The office of Technology Support Services at Wilson Community College takes cyberthreats seriously and utilizes a multi-layered approach to protect college resources and data from unauthorized access and malicious attacks. However, it is the responsibility of everyone to educate themselves and be proactive in recognizing and avoiding cybersecurity threats.
Cyberthreat – The possibility of a malicious attempt to damage or disrupt a computer network or system.
Malware – Short for “malicious software,” malware refers to software programs designed to damage a computer system or perform other unwanted actions on it. Examples of malware are viruses, worms, Trojan horses and spyware. Viruses can delete files or directory information on a computer’s hard drive; spyware can gather data from a user’s system.
Ransomware – Ransomware is a form of malware that threatens to publish the victim’s data, or to block access to it permanently, unless a ransom is paid.
Social Engineering – An attack that relies on human interaction to trick users into breaking security procedures so that the attacker can obtain sensitive information that is normally protected.
The prevalence of phishing scams is at an all-time high. Because you are the key to preventing a cyberattack within our organization, it is important to question the legitimacy of every email you receive. Below is a list of questions to ask yourself about the content and body of an email; they may help you realize that you are being phished.
Review the content of the email.
- Is the sender asking me to click on a link or open an attachment to avoid a negative consequence, or to gain something of value?
- Is the email out of the ordinary, or does it have bad grammar or spelling errors?
- Is the sender asking me to click a link or open up an attachment that seems odd or illogical?
- Do I have an uncomfortable gut feeling about the sender’s request to open an attachment or click a link?
- Is the email asking me to look at a compromising or embarrassing picture of myself or someone I know?
If you notice anything about the email that alarms you, do not click links, open attachments, or reply.
You may already be aware that you should not open email attachments with an extension such as “.exe”, but did you know that even PDFs or Word Documents can be rendered unsafe to open? Opening these attachments from senders with malicious intent can cause your computer (and any networks to which you are connected) to be compromised, hacked or even riddled with ransomware.
What are the unsafe file types to look out for? This question is easier to answer the other way round, by listing the file types that are generally considered safe to open, because the truth is that almost any file type can be “booby-trapped” to attack your computer or device.
The general rule is to NEVER open an email attachment if you do not know who it came from or why you received it.
How can I tell if an attachment is safe to open?
- Ask yourself: Was I expecting to receive this attachment, and did it come from who I would expect it to come from? Check email addresses for any “red flags” that may indicate the email address has been spoofed or faked.
- Never open an email attachment if you don’t recognize the sender.
- If you recognize the person or email address sending you the file, but it was still unexpected, contact them first through a different form of communication (such as by phone) to ask them if they intended to send you the file.
NEVER OPEN or CLICK LINKS from any email you do not recognize. Delete any suspicious or questionable emails immediately. If you recognize the sender, but a link or attachment seems questionable, contact the sender to verify the validity of the link or attachment PRIOR to clicking or opening anything. If you are unsure of how to proceed, please notify Technology Support Services right away.
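The warning above that a file can carry a different type than its name suggests is something a mail gateway or help-desk triage script can check by reading the first bytes of the attachment instead of trusting its extension. This Python is an added example, not code from the college or from KnowBe4; the signature table, the extension mapping and the sample attachments are constructed for illustration.

```python
# Magic bytes of content types commonly seen in attachments (assumed, illustrative set).
MAGIC = (
    (b"MZ", "exe"),                 # Windows executable, whatever the file is called
    (b"\x7fELF", "elf"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),         # also the container for .docx/.xlsx/.pptx
    (b"\xd0\xcf\x11\xe0", "ole"),   # legacy binary Office (.doc/.xls)
    (b"{\\rtf", "rtf"),
)
# What the content should look like for a given extension (assumed mapping).
EXPECTED = {"txt": "text", "csv": "text", "log": "text", "pdf": "pdf", "rtf": "rtf",
            "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip",
            "doc": "ole", "xls": "ole"}
DOC_LIKE = {"pdf", "txt", "jpg", "png", "doc", "docx"}  # "invoice.pdf.exe" style names

def sniff(data):
    """Classify content by its first bytes, ignoring the filename entirely."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    printable = all(32 <= b < 127 or b in b"\r\n\t" for b in data[:512])
    return "text" if printable else "binary"

def attachment_flags(filename, data):
    """Red flags for one attachment: executable content, disguised type, stacked extensions."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    flags = []
    if kind in ("exe", "elf"):
        flags.append("executable-content")
    if ext in EXPECTED and EXPECTED[ext] != kind:
        flags.append(f"disguised-type: .{ext} but content is {kind}")
    if len(parts) > 2 and parts[-2] in DOC_LIKE:
        flags.append(f"double-extension: .{parts[-2]}.{ext}")
    return flags

# Constructed samples: a genuine PDF, a Word file, and two disguised executables.
SAMPLES = [
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj"),
    ("syllabus.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("meeting-notes.txt", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name:20} {attachment_flags(name, data) or ['ok']}")
```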
HTTPS: The 'S' stands for Secure
If you have ever signed in to a website such as Facebook or Amazon, you may have noticed that on the login page the URL changes from ‘http’ to ‘https’.
That little ‘s’ stands for secure. It means that your web browser and the website have both agreed to communicate securely, so that no one else is able to ‘listen in’ on your conversation.
If you needed to communicate some sensitive information, such as a password, to someone else, you would not shout out in the open ‘HERE IS MY PASSWORD’.
Typing sensitive information into a browser when the URL does not start with https is like shouting that information out for others to hear.
Just remember to look for that small but important ‘s’ before transmitting any sensitive information through a web browser.
Links/Attachments Red Flags
The prevalence of phishing scams is at an all-time high. Because you are the key to preventing a cyberattack within your organization, it is important to question the legitimacy of every email you receive. Below is a list of questions to ask yourself about any links or attachments on the email that may help you realize that you are being phished.
Are there hyperlinks in the email?
- Hover over any links and check the link address. Does it match the website for the sender exactly?
- Did you receive a blank email with long hyperlinks and no further information or context?
- Does the email contain a hyperlink that misspells a well-known website (such as Microsoft)?
- Is the sender’s email from a suspicious external domain? (like micorsoft-support.com rather than microsoft.com)
What about attachments?
- Did the sender include an email attachment that you were not expecting or that makes no sense in relation to the email’s context?
- Does the sender ordinarily send you these types of attachments?
- Did the sender send an email with a possibly dangerous file type? Files with a .TXT extension are typically safe, but beware: a file can be disguised with a file extension that does not match what it really is.
If you notice anything about the email that alarms you, do not click links, open attachments, or reply. You are the last line of defense to prevent cyber criminals from succeeding and making you or your company susceptible.
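The hyperlink questions in this section (does the hover target match the address shown, is a well-known name misspelled, is the sender on a suspicious external domain like micorsoft-support.com, and the missing ‘s’ in https) can be applied mechanically to an email before anyone clicks. The Python below is an added example, not code from the college or from KnowBe4; the brand list, sender address and email body are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Domains the organisation legitimately receives mail from (assumed list).
KNOWN_BRANDS = ("microsoft.com", "amazon.com", "wilsoncc.edu")
# Constructed phishing sample: sender and hover target are typo-squats of microsoft.com.
SAMPLE_SENDER = "helpdesk@micorsoft-support.com"
SAMPLE_BODY = """<p>Your mailbox is full. Sign in to keep receiving mail:</p>
<a href="http://micorsoft-support.com/login">https://login.microsoft.com</a>
<p>Campus portal: <a href="https://www.wilsoncc.edu/">www.wilsoncc.edu</a></p>"""
# (href, visible text) of each anchor, i.e. what hovering over the link would reveal.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)

def registrable(host):
    """Last two labels of a hostname (enough for the .com/.edu cases used here)."""
    return ".".join((host or "").lower().strip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 between a label and a brand name signals a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(domain):
    """Return the known brand that a registrable domain imitates, or None."""
    if domain in KNOWN_BRANDS:
        return None
    for brand in KNOWN_BRANDS:
        # "micorsoft-support.com": compare each hyphen-separated token with the brand name.
        for token in domain.split(".")[0].split("-"):
            if len(token) >= 5 and edit_distance(token, brand.split(".")[0]) <= 2:
                return brand
    return None

def scan_email(sender, html_body):
    """Apply the link red flags above to one email; returns a list of (rule, detail)."""
    findings = []
    sender_dom = registrable(sender.rsplit("@", 1)[-1])
    if lookalike(sender_dom):
        findings.append(("suspicious-sender-domain", f"{sender_dom} imitates {lookalike(sender_dom)}"))
    for href, text in ANCHOR.findall(html_body):
        url = urlparse(href)
        link_dom = registrable(url.hostname)
        if url.scheme == "http":  # the missing 's' that the HTTPS section warns about
            findings.append(("not-https", href))
        shown = DOMAIN_IN_TEXT.search(text)  # does the visible text name a different site?
        if shown and registrable(shown.group(0)) != link_dom:
            findings.append(("hover-mismatch", f"shows {shown.group(0)}, goes to {link_dom}"))
        if lookalike(link_dom):
            findings.append(("lookalike-domain", f"{link_dom} imitates {lookalike(link_dom)}"))
    return findings

if __name__ == "__main__":
    for rule, detail in scan_email(SAMPLE_SENDER, SAMPLE_BODY):
        print(f"{rule:24} {detail}")
```

The crude two-label `registrable()` is enough for the .com and .edu names used here; real gateways use the public suffix list so that names like `example.co.uk` are handled correctly.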
Proper Workstation Use
Personal pictures, social networking and online banking are all things you should not do, or be logged in to, on your work computer.
Work computers are for work: visiting work-related websites, researching, emailing, generating PowerPoint slideshows, and other work-related actions. Much like posts to social networking sites, everything you say or do on them can be used against you.
Acceptable Use Policy
Most organizations have a ‘workstation acceptable use policy’ that explains the proper use of your work computer. If your organization has this type of policy, make sure you take the time to read it. Everything you do on your work computer, such as visiting websites, how much time you spend on Facebook, playing solitaire, or using instant messenger chat, can be monitored and logged. Think about what you’re doing; anything you post on the internet is there forever.
Be safe online
When it comes to visiting websites or opening personal emails, those actions can affect your work computer and other work computers in your organization.
If you happen to visit a site that has malware, you may now have exposed the rest of the company to a malware infection.
Be aware that you are using a computer that is not yours: the things you do on that computer are not private and could have an impact on your entire company.
Security Awareness Training
All employees are encouraged to complete security awareness training upon starting employment. This training is delivered through the security training provider KnowBe4.
To access security awareness training, contact Technology Support Services at email@example.com.
Security Hints & Tips
Learning how to identify suspicious emails is essential to keeping your organization safe from cybercriminals. But did you know that mishandling a phishing attack could be just as dangerous as falling victim to one?
Here are some examples of what NOT to do when you receive a suspicious email:
Do not reply to the email for verification.
If you receive a suspicious email that appears to be from someone you know, you may be tempted to investigate further. Replying to the email with questions like, “Have you been hacked?” or “Is this attachment safe?” only increases the security risk. If an email account has been compromised, the person who replies back to your question probably won’t be who you expect. You could be communicating with a cybercriminal in disguise.
Do not forward the email to someone else.
The best practice is to never click a link or open an attachment that you were not expecting. But if you are fooled by a phishing email and you click a malicious link or open a malicious attachment, you may find that the link or attachment will not behave as expected. For example, after you open what appeared to be an image attachment, the file may open an installer window instead. Another example is when a malicious link redirects you to an unrelated login page.
If you see the unusual behavior of a malicious link or attachment, you may think about forwarding the email to a coworker for help. But, don’t do it! Whenever you click on a link or open an attachment, consider any unusual behavior as a red flag. Never forward unusual or suspicious emails to other users. If you forward a phishing email, you increase the risk of a security breach because it helps cybercriminals reach more potential victims.
Do not mark the email as spam.
First, let’s clarify the difference between spam and a phishing attack. Spam emails are typically annoying or unwanted advertisements. Spam is often unsolicited, but it is usually just a harmless attempt to sell you something. On the other hand, a phishing attack is a malicious email designed to look and feel like real correspondence. Phishing emails typically include a call to action such as clicking a link, opening an attachment, or even transferring money.
Marking an email as spam moves that email, and any other emails that you receive from that sender, to a different folder. This means moving a phishing email to spam would only hide the problem, not resolve it.
What should I do with a suspicious email?
The best way to handle a suspicious email is to notify your organization. If you report a suspicious email, your cybersecurity specialists can assess and mitigate the threat.
Here are some tips for reporting a suspicious email:
- Be sure to follow your organization’s process for reporting suspicious emails. Following cybersecurity protocols will help keep everyone’s information safe.
- If you don’t know how to report the email, leave it in your inbox and ask a manager or supervisor for help.
- If you’re not sure whether an email is spam or a phishing attack, report it and let the experts decide.
Social Media - Not Just for Socializing
Social media offers cybercriminals ample opportunities to social engineer or manipulate people to their nefarious advantage. Many do not consider how much personal information is available online and waiting to be used against you.
Social media platforms are also a breeding ground for fake profile personas waiting to take advantage of you. For instance, LinkedIn has a professional influence unlike other social media sites, often making users less cautious when connecting with strangers. When people willingly make these connections under the assumption of making professional networking contacts, criminals can lure them into divulging personal details and direct them to malicious sites. Social Engineering is a never-ending weapon for cyber criminals and social media hands them most of the information they need for successful attacks.
Cybercriminals can use a quick company search on LinkedIn to find several contacts from a company, including information such as their job positions and email addresses. This quick search gives the attacker a new list of targets to familiarize themselves with for better spear-phishing attempts. If an attacker wanted to target you personally, they could easily find your favorite hobbies or activities from one or more of your social media profiles. They could then craft a relevant spear-phishing email or text message spoofed to look as if it is coming from a company or person that you commonly interact with. Always be aware of the information you share with the world, and be cautious of how that information can result in you, or your organization being more susceptible to a compromise.
Staying Safe Around Always-Listening Devices
With the overwhelming popularity of always-listening devices such as Alexa, Google Home, and smartphones, you’ve probably heard stories of these devices joining in on conversations without being prompted. Perhaps it’s even happened to you!
While this idea can be alarming and unsettling, there are ways to protect your private information, and conversations, from these always-listening devices. To help you stay safe from these devices, here are some tips:
- Review and delete voice recordings: Your device will store your search and activity history to create a customized experience for you. However, you can review and delete these recordings from the device of your choice in order to protect your privacy.
- Mute the microphone: You can mute your microphone to ensure that your device is not listening and recording when you are not using it. The recording capabilities will remain off until you turn them back on.
- Don’t link accounts with sensitive information to your device: If you have any accounts containing your sensitive information in them, it is best not to link those accounts to your device. This will keep your sensitive information secure from potential data breaches.
- Change the settings to automatically manage data stored by the device: Personally managing what data is being linked with your account will give you more control on the information that is being stored by your device and will save you time when deleting your history.
- Turn off your device when you’re away: When in doubt, turn it off. If your device does not have a power button, simply unplug it.
By creating a habit of unplugging and deleting voice recordings from these always-listening devices, you can help to make sure that there is an extra layer of protection between your always-listening device and your private information.
Steer Clear of Fake Login Pages
For cybercriminals, stealing your login information can be just as valuable as stealing your bank account information. If they gain access to your email and password, they may find clues in your account that they can use to create highly targeted phishing attacks against you, your organization, or your family. Once hackers have your login information, they can even sell it for payment.
How does it work?
A popular method of stealing your credentials is to use a fake login page to capture your login details. These attacks usually start with a phishing email that directs you to use a link in the email to “log in to your account”. The emails are usually authentic-looking and present a seemingly normal request. If you click the link, you’re brought to a login page that looks almost identical to the one you’re used to but is actually a fake. Once you’ve entered your email and password on the fake page, you may be redirected to the real website, leaving you unaware that your login credentials were stolen.
How do I Spot a Fake Page?
As the first line of defense, always navigate to your account’s login page by typing the web address in your browser, or by using a bookmark that you’ve saved, rather than clicking through links in an email. Also, be aware of the following tips to help you identify fake web pages:
- Pay attention to the address bar. To be on the safe side, make sure the website starts with https:// before entering any personal information.
- Check the domain name. Make sure that the website you are on is spelled correctly and is not mimicking a well-known brand or company.
- Watch for poor grammar and spelling. An excess of spelling, punctuation, capitalization, and grammar mistakes can indicate that the website was put together fairly quickly with no regard for professionalism.
- Look for reliable contact information. If you can find another way to contact the brand or company, reach out to them to confirm the email is real.
- Walk away from deals that are too good to be true. Some retailers will discount older merchandise, but if the latest item is also heavily discounted, walk away. It’s probably too good to be true!
Top 5 Facebook Scams
Facebook now has over a billion users; that’s a mind-boggling number of people who check their page regularly. The bad guys are irresistibly attracted to a population that large, and here are the top 5 scams they try to pull off every day of the year.
- Who Viewed Your Facebook Profile: This scam lures you with messages from friends or sometimes malicious ads on your wall to check who has looked at your profile. But when you click, your profile will be exposed to the scammer and worse things happen afterward.
- Fake Naked Videos: There are tons of fake naked videos being posted all the time using the names of celebrities like Rihanna or Taylor Swift that sometimes make it past the Facebook moderators. These scams are in the form of an ad or a post and have a link to bogus YouTube videos. That site then claims your Adobe Flash player is broken and you need to update it – but malware is installed instead!
- Viral Videos: Viral videos are huge on social media platforms. If you click on one of these “videos” you’ll be asked to update your video player (similar to the scam above) but a virus will be downloaded and installed instead. To avoid this, type the name of the video into Google and if it doesn’t have a YouTube or other legitimate site link, it’s likely a scam.
- Fake Profile Scam: Scammers steal the name and pictures from an existing profile and “friend” the real person’s friends in an effort to scam friends and family by faking an emergency. Be very cautious about accepting friend requests from someone you’re already friends with.
- Romance Scams: A specific type of “Fake Profile Scam” where con artists create a fake profile using the photos and stories of another person, and then develop “relationships” with their victims over posts, photos, and Facebook Messenger. These scammers typically shower you with romantic language, promise happiness, and eventually con you into giving up personal information, or even money. Avoid personal and financial heartbreak: don’t “friend” people you don’t know in real life.
Facebook is used for connecting with people you know. Be especially cautious of “friending” strangers, and of clicking on links in suspicious posts, and in messages. Stay away from these traps if you want to avoid giving away personal information or getting your PC infected with malware.
These are just a few of the common cyberthreats you may encounter. While some of us may never experience these types of attacks, it is important to be reminded that they are real and that they do occur on our campus.
Do your part by not responding to any email that asks you to click on a suspicious-looking link or requests personal or financial information. If you are unsure about an email, contact Technology Support Services immediately.
For more information contact:
Department: Information Technology
Phone: (252) 246-1224