The new year is hurtling along and February is upon us. Cybersecurity awareness training has rolled out for the semester and I want to take this moment to thank the more than 150 users who have already completed the training. I designed it to be fast, widely applicable, and easy to complete. I hope you find it so. Since I didn’t put a lot of content about phishing in the training course, I will take this opportunity to update everyone about the current state of phishing now that we have had generative AI around for years.
Attackers are definitely using AI to generate their emails, texts, and even phone calls. It might not be easy to spot the first email in a phishing attack, because these emails are generally well written (by AI) with proper grammar, no misspelled words, and a smoothly flowing narrative about whatever bait they are using to try and hook you. Thankfully, AI is often abandoned in the second email of an attack. If you had the misfortune to fall for the first salvo from the attacker, you may find yourself a tiny bit embarrassed once you read the second email, with its egregious grammar issues and misspellings.
The big question is – how can we avoid being fooled by those first emails? It is admittedly harder and harder to detect phishing emails, as many of them are sent using legitimate services, including Microsoft, Zoom, PayPal, Adobe, DocuSign, Google and others. Almost any service you receive legitimate emails from can be manipulated to send phishing emails. So, again, how can we avoid being fooled? Here’s a list of characteristics I have noticed in recent phishing emails:
- While the service is familiar, the origin of the email is not from the US division of the company. This can be detected in the text of the “small print” usually at the bottom of the email or in links in the email body…if these elements are not in English, that email is highly suspect.
- For emails that are relayed through these services, e.g., a calendar invite from Google, if the original sender address is obviously not an American address, the email is, again, highly suspect. The obvious question is – how do I know this email came from another country? Email addresses that end with two-letter combinations are generally foreign addresses – e.g., .uk is the United Kingdom, .th is Thailand, .in is India. However, there are many more “top-level domains” (that last part of an email address or domain name – for us, this is usually .com, .org, .edu, or .net) these days, including .io, .ai, and .us (an available top-level domain for the US). If you are not sure what that last part of the email address means (and as much as I loathe recommending Wikipedia for anything) you can generally find them on the Wikipedia page of top-level domains.
- Attackers are using compromised school accounts to send their emails. Attackers will send their emails from dozens of compromised accounts, preventing anyone like me, who is supposed to be trying to stop these attacks, from simply blocking the sending address, because there are too many. A huge percentage of these accounts are academic email addresses from other countries. You can spot these by looking at the next to last part of the email address. As an example (I don’t know if this email exists or not, but I’m using it as an example anyway), take the address “tsingh@jero.ac.in”. The last two letters of the address indicate it is from India, but the previous two letters, “ac”, designate it as an academic address, just as our .edu addresses designate us as an academic institution. I would estimate that over 60% of current phishing emails come from compromised academic accounts in other countries.
- Aside from the characteristics of the origin of these emails, there is also a relatively new tactic for convincing a potential victim they must open an attachment, click a link, or make a phone call. Emails come in that state an expensive purchase has been made or a high-dollar charge is “pending on your account”. This is usually for intangible goods like subscriptions to services, the purchase of cryptocurrency, warranty “renewals” or other things that are made entirely of zeros and ones in a computer. The charges are always happening today or tomorrow (or already happened), and most importantly (especially if there is no attachment on the email), the only way to avoid this charge is to call a support number. There will be NO link to a webpage in the email.
These four characteristics have been present in a huge percentage of recent phishing attacks. Regardless, the number one indicator of whether an email is legitimate or not is still – urgency. Attackers have to convince potential victims to make bad decisions. You might be “pretty sure” you didn’t buy any Bitcoin or renew a digital subscription or warranty, but since you only have a few hours to call that number and make sure, you may be inclined to do so. Once you call, you will speak with an operator who (usually) speaks excellent English and just wants to help you resolve the situation. They may try to convince you to download a file and run it on your computer (at which time they have full control of your system), or they may play the “I refunded you too much money” game and demand the money back immediately in gift cards. CNET Money actually has a good video on this. While it dates from 2021, the scams mentioned, and variations on them, are still being pushed because people fall for them.
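To make the indicators above concrete, here is a small triage script I have added as an illustration; it is not part of the newsletter or of any Berry tool. It applies the same checks a person would do by eye: is the sender under a two-letter country-code domain (every two-letter top-level domain is a country code), does the label before it mark an academic institution (ac or edu), does the body lean on urgency language, and does it ask for a phone call while offering no link at all. The urgency phrases, the phone-number pattern, the country-name table and the two sample messages are all constructed for this example; the sender address in the first sample is the newsletter’s own made-up one.

```python
import re
from dataclasses import dataclass

# Constructed lookup: a handful of country-code TLDs named in the newsletter.
# Every two-letter TLD is a country code; this table only makes output readable.
CCTLD_NAMES = {"uk": "United Kingdom", "th": "Thailand", "in": "India", "us": "United States"}

# Second-level labels that mark academic institutions under a country-code TLD
# (ac.in, ac.uk, edu.au ...), mirroring what .edu means in the US.
ACADEMIC_LABELS = {"ac", "edu"}

# Constructed urgency phrases taken from the "charge pending" lure described above.
URGENCY_TERMS = ("today", "tomorrow", "within 24 hours", "immediately", "pending on your account")

# Constructed patterns: a North American phone number and any http(s) link.
PHONE_RE = re.compile(r"\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class SenderInfo:
    domain: str
    tld: str
    is_country_code: bool   # two-letter TLD, e.g. .in, .uk, .us
    is_academic: bool       # .edu, or <name>.ac.<cc> / <name>.edu.<cc>
    country: str            # readable name when known, else the code


def classify_sender(address: str) -> SenderInfo:
    """Break a sender address down the way the newsletter suggests: the last
    label (the TLD) tells you the country, the label before it tells you
    whether it is an academic institution."""
    domain = address.rsplit("@", 1)[-1].strip("> ").lower()
    labels = domain.split(".")
    tld = labels[-1]
    is_cc = len(tld) == 2 and tld.isalpha()
    is_academic = tld == "edu" or (is_cc and len(labels) >= 3 and labels[-2] in ACADEMIC_LABELS)
    country = CCTLD_NAMES.get(tld, tld.upper() if is_cc else "generic TLD")
    return SenderInfo(domain, tld, is_cc, is_academic, country)


def triage(sender: str, body: str) -> dict:
    """Score one message against the newsletter's indicators and return the
    reasons, so a reviewer sees why it was flagged rather than just a number."""
    info = classify_sender(sender)
    reasons = []
    if info.is_country_code and info.tld != "us":
        reasons.append(f"sender domain {info.domain} is under foreign country-code TLD .{info.tld} ({info.country})")
    if info.is_academic and info.is_country_code and info.tld != "us":
        reasons.append("sender is an academic account abroad (often compromised and used for bulk sends)")
    text = body.lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    if PHONE_RE.search(body) and not URL_RE.search(body):
        reasons.append("asks for a phone call and contains no link (callback-scam pattern)")
    return {"sender": info, "score": len(reasons), "reasons": reasons,
            "verdict": "review" if len(reasons) >= 2 else "likely ok"}


# Constructed sample messages; the first address is the newsletter's illustrative example.
PHISH = ("tsingh@jero.ac.in",
         "A Bitcoin purchase of $499.99 is pending on your account and will post tomorrow. "
         "To cancel the charge, call 1-800-555-0199 immediately.")
BENIGN = ("Calendar <calendar-notification@google.com>",
          "Reminder: staff meeting Friday at 10am. Details: https://calendar.google.com/event?eid=example")

if __name__ == "__main__":
    for sender, body in (PHISH, BENIGN):
        result = triage(sender, body)
        print(f"{sender}: {result['verdict']} (score {result['score']})")
        for r in result["reasons"]:
            print("  -", r)
```

Run as-is, the first sample earns all four reasons and a “review” verdict while the calendar reminder earns none. The point of returning the reasons rather than a bare score is that each one maps back to a question a user can ask themselves before acting: where is this from, who sent it, why is it in a hurry, and why does it want a phone call instead of a link.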
That’s all I have for you this newsletter. Please complete your cybersecurity awareness training as soon as possible. Keep your eyes open, take a deep breath before attempting to respond to an “urgent” email or text, and be sure to report phishing emails, report and block phone numbers sending malicious texts, and block phone numbers that make “phishy” calls AND report those to the FTC.
All Berry students, faculty and staff have MFA enabled on their Berry account, and you should use it in the most secure way via the Microsoft Authenticator app on your smart phone. But don’t stop there! Use the Microsoft Authenticator as your second factor on any site that supports Google Authenticator. Turn on MFA/2FA everywhere you can. Yes, it will take you another few seconds to log in, but your data and account will be safer.
Please continue to report those phishing emails! Avoid using “unsubscribe” links and report both spam and phishing via the “Report” button.
If I’m not covering a topic of cybersecurity you are interested in or concerned about, please let me know. I want to be your first and best resource on cybersecurity information, so tell me how I can help and inform you.
Check out https://support.berry.edu for more information about OIT and the services we provide. You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications.
Food For Thought
My food for thought today is a short video about something that bugged me when I was growing up and that I thought I completely understood, but I still learned something when I watched it. Your mileage may vary…
Featured Image: Photo by Le Vu on Unsplash
February News from Information Security