October is Cybersecurity Awareness Month, with 2022 marking the 19th such occasion. Throughout October, the CNYRIC will be shining the spotlight on a variety of cybersecurity awareness topics, in the pursuit of stronger everyday practices that will help empower employees to make smarter, safer decisions to protect themselves, their organization, and our school districts.
You may have heard the word on more than one occasion in the information technology context: Phishing. It obviously sounds like the hobby favored by sportsmen, but it’s spelled differently. What is phishing? Does it have any similarity to the hobby?
Phishing for Credentials
Phishing actually does share some thematic similarity with the rod and line. Phishing refers to any attempt by cybercriminals to get you to click on a malicious link or download a malicious attachment, which would allow them to obtain your credentials or, maybe more disastrously, gain access to your organization’s sensitive data and information. The long and short of it: Phishing attempts are made to gain your personal information, gain access to your organization’s sensitive data, or both.
Video credit: National Cybersecurity Alliance
That Sounds Bad. What Can I Do?
Much in the same way that setting a strong password or passphrase is the first line of defense against some cybercriminal attempts, your first line of defense against phishing attacks is to know what to look out for in your email inbox. This task is becoming more difficult than it’s been in years past, but a keen eye can find the tells! In particular, keep these thoughts in mind:
- Does this email feel legitimate? Do you recognize the individual or the organization that is attempting to contact you through your work email? If for whatever reason you don’t have a great spam blocker in place, just ask yourself: Should a department store be emailing me at work in regard to an online order? Or, in a scenario where you handle your organization’s supply orders: Did I even place an order from that retailer? Generally speaking, is this email coming from an expected source, or an entity that you recognize?
- If coming from an ostensibly professional or expected entity, why are so many of these words misspelled? Why is some of the font randomly boldface, or highlighted in red? Why does this logo look slightly “off”?
- Even if you recognize the source… does it sound like the source? Does it sound like any communication that you’ve had with this person or group before?
- Is the entity emailing you using hostile or threatening language? Or threatening monetary penalties or legal action? Chances are, higher-stakes scenarios like that (if even applicable) aren’t being handled through email at all, let alone through your work email.
- Is the email directly asking you to verify your credentials via a direct link, or through some attachment (such as a PDF) that feels a little unusual, or out-of-the-ordinary?
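As an added illustration (not part of the CNYRIC article), the Python snippet below turns several of the tells above into a simple triage check over a constructed sample message: a sender domain outside the expected set, threatening or penalty language, a request to verify credentials, links to hosts outside the expected domains, and any attachment. The domain list, phrase lists and sample message are assumptions chosen for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the original article) that shows several tells at once.
SAMPLE_EMAIL = """\
From: "District Payroll Office" <payroll-alerts@example-mail.test>
To: staff@school.example
Subject: FINAL NOTICE: verify your account or face legal action
Content-Type: text/plain

Your mailbox will be suspended. Verify your credentials immediately at
http://login.example-mail.test/verify or a penalty will be applied.
"""

# Assumed: domains the organization actually sends mail from.
EXPECTED_DOMAINS = {"school.example"}
# Phrases that echo the article's red flags: threats or penalties, and credential requests.
THREAT_PHRASES = ("legal action", "penalty", "suspended", "final notice")
CREDENTIAL_PHRASES = ("verify your credentials", "verify your account", "confirm your password")


def phishing_tells(raw_message: str, expected_domains=EXPECTED_DOMAINS) -> list[str]:
    """Return the red flags found in an RFC 822 message string (empty list if none)."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    # Collect the readable text: the subject plus every text/plain part.
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    body = " ".join(str(p.get_payload()) for p in parts)
    text = f"{msg.get('Subject', '')} {body}".lower()

    tells = []
    if sender_domain and sender_domain not in expected_domains:
        tells.append(f"unexpected sender domain: {sender_domain}")
    if any(phrase in text for phrase in THREAT_PHRASES):
        tells.append("threatening or penalty language")
    if any(phrase in text for phrase in CREDENTIAL_PHRASES):
        tells.append("asks you to verify credentials")
    for host in re.findall(r"https?://([^/\s]+)", body):
        if host.lower() not in expected_domains:
            tells.append(f"link to unexpected host: {host}")
    for part in msg.walk():
        if part.get_filename():
            tells.append(f"unexpected attachment: {part.get_filename()}")
    return tells


if __name__ == "__main__":
    for tell in phishing_tells(SAMPLE_EMAIL):
        print("-", tell)
```

A message that trips none of these checks can still be phishing; the list is a reading aid for the recipient, not a replacement for reporting the email to IT.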
Alright, I Didn’t Click on Anything. So What Should I Do?
You’ve already passed the critically important first test: You didn’t click on any links contained in the message, and certainly didn’t provide your credentials to anybody. Now, you should immediately report the email to the information technology professionals in your organization, and follow their instructions from there. Failing that (or if using a personal email account at home), just delete the email, or report it to your email provider if that feature is available.
Of course, many of these problems can be stopped by effective spam-blocking software such as Mimecast before it even gets to your inbox. To learn more about how the CNYRIC (and Mimecast) can help your district learn how to combat phishing attempts, please call Steven Tryon at 315.433.2280, or reach him by email.
Other Cybersecurity Awareness Month Features:
Week 1: MFA | Week 2: Strong Passwords