Campus Security Awareness Campaign 2018
This post is part of a larger campaign designed to support security professionals and IT communicators as they develop or enhance their security awareness plans. View all 12 monthly blog posts with ready-made content by visiting our security awareness resource page.
Even if you plan to run a self-phishing (simulated phishing) program to raise awareness, the users most likely to be fooled still need basic skills first. Situational awareness differs between the office and home, and in a mobile society a compromise at home can easily become a problem on campus. This month's ready-made content can help your end users learn how to protect themselves against phishing, both on campus and off.
Get the Word Out
Newsletter or Website Content
Cybercriminals use phishing—a type of social engineering—to manipulate people into doing what they want. Social engineering is at the heart of every phishing attack, whether it arrives by e-mail, text message, or phone call; e-mail remains the most common channel. Technology makes phishing easy. Setting up and operating a phishing attack is fast, inexpensive, and low risk: any cybercriminal with an e-mail address can launch one.
According to Verizon's 2017 Data Breach Investigations Report, the education sector saw a rise in social engineering–based attacks. Students, staff, and faculty all suffered losses when personal data and research were disclosed to unauthorized parties. Phishing played a part in more than 40% of these breaches. Knowing what you're up against can help you be more secure. Here are a few things you can do to guard against phishing attacks:
- Limit what you share online. The less you share about yourself, the smaller the target you are for a phishing attack. Cybercriminals use information you post online to learn how to gain your trust.
- Protect your credentials. No legitimate company or organization will ask for your username and password or other personal information via e-mail. Your school definitely won't. Still not sure if the e-mail is a phish? Contact your IT help desk. (Many institutions now offer a "phish bowl" so end users can quickly and easily report phishy messages or view the latest scams.)
- Beware of attachments. E-mail attachments are the most common vector for malicious software. When you get a message with an attachment, delete it—unless you are expecting it and are absolutely certain it is legitimate.
- Confirm identities. Phishing messages can look official. Cybercriminals copy organization and company branding, including logos, and register look-alike URLs that differ from the genuine address by only a character or two. There's nothing to stop them from impersonating schools, financial institutions, retailers, and a wide range of other service providers.
- Trust your instincts. If you get a suspicious message that claims to be from an agency or service provider, do not use the contact details or links in the message. Instead, use your browser to locate the organization online yourself and contact them through their website, a known e-mail address, or their published telephone number.
- Check the sender. Look at the sender's actual e-mail address, not just the display name. Official correspondence from an organization should come from that organization's own domain. A notice from your college or university is unlikely to come from [email protected]. Keep in mind that the address itself can be forged, so a familiar-looking sender is not proof that a message is genuine; an unfamiliar one is a clear warning sign.
- Take your time. If a message states that you must act immediately or lose access, do not comply. Phishing attempts frequently threaten a loss of service unless you do something. Cybercriminals want you to react without thinking; an urgent call to action makes you more likely to cooperate.
- Don't click links in suspicious messages. If you don't trust the e-mail (or text message), don't trust the links in it either. Beware of links that are hidden by URL shorteners or text like "Click Here." They may link to a phishing site or a form designed to steal your username and password.
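The checks in the list above ("confirm identities", "check the sender", "take your time", and "don't click links") can also be applied by help-desk or phish-bowl staff who triage reported messages. The script below is an added example written for this post, not EDUCAUSE code or part of any campus tool: it parses a raw e-mail, compares the sender's domain with the institution's, extracts each link's real destination alongside its visible text (the programmatic form of "hover to discover"), and looks for pressure language. The institutional domain `xyzcollege.edu`, the organization name token, and the sample message are all constructed assumptions for the demonstration.

```python
"""Phish triage helper: apply the awareness checklist to a raw e-mail message.
Added example; the institution, domain, and sample message are hypothetical."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "xyzcollege.edu"   # assumed institutional domain (hypothetical)
ORG_NAME = "xyzcollege"         # name token a look-alike address would borrow
# Well-known URL shorteners that hide the real destination of a link.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
# Link text that tells the reader nothing about where the link goes.
VAGUE_TEXT = {"click here", "here", "login", "log in", "verify", "update now"}
# Pressure language that pushes the reader to act without thinking.
URGENCY = re.compile(
    r"\b(immediately|urgent(?:ly)?|act now|\d+ hours?|suspend\w*|deactivat\w*|lose access)\b",
    re.IGNORECASE)

# Constructed sample message for the demo; not a real phish.
SAMPLE = """\
From: "XYZ College IT Help Desk" <helpdesk@xyzcollege-support.com>
To: jane.doe@xyzcollege.edu
Subject: Action required: your mailbox will be deactivated in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended unless you act immediately.</p>
<p><a href="http://bit.ly/not-a-real-link">Click here</a> to keep your access.</p>
<p>Or visit <a href="http://xyzcollege.edu.account-verify.net/login">http://xyzcollege.edu/login</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: the programmatic 'hover to discover'."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname: a crude stand-in for the public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_sender(from_header):
    """'Check the sender': does the From address belong to the institution?"""
    flags = []
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if registrable_domain(domain) != ORG_DOMAIN:
        flags.append(f"sender address is under {domain or 'no domain'}, not {ORG_DOMAIN}")
        if ORG_NAME in domain:
            flags.append(f"sender domain {domain} borrows the institution's name")
        if ORG_NAME in display.lower().replace(" ", ""):
            flags.append(f"display name '{display}' claims the institution")
    return flags


def check_links(html):
    """'Don't click links': compare where each link says it goes with where it really goes."""
    parser = LinkCollector()
    parser.feed(html)
    flags = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) in SHORTENERS:
            flags.append(f"shortener {host} hides the destination of '{text}'")
        if text.lower() in VAGUE_TEXT:
            flags.append(f"vague link text '{text}' -> {href}")
        shown = re.match(r"https?://([^/\s]+)", text)   # text that itself looks like a URL
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            flags.append(f"text shows {shown.group(1)} but link goes to {host}")
        if ORG_DOMAIN in host and registrable_domain(host) != ORG_DOMAIN:
            flags.append(f"look-alike host {host} nests {ORG_DOMAIN} under {registrable_domain(host)}")
    return flags


def check_urgency(text):
    """'Take your time': return the pressure phrases found in the message."""
    return sorted({m.group(0).lower() for m in URGENCY.finditer(text)})


def triage(raw_message):
    """Run all checks on a raw RFC 5322 message and return the red flags by area."""
    msg = message_from_string(raw_message)
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, errors="replace")
    visible = re.sub(r"<[^>]+>", " ", body)   # strip tags so we scan what the reader sees
    return {
        "sender": check_sender(msg.get("From", "")),
        "links": check_links(body),
        "urgency": check_urgency(msg.get("Subject", "") + " " + visible),
    }


if __name__ == "__main__":
    for area, flags in triage(SAMPLE).items():
        print(f"{area}:")
        for flag in flags:
            print(f"  - {flag}")
```

Running it on the constructed sample flags the sender domain that borrows the institution's name, the shortened and vaguely labelled link, the link whose visible text shows `xyzcollege.edu` while it really points at `account-verify.net`, and the deadline language. The `registrable_domain` helper deliberately approximates the public-suffix list with "last two labels", which is enough for `.edu` and `.com` addresses but would need a real suffix list for domains such as `.ac.uk`; the point of the script is to show the checks, not to replace a mail gateway.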
Social Posts
Note: These are Twitter-ready, meeting the 140-character length restriction.
- E-mail attachments: A cybercriminal's #1 choice for spreading malicious software. Do not open unexpected attachments! #Phishing #CyberAware
- Hover to discover: Mouse over links in e-mail to reveal their true URL. Avoid getting phished—no hook for you! #Phishing #CyberAware
- Trust your instincts: Does that e-mail feel off? It probably is. Contact the sender to confirm it's legit. #Phishing #CyberAware
- Is it urgent? Slow down. Cybercriminals want you to do what you're told, when you're told. Think before you click. #Phishing #CyberAware
- Manage your social media carefully: Posting personal info online creates bait for scams and #phishing. #CyberAware #PrivacyAware
- Remember: #Phishing is social engineering and it's not just for e-mail! You can get phished by phone or text message. #CyberAware
E-Mail Signature
Ask staff members to add a tip to their e-mail signature block and link to your institution's information security page.
Example:
Jane Doe
Information Security Office
XYZ College
If you don't catch the phish, the phish will catch you. Don't fall victim to a phishing attack. Learn more. [Link "Learn more." to your institution's information security department page or NCSA's tips and resources for spam and phishing [https://staysafeonline.org/stay-safe-online/online-safety-basics/spam-and-phishing/].]
Embed or Share Videos
Don't Get Hooked by Phishing (1:28 min)
What Is Phishing and How Do I Protect Myself? (2:28 min)
Resources
Share these resources with end users or use them to inform your awareness strategy:
- Use the Federal Trade Commission (FTC) Consumer Information page on phishing to educate vulnerable users.
- Visit the United States Computer Emergency Readiness Team (US-CERT) website on Avoiding Social Engineering and Phishing Attacks for more useful advice.
- Share these infographics: How to Recognize and Avoid Phishing Attacks (Digital Guardian) and How Phishing Works (Citrix ShareFile).
- Explore the possible benefits of deploying a phishing simulation program on your campus. Review related EDUCAUSE resources, including a webinar and blog post on phishing campaigns.
- See our previous Campus Security Awareness Campaign blogs about phishing and ransomware: February 2017: Learn What It Takes to Refuse the Phishing Bait, September 2017: Avoiding Ransomware Attacks, and April 2016: Don't Get Hooked.
Brought to you by the Awareness and Training Working Group of the EDUCAUSE Higher Education Information Security Council (HEISC).