CAM 2023 Week 3 – Don’t Get Hooked!

Welcome to week 3 of Cybersecurity Awareness Month! I hope everyone had a great Fall Break and Mountain Day and are ready to continue the semester. I also hope everyone is making progress on the Virtual Scavenger Hunt. If you haven’t started, you can find the start page right here via this link. If you complete the hunt, you will be entered into a drawing for a pair of Bluetooth earbuds. More details are on the start page. Good luck!

So far this October we have talked about passwords and password managers, and multi-factor authentication. This week we will discuss the plague of phishing emails and social engineering in general. What is social engineering? It is any attempt to persuade you to do something you shouldn’t, at least when it is used by cyber attackers. It can be implemented via emails, text messages, voice calls, over social media and even face to face. We will particularly discuss emails, as that is the primary way many people are attacked, but the concepts work for any avenue of communication.

The Cybersecurity News & Alerts site has a Quick Info page on phishing and another one on how to report it so that the Office of Information Technology can take action on it. While it is important to report phishing emails, you first have to be able to spot them, so we’re going to focus on how to spot a phishing email. Here are some pointers on how to do that.

• The email has poor grammar, and words are misspelled or misused. This includes using uncommon words that are not part of normal communications.
• The email has unusual visual spacing of words, sentences, or paragraphs. Many phishing emails are constructed using scripts and this can cause them to look very strange in your browser or email client.
• You don’t know the sender, or you don’t have any kind of relationship with the company the email claims to be from. If you don’t have an account with Citibank, yet receive an email saying there is a problem with your account, it is probably a phishing email.
• The email claims to be URGENT!!! This is the number one indicator that this email may be a phishing email, especially if the urgency seems manufactured. For example, if you receive an email that claims there is an issue with your email account and you must click on the link in the email within 24 hours to correct it, this is most likely a phishing email.
• There are links you must follow or documents you must open to resolve the urgent situation. You should never have to click a link to resolve a problem with your bank account or any other account. You should always be able to simply go to the site (not by clicking the link, but by simply going to the login page) and check your account. If there is an issue, then it will notify you when you log in.
• You won a lottery you never entered. This is pretty self-explanatory, but some people believe they can be entered into a lottery without their knowledge.
• THERE’S A LOT OF CAPITALIZED LETTERS IN THE EMAIL, as if they are shouting at you. Again, pretty self-explanatory, but a good thing to keep in mind. A lot of capitalized letters in an email attempts to give it a more important “feel”, but is a strong sign it is a phishing email.
• The email claims your password is expiring, but says you can keep your existing password. If your password is expiring, it is expiring. These emails try to play on your desire to not have to deal with a problem and offer an easy fix – just click on the button and enter your current password and you get to keep it. No, this is not how this works.
• If the email claims to be from someone you know, but something seems odd, for example they use words and phrases they don’t normally use or use abbreviations and “Internet Speak” like LOL, OMG, etc., or they do usually do that and don’t in the email, contact the other person by another means (phone call, face to face, etc.). DON’T just reply to the email, this is what the attacker is hoping for…

Some of these tips are less useful than they use to be. With the advent of ChatGPT and other AI large language models, it is easier for cyber attackers to craft phishing emails with good grammar and spelling, but they tend to only use AI to write the initial email, not any of the follow up emails if you respond. Or, if they use AI to write the followup email, they tend to put at least one sentence at the end that is not AI written and is very different from the rest of the email in grammar, spelling, or word use.

Be alert to these signs to spot a phishing email. Again, these tips work for any kind of medium – email, text message, social media message, phone, or face to face. A face to face social engineering encounter is probably not something most of you will ever experience, but it is good to know these tips to be able to discern a social engineering attempt.

That’s it. Learn how to spot a phishing email and then take the time to report it, allowing the Office of Information Technology to use that report to help others. Don’t forget to jump into the scavenger hunt. The start link is at the top of this article. One more full week of October and we’ll be discussing updating your software and how important it is. Come back next week to get all the info!