Technology, Computer Services

AI

• Generative AI and Scams
  (Content courtesy of Fake Amazon calls and the use of generative AI highlight new phone scam report by Kurt Schlosser)

  Artificial intelligence (AI) has continued to make news on its ability to help in different industries. The article by Schlosser, explains how AI has helped in the phone fraud and spam industry. The article shows that there has been a decrease worldwide on phone scams, however, AI has helped scammers in making it more believable. The article explains that scammers can take a three-second clip of a person's voice and then the AI can use it as its own voice targeting family members or friends.

  In recent history, the holidays have always had an increase scam but may be heightened due the global circumstances. AI seems to be giving threat actors a variety of new tools to apply in their campaigns. It will be important for individuals to continue to be watchful for these campaigns.

  Here are some links for tips to protect yourself:

  • Tips to Avoid Scams – FBI
  • Avoid Scams – Los Angeles County Consumer and Business Affairs

Cybersecurity

• Cybersecurity Overview and Basics
  There has been a dramatic increase in the number of cybersecurity incidents reported since the start of the pandemic. On June 6, the University of California, San Francisco (UCSF) paid a ransom of $1.14 million to hackers to recover data from its School of Medicine that had been encrypted in a cyberattack. Similar attacks were carried out against Michigan State University and Columbia College, Chicago. In August, the University of Utah reported a payment of $457,000 to cybercriminals who held employee and student data for ransom.

  Cybercriminals often take advantage of poor security practices by employees in order to conduct their activities. Keenan and Associates has provided Citrus College with a series of online training courses that can improve your security awareness. Help keep the IT resources and sensitive data at the college safe by taking one (or all) of the following courses, available on the training calendar:

  • Cybersecurity Overview: This introductory course provides an overview of cybercrime and cybersecurity, including the basics of cybersecurity along with the effects of cybercrime, the types of cyber threats and how users are susceptible.
  • Browser Security Basics: This course provides all staff members with an overview of browser security and ways to browse the web safely. Topics include: the types of browser threats, the basics of browser security and safe browsing practices.
  • Password Security Basics: This course provides an overview of password security and management, including the basic principles of password security, the elements of a strong password, and strategies of how to create and maintain passwords.
  • Email and Messaging Safety: This course provides an overview of cybercrime via email, and how to employ safe email and messaging practices to avoid and help prevent cyber threats, attempts at fraud and identity theft.
  • Protection Against Malware: This course provides staff members with an overview of basic protection against malware. Topics include: the types of malware, how malware works and protective strategies.
  • Copyright Infringement: This course covers basic knowledge about copyright laws, print and audio materials, visual and multimedia materials, and the internet and digital media.
    
    

  Click this link to launch a curriculum containing all six of these courses.

• National Cybersecurity Awareness Month (NCSAM)
  NCSAM is spearheaded by the U.S. Department of Homeland Security and the National Cyber Security Alliance.
  

  It's everyone's job to ensure online safety at work. The lines between our work and daily lives are becoming increasingly blurred, and it is more important than ever to be certain that smart cybersecurity practices carry over between the two. When you are on the job, Citrus College's online security is a shared responsibility.

  Here are some simple steps that can make you safer and more secure at work and home:

  Keep security software current: Having the latest security software, web browser and operating system is the best defense against viruses, malware and other online threats.

  Automate software updates: Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that's an available option.

  Protect all devices that connect to the Internet: Along with computers, smartphones, gaming systems and other web-enabled devices also need protection from viruses and malware.

  Lock down your login: Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like email, banking and social media.

  Make your password a sentence: A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, "I love country music."). On many sites, you can even use spaces!

  Unique account, unique password: Having separate passwords for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passwords.

  Write it down and keep it safe: Everyone can forget a password. Keep a list that’s stored in a safe, secure place away from your computer. You can alternatively use a service like a password manager to keep track of your passwords.

  When in doubt, throw it out: Links in emails, social media posts and online advertising are often how cybercriminals try to steal your personal information. Even if you know the source, if something looks suspicious, delete it.

  Get savvy about Wi-Fi hotspots: Limit the type of business you conduct and adjust the security settings on your device to limit who can access your machine.

