June News from Information Security

Welcome to nearly the end of June! I hope everyone is adjusting well to the summer temperatures. The newsletter has taken a back seat to a number of other initiatives in process and will be brief and to the point. As we approach the end of our fiscal year, there are many irons in the fire for everyone. I have two interesting points to make about phishing emails (what else?), a reminder about proper email hygiene, and a question about cybersecurity awareness training frequency and duration.

According to Abnormal Security, an email security provider, the volume of phishing attacks against US organizations rose 91.5% from April 2023 to April 2024. This near-doubling of phishing volume can be attributed to some degree to the use of AI by phishers, but the percentage increase is not as alarming as the improved spelling and grammar in recent phishing attacks. This used to be an important red flag to detect phishing attacks, but is becoming less useful. More important red flags such as recognizing the use of urgency, mismatched sender names and email addresses (i.e. “Steve Briggs” asdf3456@gmail.com), and more subtle, contextual clues are becoming far more important. Will there still be phishing emails with poor grammar and spelling? Of course, but the truly dangerous ones will require deeper understanding and increased awareness to effectively spot.

For example, a favorite tactic of phishers is to gain access to an account at a business, then insert themselves into conversations already in progress. An attacker might see a conversation between the company and a customer and insert a phishing email into that conversation, either with a malicious link or a malware-laden attachment. It is easy for a customer who has been emailing with a company to not carefully read emails that are part of an existing conversation and mistakenly click on a link or open an attachment. Always approach any email with an appropriate amount of caution, even emails that are part of an ongoing conversation. You just don’t know when an email account might get compromised.

This is especially true if you mix your personal business in with your work email. As a reminder, you should not use your Berry email address to conduct personal business. Instances where you might receive a discount or special access for having a .edu account are different, but in most cases, your personal activities should not be handled in your Berry email. If you are currently using your Berry email address for personal business like utilities, banking, credit card accounts, and the like, please make an effort to move these activities to personal email accounts. If you don’t want Google or Microsoft to see your personal business, consider getting a paid email account. I’ve included some information on some of these options in a previous newsletter.

Finally, I have a question about our required cybersecurity awareness training. We currently do this twice a year, during the fall and spring semesters. The course generally takes between 20 and 30 minutes to complete. What if we were to move to an every other week, less than 3 minutes training cadence? Would you like that or hate it? Yes, it would be more frequent, but it would go by quickly. What if we stayed with the current twice a year, 20-30 minutes format, but could offer a “pre-course assessment” that could exempt you from portions of (or potentially all of) the training? Would either of these options be better than what we do now? Please send your thoughts via an email to me directly at dboyd@berry.edu, or if you are reading this within 30 days of its publication, you can leave a comment below.

That’s it for June. Newsletters will go back to a longer form starting in July and will go back to posting the first full week of the month in September…at least that is the plan. Please let me know if you have topics of concern that I have not covered recently (or at all).

All Berry students, faculty and staff have MFA enabled on their Berry account, and you should use it in the most secure way via the Microsoft Authenticator app on your smart phone. But don’t stop there! Use the Microsoft Authenticator as your second factor on any site that supports Google Authenticator. Turn MFA/2FA on everywhere you can. Yes, it will take you another few seconds to log in, but your data and account will be safer.

Please continue to report those phishing emails! Avoid using “unsubscribe” links and report spam via the “Report message” button, just like you would a phishing email.

If I’m not covering a topic of cybersecurity you are interested in or concerned about, please let me know. I want to be your first and best resource on cybersecurity information, so tell how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. If you are not into social media, you can also subscribe to get updates via email. Just use the link available in the right-hand sidebar on the website.

Check out https://support.berry.edu for more information about OIT and the services we provide. You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the events calendar where events will be posted, like Cybersecurity Awareness Month.

Food For Thought

How about some comedy to take you away from all that summer work for a few minutes?

Featured Image: Photo by Dakota Roos on Unsplash