Since 2004, the President of the United States and Congress have declared October to be Cybersecurity Awareness Month, helping individuals protect themselves online as threats to technology and confidential data become more commonplace. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) lead a collaborative effort between government and industry to raise cybersecurity awareness nationally and internationally.

https://www.cisa.gov/cybersecurity-awareness-month

This year, we will focus on four key behaviors which allow users to feel empowered to take responsibility for personal data safety online.

WEEK 3 – Recognizing Phishing and Malicious Emails

With the increased use of online resources to conduct school and work, phishing messages are a common occurrence in today’s world. Phishing occurs when a bad actor sends fraudulent emails, text messages, or Teams messages in an attempt to get individuals to disclose sensitive information. While not every unsolicited email is a phishing attack, it should be inspected for other suspicious elements that may help you identify if it's legitimate. According to the Verizon Data Breach Report, phishing attacks account for more than 80% of reported security incidents.

Identifying malicious emails

Be on the lookout for the following characteristics that can help you identify phishing messages:

* Unsolicited. Be cautious of emails that you were not expecting to receive.
* Too good to be true. If it sounds too good to be true, it probably is. Part-time job scams often offer to pay an exorbitant amount of money for a simple task.
* Asking for personal or financial information. Report emails asking for personal information.
* Deceptive web links. Hover your mouse on the hyperlink to view its true destination. If you don't recognize it, don't click it.
* Variations of legitimate addresses. For example, an email address ending in @ohio-edu.org instead of @ohio.edu.
* Fake sender's address. Click the sender's name to view the email address.
* Requesting urgency. The intention of urgency is to influence users to act quickly to prevent them from noticing suspicious elements.
* Fraudulent sites often don't start with HTTPS. The "s" stands for secure. Never sign in to websites that are not using HTTPS.
* Misspelled words and bad grammar. Phishing emails often contain misspellings and grammar issues.

Types of phishing messages

* Email impersonation or spoofing is a forgery of a message so it appears to have originated from a legitimate sender. This is a popular tactic by attackers since the recipient is more likely to open a message from a familiar source. These attacks often turn into gift card scams where the attacker influences the individual to buy gift cards.
* Part-time job scams often target college students or alumni who may be searching for job opportunities. These scams are fake job offers that are usually too good to be true, offering high wages for little work. Be wary of any unsolicited emails with this characteristic, especially ones that send a check prior to you beginning any work. The scammer often will request you to wire a portion of the check back to them, and you will lose that amount of money.
* Emails tagged as malware have been identified to contain a link or an attachment that directs your machine to install malicious software. Generally, malicious software can delete or steal personal information, slow down your computer, encrypt your files and hold them for ransom, or display unwanted advertisements.
* Extortion email messages threaten the recipient and demand a payment, often in the form of a cryptocurrency like Bitcoin. A popular extortion category is known as sextortion, where the attacker will claim they have malware installed on your computer that captured embarrassing photos of you.
  Attackers may also leverage previously breached credentials for services tied to your email address to provide a level of authenticity to their message.
* Vishing is a type of social engineering attempt that takes place over the phone. A random number or spoofed phone number calls and a bad actor attempts to collect valuable personal information by claiming they are a debt collector or other type of customer service representative.

Additional Information: https://www.ohio.edu/oit/security/cybersecurity-awareness-month/phishing

CORSA University: https://corsa.localgovu.com
Course Name: Protection from Ransomware and Phishing Attacks

Also see attachment.

James Hale, ARM-P, ARM-E, CPSI
Risk Control Consultant
County Risk Sharing Authority
209 East State Street
Columbus, OH 43215
614.246.1630
FAX 614.220.0209
“The leader in providing Ohio Counties with exceptional value, service, and protection of assets.”
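
The sender and link checks from the "Identifying malicious emails" list above can be automated for triage of reported messages. The following Python sketch is an added example, not part of the original message: it flags a lookalike sender domain (the page's @ohio-edu.org versus @ohio.edu case), links that are not HTTPS, and link text that shows one host while pointing to another. The names `TRUSTED`, `SAMPLE`, `LinkCollector`, `is_lookalike` and `check_message` are hypothetical, and the sample message and its example.net host are constructed.

```python
import re
from email import message_from_string, utils
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "ohio.edu"  # legitimate domain, taken from the page's example
# Constructed sample message (not a real email); example.net is a placeholder.
SAMPLE = """From: "IT Help Desk" <helpdesk@ohio-edu.org>
Content-Type: text/html

<p>Act now: <a href="http://login.example.net/verify">www.ohio.edu/login</a></p>
"""

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)  # buffer is reset at every <a>
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_lookalike(domain, trusted=TRUSTED):
    """True for domains that imitate `trusted` (ohio-edu.org vs ohio.edu)."""
    d, squash = domain.lower(), lambda s: re.sub(r"[^a-z0-9]", "", s)
    legit = d == trusted or d.endswith("." + trusted)
    return not legit and squash(trusted) in squash(d)

def check_message(raw):
    """Return checklist findings for one raw message with an HTML body."""
    msg, findings = message_from_string(raw), []
    domain = utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if is_lookalike(domain):
        findings.append(f"lookalike sender domain: {domain}")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    parser.close()
    for href, text in parser.links:
        url = urlsplit(href)
        if url.scheme != "https":
            findings.append(f"link is not HTTPS: {href}")
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        if shown and shown.group(0) != (url.hostname or ""):
            findings.append(f"text shows {shown.group(0)}, goes to {url.hostname}")
    return findings
```

An empty result only means none of these three checks fired; the other items on the list (urgency, requests for personal information, offers that are too good to be true) still need a human read.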