February 2017: Learn What It Takes to Refuse the Phishing Bait!


Campus Security Awareness Campaign 2017
This post is part of a larger campaign designed to support security professionals and IT communicators as they develop or enhance their security awareness plans. View all 12 monthly blog posts with ready-made content by visiting www.educause.edu/securityawareness.

Social engineering attacks come in all shapes and sizes — and not just through e-mail. Use this month’s ready-made content to increase awareness of phishing schemes and ultimately help students, faculty, and staff at your institution learn to recognize and properly respond to social engineering attacks. [Note: The September 2017 blog provides more information about ransomware.]

Get the Word Out

Newsletter or Website Content

Cybercriminals know the best strategies for gaining access to your institution’s sensitive data. In most cases, it doesn’t involve them rappelling from a ceiling’s skylight and deftly avoiding a laser detection system to hack into your servers; instead, they simply manipulate a community member.

According to IBM’s 2014 Cyber Security Intelligence Index, human error is a factor in 95 percent of security incidents. Following are a few ways to identify various types of social engineering attacks and their telltale signs.

  • Phishing isn’t relegated to just e-mail! Cybercriminals will also launch phishing attacks through phone calls, text messages, or other online messaging applications. Don’t know the sender or caller? Seem too good to be true? It’s probably a phishing attack.
  • Know the signs. Does the e-mail contain a vague salutation, spelling or grammatical errors, an urgent request, and/or an offer that seems impossibly good? Click that delete button.
  • Verify the sender. Check the sender’s e-mail address to make sure it’s legitimate. If it appears that your institution’s help desk is asking you to click on a link to increase your mailbox quota, but the sender is “[email protected],” it’s a phishing message.
  • Don’t be duped by aesthetics. Phishing e-mails often contain convincing logos, links to actual company websites, legitimate phone numbers, and e-mail signatures of actual employees. However, if the message is urging you to take action — especially action such as sending sensitive information, clicking on a link, or downloading an attachment — exercise caution and look for other telltale signs of phishing attacks. Don’t hesitate to contact the company directly; they can verify legitimacy and may not even be aware that their name is being used for fraud.
  • Never, ever share your password. Did we say never? Yup, we mean never. Your password is the key to your identity, your data, and your classmates’ and colleagues’ data. It is for your eyes only. Your institution’s help desk or IT department will never ask you for your password.
  • Avoid opening links and attachments from unknown senders. Get into the habit of typing known URLs into your browser. Don’t open attachments unless you’re expecting a file from someone. Give them a call if you’re suspicious.
  • When you’re not sure, call to verify. Let’s say you receive an e-mail claiming to be from someone you know — a friend, colleague, or even the president of your college or university. Cybercriminals often spoof addresses to convince you, then request that you perform an action such as transfer funds or provide sensitive information. If something seems off about the e-mail, call them at a known number listed in your institution’s directory to confirm the request.
  • Don’t talk to strangers! Receive a call from someone you don’t know? Are they asking you to provide information or making odd requests? Hang up the phone and report it to the help desk.
  • Don’t be tempted by abandoned flash drives. Cybercriminals may leave flash drives lying around for victims to pick up and insert, thereby unknowingly installing malware on their computers. You might be tempted to insert a flash drive only to find out the rightful owner, but be wary — it could be a trap.
  • See someone suspicious? Say something. If you notice someone suspicious walking around or “tailgating” someone else, especially in an off-limits area, call campus safety.
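As an added example that is not part of the EDUCAUSE post, the following Python script turns two of the tips above ("Verify the sender" and "Avoid opening links") into mechanical checks a help desk could run on a message that a user forwards for review: does the From header claim to be the institution while the actual address sits on another domain, and does a link's visible text show one host while its real destination is a different one? The sample message, the institution domain `xyz.edu` and the name "XYZ College" are constructed placeholder values, not taken from any real incident.

```python
"""Two simple phishing-triage checks (added example, not from the EDUCAUSE post)."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name claims to be the college help desk, the
# address is on an unrelated domain, and the link text shows an institutional
# URL while the href points elsewhere. xyz.edu / XYZ College are placeholders.
SAMPLE_MESSAGE = """\
From: XYZ College Help Desk <helpdesk@example.net>
To: student@xyz.edu
Subject: Mailbox quota exceeded - action required
Content-Type: text/html

<html><body>
<p>Dear user, your mailbox is full. Click
<a href="http://example.net/login">https://mail.xyz.edu/quota</a>
within 24 hours.</p>
</body></html>
"""

# Constructed sample of a legitimate notice: internal sender, honest link.
CLEAN_MESSAGE = """\
From: XYZ College Help Desk <helpdesk@xyz.edu>
To: student@xyz.edu
Subject: Scheduled maintenance
Content-Type: text/html

<html><body><p>See <a href="https://status.xyz.edu/">the status page</a>.</p></body></html>
"""


def sender_domain(raw_message: str) -> str:
    """Domain part of the real From address (empty if there is none)."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_internal_domain(domain: str, institution_domain: str) -> bool:
    """True for the institution's domain or any of its subdomains."""
    return domain == institution_domain or domain.endswith("." + institution_domain)


def claims_to_be_internal(raw_message: str, institution_name: str) -> bool:
    """True when the display name invokes the institution's name."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    return institution_name.lower() in display_name.lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _looks_like_url(text: str) -> bool:
    return "." in text and " " not in text


def deceptive_links(html: str) -> list:
    """Links whose visible text names one host but whose href goes to another.
    Returns a list of (visible_text, real_href) tuples."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not _looks_like_url(text):
            continue  # plain wording such as "Click here" carries no host claim
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and shown != real:
            flagged.append((text, href))
    return flagged


def phishing_indicators(raw_message: str, institution_domain: str,
                        institution_name: str) -> list:
    """Run both checks and return human-readable indicators (empty = none fired)."""
    msg = message_from_string(raw_message)
    indicators = []
    domain = sender_domain(raw_message)
    if claims_to_be_internal(raw_message, institution_name) and \
            not is_internal_domain(domain, institution_domain):
        indicators.append(f"display name invokes {institution_name} but sender domain is {domain!r}")
    body = "" if msg.is_multipart() else msg.get_payload()
    for text, href in deceptive_links(body):
        indicators.append(f"link shows {text!r} but really goes to {href!r}")
    return indicators


if __name__ == "__main__":
    for label, message in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, phishing_indicators(message, "xyz.edu", "XYZ College"))
```

Both checks are deliberately conservative: an external sender is only flagged when the display name also claims the institution, and a link is only flagged when its visible text itself looks like a URL, so ordinary "Click here" links on legitimate mail are not reported.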
[Image: STOP. THINK. CONNECT. “When in Doubt” poster]

Source: STOP. THINK. CONNECT. When in Doubt poster

Figure 1. Use this image to support your message.

Social Posts

Note: These are Twitter-ready, meeting the 140-character length restriction.

  • Hover over hyperlinks in e-mails to see where they truly lead. Better yet, type a known URL into your browser. #Phishing #CyberAware
  • “Verify your account by midnight or it will turn into a pumpkin!” Get a message urging you to take action? Delete it! #Phishing #CyberAware
  • Afraid you’ve fallen for a #phishing scam? Stop what you’re doing & change your password immediately! Then notify the Help Desk. #CyberAware
  • Receive a suspicious e-mail from a friend or colleague? Call them to ask if they sent it. #Phishing #CyberAware
  • Posting personal information publicly provides fuel for scam artists. #Phishing #CyberAware #PrivacyAware

E-Mail Signature

Ask staff members to add a tip to their e-mail signature block and a link to your institution’s information security page.

Example:

Jane Doe
Chief Information Security Officer
XYZ College

Don't be a victim of phishing. Legitimate messages don't ask you to send sensitive information through insecure channels. Learn more. [Link "Learn more" to your institution's phishing resources or link to NCSA's Spam and Phishing page [https://staysafeonline.org/stay-safe-online/online-safety-basics/spam-and-phishing/].] Remember: The XYZ College IT or Information Security Team will never ask for your password.

Embed or Share Videos

Tips for protecting your computer from malware (3:46 min)

An example of how a phishing attack happens and spreads (1:02 min)

Quick phishing facts (0:45 sec)

Microsoft video on five online security/privacy risks (3:35 min)

Resources

Share these resources with end users or use them to inform your awareness strategy.

  • Use the free STOP. THINK. CONNECT. “When in Doubt, Throw It Out” poster (see figure 1).
  • Share the brief educational videos above.
  • Learn more about spam and phishing [https://staysafeonline.org/stay-safe-online/online-safety-basics/spam-and-phishing/] or hacked accounts from the National Cyber Security Alliance.
  • Check out the Anti-Phishing Working Group’s consumer advice [http://www.antiphishing.org/resources/], as well as its games and quizzes.
  • Explore the US Federal Trade Commission’s information for consumers about phishing scams and how to spot them.
  • Read this EDUCAUSE Review blog: “Overcoming Social Engineering through Cultural Change.”

Brought to you by the Awareness and Training Working Group of the EDUCAUSE Higher Education Information Security Council (HEISC).

© 2017 EDUCAUSE. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.