If you’re not familiar with the term phishing, it is an attempt to fraudulently obtain sensitive information such as account logins and passwords, Social Security numbers, credit card numbers, account numbers, etc.
The most common form of phishing is through the use of email, but it can also happen over the phone. Phishing has become one of the most – if not the most – common ways criminals obtain sensitive information. As IT departments have locked down computer systems, attackers have found that humans are often the weakest link in the security chain. Why spend hours trying to find a way to break into a computer when you can just ask the human using it to provide the information you want?
The common thread in phishing is that the attackers will try to come up with a believable scenario and ask you to do something. This may be as simple as emailing you a link asking you to reset your email password; when you click on the link you go to a website that looks just like the real one. Except it isn’t.
Cloning a website has become an easy process for an attacker. There are easily obtainable tools that copy a website such as gmail.com in its entirety. Some techniques even forward you on to the real website after you submit your credentials, so you don’t become suspicious when your login doesn’t appear to work.
Unfortunately, there isn’t an easy solution to this problem. As time has gone on the attacks have become more and more sophisticated. Long gone are the days when phishing attempts used poor grammar and punctuation, which served as a red flag to alert you that something wasn’t quite right about that email asking you to reset your bank account password.
Now, we see ever more sophisticated and targeted attacks, often referred to as spear phishing. The attacker will find out the names of the most important individuals, the college president for example. They will then find who reports to these executives and impersonate the executives in requests to those employees.
An example of a college that fell prey to this scheme involved an attacker who impersonated the president. They asked an employee in payroll to send them the W-2s of the college’s employees so they could review them. The employee, not wanting to question or upset the person they perceived as their superior, complied with the request and sent the attacker copies of the employees’ W-2s.
Security Awareness Training
There is help. The California Community Colleges (CCC) Information Security Center offers free online Security Awareness Training for all employees of the CCC, and phishing awareness is part of this training. You can sign up for the training at our website.
In general, though, here are some tips to avoid being the victim of phishing scams:
- An IT department should never ask you to reset your password through email.
- An IT department should never ask you for your password over the phone.
- You should never send any sensitive information through regular email. This includes Social Security numbers, credit card numbers, account numbers, and any documents that include these. Email is not encrypted and should never be used to send and receive such sensitive information.
- Don’t open documents you are not expecting to receive, and if you are ever asked to enable macros after opening a document, don’t do it. This is a common way an attacker will try to infect your computer with malware.
- Never go to your bank’s website by clicking on a link from an email, as it may be fraudulent.
- If you receive a message that doesn’t look right to you, report it to your local IT department.
of the California Community Colleges Information Security Center