
NCSAM 2018 – Beware of the Phish

National Cyber Security Awareness Month (NCSAM) 2018

According to Verizon’s 2017 Data Breach Investigations Report, the education sector saw a rise in social engineering–based attacks. Students, staff, and faculty all suffered losses when personal data and research were disclosed to unauthorized parties. Phishing played a part in more than 40% of these breaches. Knowing what you’re up against can help you be more secure. Here are a few things you can do to guard against phishing attacks:

    • Don’t click! If you believe an email message is a form of social engineering such as a phishing attempt, forward the email as an attachment to abuse@sulross.edu.  If you don’t trust the e-mail (or text message), don’t trust the links in it either. Beware of links that are hidden by URL shorteners or text like “Click Here.” They may link to a phishing site or a form designed to steal your username and password.  If you do click on a link and end up at a site you believe is attempting to steal your LoboID and password, stop immediately and contact LTAC.
    • Limit what you share online. The less you share about yourself, the smaller the target you are for a phishing attack. Cybercriminals use information you post online to learn how to gain your trust.  Consider even the information posted on your department’s public website.  This is a primary source for cybercriminals to figure out how to contact you and your coworkers.
    • Protect your credentials. No legitimate company or organization will ask for your username and password or other personal information via e-mail. Neither will OIT. Still not sure if the e-mail is a phish? Contact LTAC or the Office of the CIO.
    • Beware of attachments. E-mail attachments are a common vector for malicious software. When you get a message with an attachment, delete it—unless you are expecting it and are absolutely certain it is legitimate.
    • Confirm identities. Phishing messages can look official. Cybercriminals steal organization and company identities, including logos and URLs that are close to the links they’re trying to imitate. There’s nothing to stop them from impersonating schools, financial institutions, retailers, and a wide range of other service providers. If you can, contact the individual who supposedly sent the email through another means and verify whether or not the email is legitimate.
    • Trust your instincts. If you get a suspicious message that claims to be from an agency or service provider, use your browser to manually locate the organization online and contact them via their website, e-mail, or telephone number.
    • Check the sender. Check the sender’s e-mail address. Any correspondence from an organization should come from an organizational e-mail address. A notice from your college or university is unlikely to come from YourIThelpdesk@yahoo.com.
    • Take your time. If a message states that you must act immediately or lose access, do not comply. Phishing attempts frequently threaten a loss of service unless you do something. Cybercriminals want you to react without thinking; an urgent call to action makes you more likely to cooperate.

     

  • Continue to stay vigilant and send any phishing messages you receive as an attachment to abuse@sulross.edu. Your input is valuable as we look at and evaluate each instance to determine an appropriate course of action.
  • If you need assistance or have questions, you may contact LTAC at techassist@sulross.edu, 432-837-8888, x.8888, or toll free at 888-837-2882.

    Follow us on Twitter @SRSUOIT

    Like us on Facebook SRSUOIT

Keeping It Private

You exist in digital form all over the Internet. It is thus important to ensure that the digital “You” matches what you are intending to share. It is also critical to guard your privacy — not only to avoid embarrassment, but also to protect your identity and finances!

Following are specific steps you can take to protect your online information, identity, and privacy.

  • Use a unique password for each site. Hackers often use previously compromised information to access other sites. Choosing unique passwords keeps that risk to a minimum.
  • Use a password manager. Using an encrypted password manager to store your passwords makes it easy to access and use a unique password for each site. See https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201310_en.pdf for more info on password managers. The OIT department uses LastPass for our purposes and has found it easy to use and secure.
  • Know what you are sharing. Check the privacy settings on all of your social media accounts; some even include a wizard to walk you through the settings. Always be cautious about what you post publicly.
  • Guard your date of birth and telephone number. These are key pieces of information used for verification, and you should not share them publicly. If an online service or site asks you to share this critical information, consider whether it is important enough to warrant it.
  • Keep your work and personal presences separate. Your employer has the right to access your e-mail account, so you should use an outside service for private e-mails. This also helps you ensure uninterrupted access to your private e-mail and other services if you switch employers.
  • There are no true secrets online. Use the postcard or billboard test: Would you be comfortable with everyone reading a message or post? If not, don’t share it.

(Taken in part from the Educause Review website)