Welcome back and I hope your first week and weekend of the fall 2021 semester was good. It is now September and believe it or not, all of you students are already expected to have just fallen into a rhythm and be moving along with the flow of classes and work. If you are not at this point, don’t worry…fake it until you make it! You’ll eventually figure out the balance of the three “S” components of college life as a student – studies, socializing and sleep. For those who are not students, welcome back to the school year, the time when you get to continue doing everything you were already doing AND have students back in classes, LifeWorks positions, and all over campus. Keep smiling everyone, even behind your masks. Real smiles really do show in the eyes, too.
But on to cybersecurity news. I mentioned in the last newsletter that everything going on was leaving many of us distracted. I also said that distracted people are easier to socially engineer with fake emails, phone calls and texts. Since then, we have even more things to distract, disturb and discombobulate us. Rising COVID cases and disastrous events both right here in America and on foreign soils all pile up to the point we may feel we must make quick decisions and react decisively just to believe we have a smidgeon of control over anything. That’s why it’s even more important to pause and take that breath when an unexpected email, text, or phone call comes.
“We know all of this,” you say. “Tell us what is new in cybersecurity,” you demand. I know, you probably didn’t demand, or even think that, but it makes me feel good to think that you did. Unfortunately, the news is the same. We have more phishing emails coming every day. Reported phishing emails increased by over 25% from July to August, with the percentage of those that were confirmed malicious increasing by 15%. The top three phishing email types we get are:
- “Congratulations on your purchase!” emails that only provide a phone number to contact the “seller”. These are designed to get you on the phone and attempt to convince you that to cancel this multi-hundred dollar (or more) purchase and get your “refund”, you have to download some piece of software onto your computer. Don’t fall for these! The phone operators are fairly well trained and have no qualms in haranguing you about this fake purchase. They will call multiple times if you make first contact. Block the number and forget about them.
- Gift card buying scams. These emails usually impersonate a supervisor or even a member of the college administration and attempt to get you to go out and buy gift cards and provide the redemption codes via text or email. They usually begin with a short email that asks “are you available?”. They then ask for a favor if you respond. We as humans tend to like to be helpful, especially to those for whom we work. The explanation of buying gift cards is almost always a son, daughter, niece, nephew, or other special person’s birthday that they can’t go and buy something for because they are stuck in meetings. Don’t do this…there is no recovering that money once you turn over the redemption codes.
- Fake password expiration notifications that usually provide a button to “Keep same password”. I can confidently assure you that the Office of Information Technology will NEVER allow you to keep the same password. I promise. If we are asking you to change your password because of either exposure or expiration, we mean “change your password”.
If you receive emails like the ones above or other “phishy” emails, please report them using the “Report Email as Phishing” button. It is available in Outlook and on the email website mail.berry.edu. If you are using the Outlook app on your Android or Apple phone, it is available under the “three dots” menu when viewing an email. The button looks like this:
Click on the button, follow the prompts and report it. If you don’t have access to Outlook or mail.berry.edu, you can also forward these emails to “phishreport@berry.edu”.
Either method lets me review it and take any needed action. You can also report spam emails using this same button, but that only lets me know that there might be some widespread spam out there. It doesn’t help you or inform Microsoft about it, so if you want to report it as spam and help keep it out of your inbox, do so before reporting it using the “Report Email as Phishing” button. If you don’t know if an email is spam or phishing, as some look very similar, report it and I will review it. As I have mentioned to many of you in previous emails, I would rather review a hundred spam emails that someone thought were phishing than let one phishing email get by.
There is something new in cybersecurity at Berry coming soon. You may have already guessed this based on recent newsletters, but this makes it official. While the name of my office and title will not change, I am making a change to this website. Instead of it being the “Infosec News & Alerts” site, it will be renamed to the “Cybersecurity News & Alerts” site. Everything from the front page title and layout to the little icon in your browser tab will change. We are working on additional sections for the site and other changes, so be sure to check it out on October 1st.
Why October 1st, you ask? So glad you did! October is, of course, Cybersecurity Awareness Month! Berry will again participate in this international event with hundreds of other schools, organizations, and businesses across the United States and in many other countries. In addition to the new website, there will be another virtual scavenger hunt with great prizes up for grabs for completion and participation. There will also be videos to watch and training sessions to attend. Plans are still being finalized. More information on all of these opportunities will be in the October newsletter and in upcoming social media posts on Twitter, Facebook and Instagram. Be sure to follow Berry OIT on the various platforms – Facebook (@BerryCollegeOIT), Twitter (@berryoit), and Instagram (@berrycollegeoit).
“But there’s never any posts from Information Security on them,” you cry! That too is changing, as we have been able to add a part-time intern AND a new student worker position to the office. There will be social media posts! So follow our social media accounts for updates, announcements and occasional alerts. We hope to provide information via these channels at least twice a week in the upcoming weeks and more than that during October’s Cybersecurity Awareness Month. Social media is happening!!!
Um…uh, well, uh…sorry for the overexcitement there. I am pretty pumped to have help in the office.
Now for the stack of reminders…
You now should have MFA enabled on your account. The most secure way to configure it is to use the Microsoft Authenticator on your smart phone. But don’t stop there! Use the Microsoft Authenticator as your second factor on any site that supports Google Authenticator. Turn MFA/2FA on everywhere you can. Yes, it will take you another few seconds to log in, but your data and account will be safer.
If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on cybersecurity information, so let me know how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT, and specifically Information Security, will be provided using these outlets. If you are not into social media, you can also subscribe to get updates via email. Just use the link available in the right-hand sidebar on the current posts page.
You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the events calendar where events will be posted.
Food for Thought
If you enjoyed last month’s Food for Thought, you will love this one.
Featured image: Photo by Brett Jordan on Unsplash