Miami Moment goes behind the IT firewall


Brian Henebry (left) and Joe Bazeley

written by Carole Johnson, university news and communications

Yes. I got phished. Surprised by how easily I fell for the email scam, I asked Joe Bazeley and Brian Henebry from IT services about the latest defenses against technology dangers.

Q: It seems like this fall, Miami email users are seeing an increase in scams. Am I correct?
A: These scams are cyclical, and yes, we appear to be in an upscale period for both email phishing and phone scams. The core problem is that email was not written with security in mind when developed in the late ’60s and early ’70s. Email systems trust information they receive without validating it, making it easy to spoof. Similar problems exist with phone caller ID. We trust the number displayed on our mobile phone is from someone we know, but that information can also be spoofed. Bottom line: People figured out how to make money by tricking us to get into our systems.

Q: How do they make money?
A: They get credit card numbers, social security numbers, user names and passwords. They even convince people to purchase gift cards, such as to Kroger, for charity causes. The unsuspecting person provides the gift card information, and the scam artist turns around and sells it online for a profit. Hackers are getting smarter and making it easier to fall prey. They like to exploit existing relationships that you have. So when they compromise one account, they will often send out a similar message to everyone in that user’s address book. They are hoping that the recipient will click the malicious link because they trust the sender.

Q: Yes, the email told me to click on a Google.doc link to view documents, but when I did, the link was faulty. How do we protect ourselves from what seems normal?
A: Several things you can do. First, check the wording. In your case, the email was typed in all caps and was worded strangely. Second, using your mouse, hover the cursor over the email without clicking. It will show the website address associated with that link so you can determine if it is legitimate. Unfortunately, on mobile devices like the iPad and cell phones, this option is not available. Avoid clicking on the email until you are at a desktop or laptop computer. You can also call the sender to ask them if they sent you the message. If you still aren’t sure, you can send the message to InfoSec@MiamiOH.edu. If you do type your password into a malicious site, immediately go to Miami’s website at https://miamioh.edu/password and change your password.

Q: How does Miami’s firewall protect employees and the university?
A: To be clear, the firewall does not inspect email. Miami’s email is provided through an outside source, Google. Google has spam filters that take care of some bad email, but not all. Miami’s firewall protects our network services. You can think of it like a border crossing in a country. Network traffic from the Internet (another country) wants to enter the Miami network (our country). The firewall decides whether or not to let it in based on its source address, destination address and a few other details (like having your passport checked). It protects unwanted visitors from trying to obtain information from sensitive Miami systems like Banner. Miami also has two-factor authentication for some systems. This process provides another wall of protection for employees entering grades, accessing their tax forms or changing their direct deposit information.

Q: Mac or PC, it seems it doesn’t matter what you use, scams are finding us. What other dangers lurk in the Internet world?
A: Watch out for CryptoLocker, a nasty piece of software. If you are tricked into downloading this software, it gets into your important files and encrypts them so you cannot access them. The perpetrator then demands that you pay to decrypt those files. Many small businesses fall prey to this. We are seeing more and more students and employees downloading malicious software. The software asks for administrator rights, which allows the software to take control of the system. Remember, a well-educated user can identify and stop any of these scams.

Joe Bazeley is assistant vice president of security, compliance and risk management. Brian Henebry is associate director of enterprise systems operations.

How savvy are you at spotting email phishing scams? Take the McAfee Phishing Quiz.