Share:

Cybersecurity awareness: Have you been phished?

by Elizabeth Jenike, IT Services

As National Cyber Security Awareness Month continues, this week we’re talking about a subject you can never learn too much about: phishing.

Each year, Miami sees 1,000 compromised email accounts. This means 1,000 times a year—nearly three times a day—malicious actors successfully gain access to people’s accounts and install malware or scam account holders out of money by having them click unsafe links. We block even more attacks than that—according to our network security engineers, we block around 24,000 hits to the network per day. This number represents not only phishing attempts, but security risks in general.

Purple betta fish

For examples of what phishing looks like on Miami systems, please read our most recent articles warning against specific emails received by Miami employees this semester.

One of the most devastating forms of phishing is called the business email compromise (BEC). This is a social engineering tactic wherein hackers target high-level employees with access to financial information. They often spoof the email of a high-ranking person in the company (think CIO or CFO) and write emails asking the finance department to transfer money to various fraudulent accounts. The unsuspecting employees, thinking the email is coming from the C-suite, oblige. In July, the Federal Bureau of Investigation (FBI) reported that $12.5 billion had been lost to BEC just this year.

What are we doing to combat phishing at an organizational level? What can you do as an individual to ensure your own private security? Here are some ways we can work together to keep the hackers out of your inbox:

Security Awareness training

SANS logo

This past spring, IT Services instituted university-wide mandatory annual security awareness training. One of the modules of this training teaches the user about phishing and how to spot a scam email when you get one.

Here are a few takeaways:

  1. Hover over links in suspicious messages. Often, the link preview will show a different URL than the one stated in the message, with sometimes random-seeming numbers and letters in place of actual words in the link.
  2. Check to see where the message is coming from. For instance, if the message purports to be from President Crawford, but it’s using a Hotmail domain, that’s a clear indicator that President Crawford didn’t send you this email.
  3. Take stock of what the email is asking you to do. Phishing scams sometimes involve malicious actors asking for personal information (PI), but more quietly nefarious messages may simply say, “How are you?” with no context at all. (For an example of this, please see this phishing attempt from earlier this semester.)

Multi-factor authentication

Two Factor Graphic

We know the importance of having a strong password. Complicated passphrases can help deter hackers and keep them out of your account. However, in the event that someone is able to guess or brute force a password, it’s a good idea to have a second wall in place. That’s where multi-factor authentication (MFA) comes in.

MFA provides additional hurdles for hackers to surmount and essentially eradicates the existence of compromised accounts.

The good news for Miami users is that IT Services is working on protecting all of our systems with MFA. On December 19, 2018, IT Services will be mandating two-factor authentication for the entire University. Miami resources (e.g., BannerWeb, Miami Mail, myMiami, Canvas, etc.) will be blanketed by an extra layer of protection. This will virtually eliminate phishing—including (and especially) BEC—and will allow us to better safeguard our systems.

Constant vigilance

Above all else, educate yourself about phishing: what it looks like, what kinds of messages you can expect to receive.

If you receive an email that seems suspicious (the links don’t go to legitimate websites when you mouse over them, the email address doesn’t come from the Miami domain, etc.) please forward it to InfoSec@MiamiOH.edu. The Security, Compliance, and Risk Management team can take a look and determine legitimacy—and block links from the Miami network where necessary.

Act now! Tech fee proposals due

This is the last week we will be taking proposal applications for the 2018-19 Tech Fee competitive bid process. Proposals are due by the end of the day on Friday, October 12. The form to apply for competitive Tech Fee funding is available at the Tech Fee website.

Since 2009, Miami faculty, staff and students have developed innovative and exciting projects with around $5 million of awarded funds. The projects help students in and out of the classroom through the use of technology.

This year, a total of $525,000 in tech fee funding is available to fund projects that help students in and out of the classroom through the use of technology. Committee members are looking for innovative or significant ideas that clearly benefit students. The guidelines define “significant” in two ways: impacting a large number of students or having a deep impact on a smaller number.

For more information and to submit a proposal, visit the Tech Fee website: MiamiOH.edu/TechFee.