get actionable information.
Benefits include:

  • Have an easy-to-reference conversation history to provide to law enforcement
  • Offloads responsibility from the end user

However, we’re questioning what kind of liability we’re taking on by taking this approach. I’m sure this is not a novel idea, nor are we the first to suggest this, but is this a common practice?
Is this even a worthwhile endeavor?
Are we indirectly exposing ourselves to more abuse by essentially telling the actor that he’s got a live email?
Is there a case study anywhere explaining the efficacy of counter-phishing vs just ignoring them?