Cybersecurity Awareness: Are you a potential victim?
The University of Nevada, Reno Information Security team believes that the key to a safe and secure computing environment is keeping users well informed and aware of the common pitfalls that can leave them vulnerable to security threats. Communication between University faculty, staff, and OIT is essential to protecting the integrity of all University assets, such as regulated student health information and research data. To this end, Information Security has kicked off a Cybersecurity Awareness Campaign which promotes transparent and open communication between all University of Nevada, Reno users and the Office of Information Technology.
One of the most common threat vectors is malicious email. You are likely familiar with spam messages, which contain unsolicited attempts to contact you, much like the junk messages you receive by postal mail. A much bigger concern is a type of malicious email called phishing, which is sent to a user with the intent to compromise their email account and steal their personal information. In some cases, attackers use the email account information gathered from phishing attacks to inundate potential victims' email accounts with more phishing emails. You can report phishing emails by forwarding them to email@example.com.
Spear Phishing and Social Engineering
There are also tailored attacks, called spear phishing, where the malicious actor creates specialized phishing emails that target a specific audience. Spear phishing emails are much harder to recognize because they appear more realistic than an ordinary phishing email. The malicious actors use social engineering in hopes of tricking their potential victims into giving away personal information, and in some cases into giving away funds. An example of a spear phishing attack would be an email that appears to be sent from the President of the University requesting that an invoice be paid immediately. Since the University is a public institution, it can be quite simple for malicious actors to find any preliminary information they need to initiate an attack. In situations where an email appears to come from a colleague, it is important to take the time to call your colleague to ensure the email is legitimate. Phishing emails that appear to come from internal email addresses are a common trend we see at the University.
What is concerning about phishing attacks is that anyone can be a victim of these emails, even those who are tech savvy and know that the potential to receive them is very high. Phishing attacks are not static; they evolve with time to increase their success rate. Information Security and Information Technology faculty and staff are not excluded from these potential threats. Anyone who is not paying close attention can fall for a phishing email, especially if it is well thought out and crafted specifically for its target audience.
Being proactive against threats with adequate software and training
While it can be very inconvenient to deal with lockouts and password changes for your work accounts, an often-overlooked ramification of falling victim to a phishing attack is that any personal information in your email account could have been accessed by the attacker. It is highly recommended that victims of phishing attacks invest in identity theft protection and credit monitoring as a precaution to ensure that they are well defended against future attempts to use their personal information in an unauthorized manner. The Information Security team at the University of Nevada, Reno prevents hundreds of phishing attacks per day. Given the threat of phishing attacks, users need to be prepared and aware, because they are the last line of defense.
In order to keep information safe, Information Security at the University continues to provide and implement software and tools that will further protect users. An example of this is multi-factor authentication. Multi-factor authentication is what you experience when logging in to Workday from off campus: you must verify your credentials twice before being allowed on the system. This process makes it more difficult for malicious actors to steal your information and use it to their advantage.
In addition, InfoSec offers security awareness training, which educates users on common tactics malicious actors use. The Office of Information Technology is offering security awareness training at no charge to any faculty or staff member at the University with a NetID and institutional email address, and to student employees with a NetID and valid Gmail account. To sign up for training, please send an email to firstname.lastname@example.org or self-enroll in courses by logging in to our training site.