November News from Information Security

and our Cybersecurity Awareness Month Wrap-Up!

Is it already November? Absolutely, it is, and I know everyone is welcoming the fall weather and the approaching end of classes. We just had a super October celebrating Cybersecurity Awareness Month. Thank you to everyone who read the weekly articles, participated in the virtual scavenger hunt, and completed their cybersecurity awareness training. We’ll recap Cybersecurity Awareness Month first, then get to November news.

As a reminder, we covered passwords and password managers in the first week, multi-factor authentication in the second week, phishing in the third week, and the importance of updating software in the last week. The statistics on the website indicate that many of you took a look at the articles. I hope you learned or remembered something important relating to cybersecurity awareness from them.

Thirty-three of you participated in the virtual scavenger hunt and nine of you finished it. The drawings for the prizes have been completed and the grand prize winner of the Bluetooth earbuds is Haley Richards. Of those who completed week 1 of the hunt, Joe Shimko won the weekly participation prize. The prize for week 2 participation was won by Cris deRevere. The last two weeks’ prizes were won by Suzanne McAdams for week 3 and Autumn Young for week 4. I’ll also contact each person via email and make arrangements for prizes. Congratulations and thank you to everyone who participated in the hunt. We’ll do another one in the spring.

November 10th is approaching quickly. This is the deadline to complete the cybersecurity awareness training for the fall. Only 739 of you have completed this as of the publication of this newsletter. Please take a few minutes soon and complete the training. If your link in the email doesn’t work (and for reasons we don’t understand, most do not) you can either go to https://myapps.berry.edu and click on Berry Security Awareness or go to https://berry.litmos.com and click on the link on the left side that says “Sign in with your Berry account”. Don’t attempt to put your email address and password into the fields on the right side of the page. This will not work, but I can’t remove those from the page. Just click the link there and it will take you through the login process, or, if you are already authenticated to your Berry account, it will take you directly into the training platform. The course is labeled “Biannual Cybersecurity Awareness Training – Fall 2023”. Thank you to everyone who has completed this training already, and for those who haven’t and are having trouble getting into the training platform, please let me know. You can email infosec@berry.edu or me directly – dboyd@berry.edu.

One thing that happened during October as part of our Cybersecurity Awareness Month activities that we did not talk much about was our simulated phishing campaign. As part of this campaign, four different phishing emails were sent to the community over a two-week period. We wanted to get an idea of how well the community could spot phishing emails and how many of you would take the time to report them. I’ll say that we are better at spotting some kinds of phishing than others, but our numbers indicate that we are pretty good overall. Our ultimate goal, of course, is that we are 100% accurate in spotting phishing emails, but we live in an imperfect world, so that will probably never happen.

As mentioned already, we sent out four different emails. One was a “keep your password” email. Of the 1979 of you who saw the email, only about 2% of you were fooled and over 6% of you reported it. The 2% result is much lower than the predicted failure rate of 21%. An email about a fake dog-sitting opportunity showed similar results, with a 1.89% failure rate versus a predicted 70% failure rate. And thankfully, no one wanted a free piano…that fake email only had a .18% failure rate. However, we did manage to fool a few more people with a fake “2FA” email that unfortunately coincided with a change in Microsoft policy about what factors they will accept for multi-factor authentication. Over 8% of the 2073 people who read the message clicked on the link and “granted access” to their account. That was a tough email to spot, but we still beat the expected 20% failure rate. Thank you to everyone who spotted these emails and reported them.

Going right along with that thread of thought, remember that the way we report phishing emails is changing this semester. The “Phish Alert Report” button is going away in favor of the “Report Message” button. Both are currently available, but the “Phish Alert Report” button will disappear in December.

Now for some November news. When ChatGPT and other AI tools were launched, many believed that this would increase both the quantity and quality of phishing emails. Those people were not wrong. A company called SlashNext just released a report that includes the scary statistic of a 1265% increase in phishing emails over the last 12 months. There was a 967% increase in credential phishing emails alone. I’m sure many of you have noticed the extra emails in your inbox, as I have noticed a marked increase in reports of phishing emails.

Not only have there been more emails, they have been trickier and harder to spot. Attackers are using new techniques to try and steal credentials or compromise accounts. Many of you have probably seen emails come through that claim someone has shared a document with you, or that you need to “verify” your account or some other urgent message. The only other thing in the email is a QR code that you are supposed to scan with your phone to complete the urgent task. This is not what QR codes are for. They are very convenient for all kinds of things – menus in restaurants, contacting technical support for wi-fi issues, getting more information about a topic on a poster or flyer, and many other uses, but NOT for verifying your account or accessing a shared document.

If you think about it, the entire premise is silly. You’ve received an email and if you are reading the email on your desktop/laptop, why must you use your phone to access a shared document or complete an important account-related task? Scanning a QR code in an email is not impossible, but tricky to do if you are on your phone reading the email. Don’t fall for these “QR code” phishing emails. I can assure you that the Office of Information Technology will never send you a QR code in an email to accomplish any important task. You might see a QR code on a poster or flyer, but not in an email.

That’s it! I know this read was somewhat lengthy, but there was a lot I needed to pass along to everyone.

All Berry students, faculty and staff have MFA enabled on their Berry account, and you should use it in the most secure way via the Microsoft Authenticator app on your smartphone. But don’t stop there! Use the Microsoft Authenticator as your second factor on any site that supports Google Authenticator. Turn MFA/2FA on everywhere you can. Yes, it will take you another few seconds to log in, but your data and account will be safer.

If I’m not covering a topic of cybersecurity you are interested in or concerned about, please let me know. I want to be your first and best resource on cybersecurity information, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT, and specifically Information Security, will be provided using these outlets. If you are not into social media, you can also subscribe to get updates via email. Just use the link available in the right-hand sidebar on the website.

Check out https://support.berry.edu for more information about OIT and the services we provide. You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the events calendar where events will be posted.

Food for Thought

This month’s food for thought is a little dark, as it is a reflection on the untimely death of Matthew Perry, star of Friends. I present it because the video speaks to a phenomenon not experienced by most college-age students these days – gathering around a TV at a set time on a specific day (because that was when a particular show aired) to have a common experience – watching an iconic television show. Sure, we can still gather around a TV or other screen to watch shows, but when Friends was originally running on NBC, you had to watch it on Thursday night at 8PM, or you had to set your VCR or DVR to record it to watch later…I know some of you remember this experience…Jesse Watters also speaks to a lack of unity in America, and while I don’t think streaming video is really a culprit of this change, it definitely didn’t help. Shared experiences are part of building community. Yes, this video originally aired on Fox News, but brace yourself and take a few minutes to watch it…it is worth it.

Featured Image: Photo by Ruvim Noga on Unsplash
