
NCSAM 2018 – Beware of the Phish

National Cyber Security Awareness Month (NCSAM) 2018

According to Verizon’s 2017 Data Breach Investigations Report, the education sector saw a rise in social engineering–based attacks. Students, staff, and faculty all suffered losses when personal data and research were disclosed to unauthorized parties. Phishing played a part in more than 40% of these breaches. Knowing what you’re up against can help you be more secure. Here are a few things you can do to guard against phishing attacks:

    • Don’t click! If you believe an email message is a form of social engineering such as a phishing attempt, forward the email as an attachment to abuse@sulross.edu. If you don’t trust the e-mail (or text message), don’t trust the links in it either. Beware of links that are hidden by URL shorteners or text like “Click Here.” They may link to a phishing site or a form designed to steal your username and password. If you do click on a link and end up at a site you believe is attempting to steal your LoboID and password, stop immediately and contact LTAC.
    • Limit what you share online. The less you share about yourself, the smaller the target you are for a phishing attack. Cybercriminals use information you post online to learn how to gain your trust. Consider even the information posted on your department’s public website. This is a primary source for cybercriminals to figure out how to contact you and your coworkers.
    • Protect your credentials. No legitimate company or organization will ask for your username and password or other personal information via e-mail. Neither will OIT. Still not sure if the e-mail is a phish? Contact LTAC or the Office of the CIO.
    • Beware of attachments. E-mail attachments are a common vector for malicious software. When you get a message with an attachment, delete it—unless you are expecting it and are absolutely certain it is legitimate.
    • Confirm identities. Phishing messages can look official. Cybercriminals steal organization and company identities, including logos and URLs that are close to the links they’re trying to imitate. There’s nothing to stop them from impersonating schools, financial institutions, retailers, and a wide range of other service providers. If you can, contact the individual who supposedly sent the email through another means and verify whether or not the email is legitimate.
    • Trust your instincts. If you get a suspicious message that claims to be from an agency or service provider, use your browser to manually locate the organization online and contact them via their website, e-mail, or telephone number.
    • Check the sender. Check the sender’s e-mail address. Any correspondence from an organization should come from an organizational e-mail address. A notice from your college or university is unlikely to come from YourIThelpdesk@yahoo.com.
    • Take your time. If a message states that you must act immediately or lose access, do not comply. Phishing attempts frequently threaten a loss of service unless you do something. Cybercriminals want you to react without thinking; an urgent call to action makes you more likely to cooperate.


    • Continue to stay vigilant and send any phishing messages you receive as an attachment to abuse@sulross.edu. Your input is valuable as we look at and evaluate each instance to determine an appropriate course of action.
    • If you need assistance or have questions, you may contact LTAC at techassist@sulross.edu, 432-837-8888, x.8888, or toll free at 888-837-2882.

Learn What It Takes to Refuse the Phishing Bait!

Cybercriminals know the best strategies for gaining access to your institution’s sensitive data. In most cases, it doesn’t involve them rappelling from a ceiling’s skylight and deftly avoiding a laser detection system to hack into your servers; instead, they simply manipulate a community member.

According to IBM’s 2014 Cyber Security Intelligence Index, human error is a factor in 95 percent of security incidents. Following are a few ways to identify various types of social engineering attacks and their telltale signs.

  • Phishing isn’t relegated to just e-mail! Cybercriminals will also launch phishing attacks through phone calls, text messages, or other online messaging applications. Don’t know the sender or caller? Seem too good to be true? It’s probably a phishing attack.
  • Know the signs. Does the e-mail contain a vague salutation, spelling or grammatical errors, an urgent request, and/or an offer that seems impossibly good? Click that delete button.
  • Verify the sender. Check the sender’s e-mail address to make sure it’s legitimate. If it appears that your institution’s help desk is asking you to click on a link to increase your mailbox quota, but the sender is “UniversityHelpDesk@yahoo.com,” it’s a phishing message.
  • Don’t be duped by aesthetics. Phishing e-mails often contain convincing logos, links to actual company websites, legitimate phone numbers, and e-mail signatures of actual employees. However, if the message is urging you to take action — especially action such as sending sensitive information, clicking on a link, or downloading an attachment — exercise caution and look for other telltale signs of phishing attacks. Don’t hesitate to contact the company directly; they can verify legitimacy and may not even be aware that their name is being used for fraud.
  • Never, ever share your password. Did we say never? Yup, we mean never. Your password is the key to your identity, your data, and your classmates’ and colleagues’ data. It is for your eyes only. Your institution’s help desk or IT department will never ask you for your password.
  • Avoid opening links and attachments from unknown senders. Get into the habit of typing known URLs into your browser. Don’t open attachments unless you’re expecting a file from someone. Give them a call if you’re suspicious.
  • When you’re not sure, call to verify. Let’s say you receive an e-mail claiming to be from someone you know — a friend, colleague, or even the president of your college or university. Cybercriminals often spoof addresses to convince you, then request that you perform an action such as transfer funds or provide sensitive information. If something seems off about the e-mail, call them at a known number listed in your institution’s directory to confirm the request.
  • Don’t talk to strangers! Receive a call from someone you don’t know? Are they asking you to provide information or making odd requests? Hang up the phone and report it to the help desk.
  • Don’t be tempted by abandoned flash drives. Cybercriminals may leave flash drives lying around for victims to pick up and insert, thereby unknowingly installing malware on their computers. You might be tempted to insert a flash drive only to find out the rightful owner, but be wary — it could be a trap.
  • See someone suspicious? Say something. If you notice someone suspicious walking around or “tailgating” someone else, especially in an off-limits area, call campus safety.

Think Before You Click

Phishing attempts are fraudulent email messages that appear to come from legitimate enterprises (e.g., your university, your Internet service provider, your bank). These messages direct you to divulge private information (e.g., passphrase, credit card, or other account updates).

These scams are designed to induce panic in the reader. They attempt to trick recipients into responding or clicking immediately, by claiming they will lose something (e.g., email, bank account). Such a claim is always indicative of a phishing scam, as responsible companies and organizations will never take these types of actions via email.

Things to know and remember when opening ANY e-mail that is asking you to provide information:
– No reputable organization, including OIT, will ever ask you for confidential information via e-mail.
– Never respond to an e-mail from a source you are not 100 percent sure of. When in doubt, call them.
– Always check the authenticity of a Web site before you provide any of your personal information.
– Never click on a link in a suspicious e-mail because it may take you to a malicious site. Open a new browser window and type in the link manually.
– Phishing e-mail will often have a sense of urgency. (“Your account will be closed if you don’t…” etc.) They may also contain strange words, misspelled words, or unusual or awkward phrasing to help them avoid spam-filtering software.
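As an added example (not code from the OIT posts above), here is a small Python rule checker that looks for the telltales these lists describe in one raw e-mail: a sender domain outside the institution's, an attachment, a shortened or “Click Here” link, urgency wording, a generic salutation, and a request for credentials. The trusted-domain set, the shortener list and the sample message are constructed assumptions, not values from the page beyond the yahoo.com help-desk scenario it mentions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the institution sends only from these domains,
# and these public shorteners hide a link's real destination.
TRUSTED_DOMAINS = {"sulross.edu"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
TAG = re.compile(r"<[^>]+>")
LINK = re.compile(r"<a\s[^>]*href=[\"']?(https?://[^\"'\s>]+)[^>]*>(.*?)</a>", re.I | re.S)
# Telltales the page lists, matched against the tag-stripped body text.
TEXT_RULES = {
    "urgency": re.compile(r"\b(immediately|within \d+ hours?|will be (closed|suspended|deleted)|lose access)\b", re.I),
    "generic-salutation": re.compile(r"^\s*(dear|hello|hi)\s+(user|customer|member|account holder|valued)\b", re.I | re.M),
    "asks-for-credentials": re.compile(r"\b(password|passphrase|username|login credentials)\b", re.I),
}

def indicators(raw_message):
    """Return the sorted names of the phishing telltales found in one raw e-mail."""
    msg = message_from_string(raw_message)
    hits = set()
    # "Check the sender": an institutional notice from a webmail domain is a red flag.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain and sender_domain not in TRUSTED_DOMAINS:
        hits.add("sender-domain-mismatch")
    # "Beware of attachments": any MIME part that carries a filename counts.
    if any(part.get_filename() for part in msg.walk()):
        hits.add("attachment")
    html = "\n".join(part.get_payload(decode=True).decode(errors="replace")
                     for part in msg.walk() if part.get_content_maintype() == "text")
    # "Don't click!": shorteners and "Click Here" text hide where a link really goes.
    for href, anchor in LINK.findall(html):
        if re.match(r"https?://([^/:]+)", href, re.I).group(1).lower() in SHORTENERS:
            hits.add("shortened-link")
        if re.fullmatch(r"\s*click\s+here\s*", TAG.sub("", anchor), re.I):
            hits.add("hidden-link-text")
    text = TAG.sub(" ", html)
    hits.update(name for name, rule in TEXT_RULES.items() if rule.search(text))
    return sorted(hits)

# Constructed sample modelled on the page's "UniversityHelpDesk@yahoo.com" scenario.
SAMPLE_PHISH = """\
From: IT Help Desk <universityhelpdesk@yahoo.com>
Subject: Mailbox quota exceeded
Content-Type: text/html

<p>Dear User,</p>
<p>Your mailbox will be closed within 24 hours unless you verify your
username and password now. <a href="https://bit.ly/EXAMPLE">Click here</a></p>
"""
```

Calling `indicators(SAMPLE_PHISH)` flags all six telltales at once, while a plain maintenance notice from a sulross.edu address with no links and a named greeting flags none.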

With the recent rise in phishing activity, be suspicious of any email message that asks you to enter or verify personal information through a website or by replying to the message itself.