Cybersecurity: Fight the phish
Do Your Part. #BeCyberSmart.
October 14, 2021
Have you ever received an email out of nowhere from someone you knew asking you to buy gift cards? Or a message from an unnamed administrator saying your account is going to be deleted if you don’t renew your information? In today’s digital age, cyber attackers commonly try to pretend to be someone you know or trust in order to convince you to hand over important information. In fact, phishing attacks and scams have thrived since the Covid-19 pandemic began. According to the 2021 Verizon Data Breach Investigations Report, phishing attacks were involved in 36% of all 2020 breaches, up from 25% the year before. More than ever, it’s important to be wary of unexpected or unsolicited emails, text messages or chat boxes.
Here are some tips to keep yourself safe and fight the phish:
- Verify the sender’s address. It isn’t enough to see a familiar name in the “from” field. Look closely at the email address that the message was sent from. If the message is a fake, instead of seeing “firstname.lastname@example.org,” you might instead see something like “email@example.com.” If the attack is targeted, you might even see “firstname.lastname@example.org.” For text messages, verify that the account sending messages to you matches the one in your contacts. If the message didn’t come from an account you know and recognize, you’re likely being lured into a scam.
- Verify MSU Denver’s external email flags. If you receive an email with the flag “[EXTERNAL]” at the beginning of the subject line, MSU Denver’s email system is alerting you that this message came from outside of the University. Such emails will also have the following text at the beginning of the body: “NOTICE: This message originated from outside the University. Please exercise caution when replying or opening links and attachments.” If you see these flags, examine the email carefully, especially if it’s claiming to come from someone within the University.
- Don’t rely on email. Even if the message you received is from a legitimate sender, don’t forget that email accounts belonging to others can become compromised. If the request from the sender doesn’t seem normal, don’t be afraid to respond via other means, such as a call or text. Having a quick conversation could save you from sending your or your organization’s hard-earned money to a scammer.
- Be especially cautious while on the go. Research points to users being significantly more susceptible to phishing and other social attacks that they receive on mobile devices. Mobile interfaces have been designed to make taking action (accepting, replying, sending, liking and so on) easy, while the limited browser functionality, data availability and even screen space of mobile devices can make scrutinizing any message difficult or tedious. On top of that, users interacting with mobile devices are often engaged in any number of other activities that can interfere with their ability to pay careful attention to incoming information. Before providing any information, make sure you can give such requests the attention they deserve.
- Vet the sender. If, for whatever reason, you’re not comfortable reaching out to a sender by phone or text, don’t be afraid to respond with questions he or she should know. “Which meeting are you at?” or “What is my extension?” could work. Again, for the sake of you and your organization, it’s worth taking the time to make sure you know who you’re talking to.
- Forward suspicious messages. If you’ve identified an illegitimate message, or if you can’t verify it yourself, please forward it to email@example.com. The MSU Denver IT Security Team regularly investigates all messages sent to this address for legitimacy and can use that information to better safeguard the University by proactively blocking unsafe addresses, websites and attachments.
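For readers who triage forwarded messages, the sender-address and external-flag checks from the tips above can be sketched in code. This is an added example, not MSU Denver's tooling; the mail domain `msudenver.edu`, the name "Pat Example" and all sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "msudenver.edu"  # assumption: mail domain inferred from support.msudenver.edu
EXTERNAL_TAG = "[EXTERNAL]"        # subject flag quoted in the article
NOTICE = "NOTICE: This message originated from outside the University."

def triage(raw, known_names):
    """Return findings for one raw message (plain-text, single-part assumed)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    internal_addr = domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)
    body = "" if msg.is_multipart() else msg.get_payload()
    flagged = (msg.get("Subject", "").lstrip().startswith(EXTERNAL_TAG)
               or body.lstrip().startswith(NOTICE))
    findings = []
    if flagged:
        findings.append("external-flag")
    # Familiar display name, unfamiliar address: the first tip in the list.
    if display.strip().lower() in known_names and not internal_addr:
        findings.append("known-name-outside-address")
    # Visible From claims the University, yet the mail system marked it external.
    if flagged and internal_addr:
        findings.append("internal-address-with-external-flag")
    return findings

def sample(sender, subject, body):
    """Build a constructed test message; none of these are real mail."""
    return f"From: {sender}\nSubject: {subject}\n\n{body}\n"

KNOWN = {"pat example"}  # hypothetical colleague name
SAMPLES = {
    "genuine": sample("Pat Example <pat.example@msudenver.edu>", "Budget meeting", "See you at 3."),
    "lookalike": sample("Pat Example <pat.example1984@mail.example.net>",
                        "[EXTERNAL] Quick favor", NOTICE + " Are you free?"),
    "spoofed_from": sample("Pat Example <pat.example@msudenver.edu>",
                           "[EXTERNAL] Renew your account", NOTICE + " Act now."),
    "vendor": sample("Vendor News <news@example.com>", "[EXTERNAL] Newsletter", NOTICE),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13} {triage(raw, KNOWN)}")
```

An ordinary vendor message produces only the external flag; the two combined findings are the cases the tips say to examine most carefully.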
Social engineering techniques often rely on people’s desire to be helpful and cooperative, but remember, being professional and following protocol doesn’t mean being unhelpful. Verifying someone’s identity or calling someone back rarely takes long, and anyone who works at the University will understand the need to follow security policies and practices.
This is part of a series of articles for Cybersecurity Awareness Month 2021. To learn more about Cybersecurity Awareness Month and cybersecurity in general, visit staysafeonline.org or cisa.gov for resources and information.
Thank you for helping keep MSU Denver safe and cyber-secure. If you have any questions or concerns, please contact the ITS Service Desk at 303-352-7548 or support.msudenver.edu.
Next time: Cybersecurity Training
Topics: ITS, Technically Speaking, Technology