Summary of the blog posting:
Google Docs forms are being used in phishing attacks against stupid users. We closed down Google Docs. It didn't work and we had to open it up again after 2.5 hours.
Unfortunately, there are no easy solutions to so-called phishing attacks other than educating users. I would recommend that the IT dept. dedicate its considerable resources and creativity to that end, and try to minimize use of the shotgun approach in the future!
The only effective solution is to educate users, but that in itself is a difficult task.
Phishing attacks rely on users being gullible / distracted / ignorant. Telling users _not_ to be any of these usually results in angry answers such as "Are you implying I am stupid !?", and the important part of the dialogue where you explain things to be wary of is completely ignored.
Another way to communicate these things is to _phish your own users_. Email them a fishy message ultimately asking them for their password, for instance, the same way an attacker would. Of course, some phishing emails / sites look incredibly legit, but in my experience most have noticeable deficiencies. If your users can spot at least those, then they can protect against a good number of attacks.
Once the victim falls for the trap, redirect them to a page explaining how they were tricked, and showing what they need to pay attention to.
You even get their passwords, so that you can do some analysis and see how many will change it following the 'incident'.
It's bad if users are trained to only recognize _your_ phishing attempts :-)
I'm not sure I understand which users jacques_chester is talking about.
There are users that can recognize phishing, and they are entitled not to care about your teaching. And then there are those that can't recognize phishing - or perhaps don't even know about it - but I'm pretty sure any user would start caring when they find out someone else can gain access to their email/bank/facebook/whatever online service they use if they aren't careful.
To avoid training users into thinking it's another drill, perhaps it's a good idea to 'attack' them at random intervals, and wait a few months before repeating (thus giving you enough time to prepare the new attack; giving the users enough time to forget about the threat, and to account for new arrivals).
I'd rather be embarrassed by the local BOFH than be a real victim.
This is a British university, not Goldman Sachs. The action was a dramatic, low-cost effort to get users' attention, educating users, if you like (from OP):
> While this wouldn’t be effective for users on other networks, in the middle of the working day a substantial proportion of users would be on our network and actively reading email. A temporary block would get users’ attention and, we hoped, serve to moderate the “chain reaction”.
I took that to mean, we were planning a longer term outage, but when it inconvenienced Someone Important, we were forced to reinstate the service, and to cover our rears, we're now claiming it was planned as a 2-hour outage from the very start.