We get phishing scams approx. once a week and of course, usually on weekends. This is a brief rundown on how we deal with it:
* Notices on the front webmail page that we never ask for a password
* Routine email announcements reminding users we never ask for a password
* As soon as we get details of a possible phishing scam, we get the reply-to address (always different than the sender address)
* We add it to a list of blacklist recipients (we have a small patch for amavis to add a high score to a recipient address)
* We then search the logs for users that replied to the email
* Then we look in their Sent folders for the reply and verify they indeed sent the information
* If the password was sent out, we lock the accounts and change their passwords
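One way to do the log search from the steps above (an added example, not code from the original post): correlate Postfix-style log lines on their queue id so that local senders who mailed the scam's reply-to address are listed with the delivery status. The addresses, host names and log lines below are constructed.

```python
import re

# Constructed Postfix-style log excerpt (not from the original post). The scam's
# reply-to address is scammer@example.net; alice and carol replied, bob did not.
SAMPLE_LOG = """\
Mar  3 09:12:01 mx1 postfix/qmgr[2211]: 4F1A2B3C4D: from=<alice@example.edu>, size=812, nrcpt=1 (queue active)
Mar  3 09:12:02 mx1 postfix/smtp[2290]: 4F1A2B3C4D: to=<scammer@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=0.9, status=sent (250 OK)
Mar  3 09:15:44 mx1 postfix/qmgr[2211]: 5A6B7C8D9E: from=<bob@example.edu>, size=3402, nrcpt=1 (queue active)
Mar  3 09:15:45 mx1 postfix/smtp[2290]: 5A6B7C8D9E: to=<colleague@example.org>, relay=mail.example.org[198.51.100.7]:25, delay=1.1, status=sent (250 OK)
Mar  3 09:20:10 mx1 postfix/qmgr[2211]: 6B7C8D9E0F: from=<carol@example.edu>, size=790, nrcpt=1 (queue active)
Mar  3 09:20:11 mx1 postfix/smtp[2290]: 6B7C8D9E0F: to=<scammer@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=30, status=deferred (connect timed out)
"""

# Postfix logs one message across several lines, each tagged with the queue id.
FROM_RE = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>\w+): from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>\w+): to=<(?P<addr>[^>]*)>.*status=(?P<status>\w+)")


def find_repliers(log_text, reply_to, local_domain):
    """Return {sender: delivery_status} for local users who sent mail to reply_to.

    A 'deferred' entry is still worth acting on: the reply is queued and may
    be delivered later, so the account should be treated as compromised too.
    """
    senders = {}   # queue id -> envelope sender
    hits = {}      # queue id -> status of delivery to the reply-to address
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            senders[m.group("qid")] = m.group("addr").lower()
            continue
        m = TO_RE.search(line)
        if m and m.group("addr").lower() == reply_to.lower():
            hits[m.group("qid")] = m.group("status")
    # Correlate on queue id and keep only senders from our own domain.
    result = {}
    for qid, status in hits.items():
        sender = senders.get(qid, "")
        if sender.endswith("@" + local_domain.lower()):
            result[sender] = status
    return result


if __name__ == "__main__":
    for user, status in find_repliers(SAMPLE_LOG, "scammer@example.net", "example.edu").items():
        print(f"{user}: {status}")
```

The users returned are the ones whose Sent folders get checked in the next step.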