April is here and the semester is winding down. I hope everyone’s semester is going well and you are able to both get all your work done and enjoy the spring weather. I have two topics this month that are not new, but, as with all things cybersecurity related, have changed, intensified, or obviously need clarification. Those topics are phishing emails and keeping your personal activities separate from your work activities. I want to take a slightly different approach to these two topics, so hang with me and take the next few minutes to finish reading this newsletter. Before we dive into the topics, let me take this opportunity to remind you to complete your cybersecurity awareness training for spring 2025. Notices will be going out soon to department heads and deans to help nudge you along. “That’s all I have to say about that.”
Phishing emails will never go away, but they will get more sophisticated and attackers will use every method they can to get you to trust an email enough to click a link or open an attachment. One very popular method is to use valid services to deliver phishing emails. This can happen in a number of ways.
The first method involves getting control of an account at a legitimate organization, then using the resources of that account to attack others. If an attacker gains control of a salesperson’s account, they can then “jump into” existing email threads, using current and legitimate conversations to send malicious links or attachments. The hope is that the potential victim will readily open an attachment or click on a link because they are “mid-conversation” with the hacked account. The only good way to spot these attacks is to check whether the email asking you to click a link or open an attachment reads like the previous emails in the thread AND has none of the traditional phishing “tells”: greetings with no names, vague language, and a false sense of urgency about needing to quickly review the attached or linked document. Some even have poor grammar and spelling, although that is becoming uncommon with the advent of generative artificial intelligence (gen AI). Pay attention to all emails and always have your skeptic’s glasses on.
The second method is even easier. An attacker will create a dummy account with Google, Microsoft, DocuSign, PayPal, or another legitimate service and start sending out emails sharing “important documents”, fake invoices, or other messages designed to instill a sense of urgency in the recipient. Because these emails come from legitimate companies, they are difficult to stop: the sending address is usually a generic notification address for the service’s domain, so it cannot simply be blocked. As cybersecurity defenders, we are forced to try to block these emails based on multiple attributes, such as the subject (still not always possible, as many of the subjects are generic) or the email body content, which means we are always reacting to them instead of preventing them. As cybersecurity defenders, we want to be preventative, not reactive.
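As an added illustration of the attribute-based filtering described above (example code written for this newsletter, not Berry’s actual mail rules), here is a small Python scorer that combines the weak signals named in the two methods: a generic notification sender at a legitimate service, a greeting with no name, urgency language, vague “document/invoice” wording, and a request to click a link or open an attachment. The sender addresses, phrase lists, sample messages, and the quarantine threshold are all constructed for the example.

```python
import re

# Constructed (hypothetical) generic notification senders at legitimate services.
# The page notes such addresses cannot simply be blocked, so they count as one weak signal only.
GENERIC_SERVICE_SENDERS = {
    "no-reply@example-docusign.test",
    "drive-shares-noreply@example-google.test",
}
URGENCY = ["immediately", "urgent", "within 24 hours", "act now", "asap", "final notice"]
VAGUE_DOC = ["important document", "shared a document", "invoice", "document is ready"]
GENERIC_GREETINGS = ["dear user", "dear customer", "hello,", "hi,", "greetings"]


def score_message(sender: str, subject: str, body: str) -> tuple[int, list[str]]:
    """Return (score, reasons). Each signal alone is weak; several together justify quarantine."""
    text = f"{subject}\n{body}".lower()
    first_line = body.strip().splitlines()[0].lower() if body.strip() else ""
    score, reasons = 0, []
    if sender.lower() in GENERIC_SERVICE_SENDERS:
        score += 1; reasons.append("generic notification sender at a legitimate service")
    if not first_line or any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        score += 1; reasons.append("greeting with no name")
    if any(u in text for u in URGENCY):
        score += 2; reasons.append("false sense of urgency")
    if any(v in text for v in VAGUE_DOC):
        score += 1; reasons.append("vague 'document/invoice' language")
    if re.search(r"https?://|attach", text):
        score += 1; reasons.append("asks to click a link or open an attachment")
    return score, reasons


def classify(sender: str, subject: str, body: str, threshold: int = 4) -> tuple[str, int, list[str]]:
    """Quarantine when enough signals stack up; the threshold is a constructed tuning value."""
    score, reasons = score_message(sender, subject, body)
    return ("quarantine" if score >= threshold else "deliver"), score, reasons


# Constructed sample messages: one service-notification phish, one genuine mid-thread reply.
SAMPLES = {
    "phish": dict(sender="no-reply@example-docusign.test", subject="Important document shared with you",
                  body="Dear User,\nPlease review the attached invoice immediately.\nhttp://example-share.test/doc"),
    "legit": dict(sender="jane.doe@example-vendor.test", subject="Re: April order",
                  body="Hi Tom,\nThanks for the call today. The updated quote is below.\nBest, Jane"),
}


def run_samples() -> dict[str, str]:
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify(**msg)[0] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, classify(**msg))
```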
This leads us to the second topic, which is yet another recommendation not to handle your personal activities in your work email. This is a bad idea, as it opens you up to receiving lots of emails that are unrelated to your work and may actually be malicious. As one particular user, and maybe more of you on campus, have learned, once you get on a particular spammer/phisher list, you may receive multiple emails a day attempting to trick you into clicking a link or opening an attachment, or simply trying to lure you into a scam. Our systems filter out (or possibly allow) all kinds of junk email every day, including:
- Car warranty offers
- Home warranty offers
- Lawn care and home maintenance ads
- Loan offers
- Neighborhood/community emails from social media sites for things like free items and community gatherings
- Sales notices from specialty stores, including music stores, home furnishing stores, big box hardware and lumber stores, and any number of other things better sent to personal email addresses.
I want to be VERY clear about this. There is no real opposition to you using your Berry email address to gain discounts on some items or services. There are great deals out there for people who work in academia. However, you should not use your Berry account for things like social media, banking and financial accounts, medical and insurance sites, or any other accounts that may involve personal, sensitive, or financial information. Yes, way back in the day, you had to have a .edu account to get on Facebook, but that is not the case anymore, and you really should change your email address for Facebook to your personal email address. That goes for any other social media or similar site. There are too many malicious images and links running around Facebook and other social media to safely use your Berry account with them.
It’s not just to protect Berry that I argue this point. It is to protect you. If Berry should ever have to put a legal hold on email accounts related to a legal or criminal case, and those accounts then have to be turned over as evidence, any personal information that reached your Berry account through sensitive, financial, or medical accounts may be seen by people you never intended to see it. Just think about it…
Along those lines, I also ask employees to carefully consider whether or not you should browse social media sites on your work computer. I understand everyone may do this at one time or another (even I do on occasion), but if you have any reservations about a particular link or image in a post, wait until you are on your own computer or device to investigate it. We are attacked enough without inviting the attack into our browser by surfing social media.
That’s all for April. I usually put some tax season tips into this newsletter, but these two topics seemed far more important based on recent events. Until May!
All Berry students, faculty and staff have MFA enabled on their Berry account, and you should use it in the most secure way via the Microsoft Authenticator app on your smartphone. But don’t stop there! Use the Microsoft Authenticator as your second factor on any site that supports Google Authenticator. Turn on MFA/2FA everywhere you can. Yes, it will take you another few seconds to log in, but your data and account will be safer.
Please continue to report those phishing emails! Avoid using “unsubscribe” links and report both spam and phishing via the “Report” button.
If I’m not covering a topic of cybersecurity you are interested in or concerned about, please let me know. I want to be your first and best resource on cybersecurity information, so tell me how I can help and inform you.
Check out https://support.berry.edu for more information about OIT and the services we provide. You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications.
Food For Thought
This month you get a 2 for 1 Food For Thought. The first video is a cover of “Sultans of Swing” by Mary Spender (featured here before) and her colleague Josh Turner. It is missing the dulcet, sarcastic tones of Mark Knopfler, but the guitar work is gorgeous! The second video is of one of my favorite guitar players of all time, sadly gone a long time now, Stevie Ray Vaughan, doing a cover of “Little Wing”, one of the best I’ve ever heard. The recording is not very high fidelity, but you can still hear the greatness. He did release this on his album The Sky Is Crying, so drop that into your playlist to hear a better recording. In fact, drop the whole album into your playlist, because “Little Wing” isn’t even the best song on the album.
Featured Image: Photo by Brant Sanderlin/Berry College