  Protect your $$: When banking and shopping, check to be sure the site is security enabled. Look for web addresses with "https://" or "shttp://", which means the site takes extra measures to help secure your information. "http://" is not secure.

• Cybersecurity
  (Content courtesy of the Educause Cybersecurity Resources)

  "The Internet is a powerful and useful tool, but in the same way that you shouldn't drive without buckling your seat belt or ride a bike without a helmet, you shouldn't venture online without taking some basic precautions."

  This is an important reminder from the National Cyber Security Alliance that cybersecurity is everyone's responsibility as an individual and a member of our ever-growing online community. Here are some tips to keep in mind as we work together to create a better, safer digital world for ourselves and others.

  • Own your online presence. To keep yourself safe, set privacy and security settings on web services, apps, and devices to your comfort level. You do not have to share everything with everyone. It is your choice to limit what (and with whom) you share personal information.
    
  • Be a good digital citizen. The things that you would not do in your physical life, do not do in your digital life. If you see crime online, report it the same way that you would in real life. Keep yourself safe and assist in keeping others safe on the Internet.
    
  • Respect yourself and others. Practice good netiquette, know the law, and do not do things that would cause others harm. The Golden Rule applies online, as well.
    
  • Practice good communication. Never send an e-mail typed in anger. Put it in your draft folder and wait. Keep in mind that digital communications do not give the reader the same visual or audio cues that speaking in person (or by video or phone) does.
    
  • Protect yourself and your information. Use complex passwords or passphrases, and don't reuse the same password or variations of a simple phrase phrase. Better yet, enable two-factor authentication or two-step verification whenever possible.
    
    
• Understanding the Basics of Online Safety and Security
  (Content courtesy of the EDUCAUSE Cybersecurity Program​)​

  Shopping, surfing, banking, gaming, and connecting Internet of Things devices such as toasters and refrigerators are some of the many actions performed each minute in cyberspace. These common everyday activities carry the cyber threats of social engineering to gain unauthorized access to data, identity theft, bullying, location tracking, and phishing, to name just a few. How can we decrease our risk from these cyber threats without abandoning our online activities altogether? Here are some basic online tips everyone can follow to help stay secure while online.
  

  • Set up alerts. Consider setting up alerts on your financial accounts. Many credit card companies and banks allow you to set up alerts on your accounts via their websites. These alerts range from sending you an email or text each time a transaction happens on your account to alerts when transactions meet or exceed a designated spending limit that you set. These alerts keep you in control of your accounts' activities. These types of alerts are useful because they make you aware of what's going on with your account quicker than waiting for monthly statements. When you receive an alert about a transaction that you did not authorize, you can reach out to the credit card company or bank immediately. Log into your credit card company and banking websites to set up alerts on your accounts.
  • Keep devices and apps up to date. This familiar tip is useful even if you are just casually surfing the internet. Keeping your devices up to date (including apps and operating systems) ensures you have the latest security fixes.
  • Don't use public Wi-Fi. In addition to an updated device, the network the device is connected to is also important. Did you have to enter a password to connect to a Wi-Fi network? If you did, that network is more secure than an open one that any device within range can connect to. Whenever possible, use a secure network, especially when banking or shopping online.
  • Consider using a VPN. VPN stands for virtual private network, and its main purpose is to provide a tunnel for encrypted internet traffic. If you are connected to the internet without using a VPN, your traffic is passed through the internet service provider's servers. The location of your device is known, and if you must connect to a public Wi-Fi network, there is a risk of snooping by other devices on the same network. Connecting to a VPN redirects your internet traffic to a remote server, encrypting the traffic, reducing the snooping risk. There are many options for VPN software today for consumers and businesses. Do your research and decide which one makes sense for your online needs.
  • Create unique passwords. Here's another familiar tip. Using the same password for many sites is not a best practice. Suppose that one of your accounts suffered a data breach and your password was exposed. If you reused this password on other accounts, it's likely that someone would be able to access those accounts as well (especially if your user name is an email address). Consider using a password manager to manage all your passwords. Not only do these tools manage all your passwords, they can also create strong passwords and can even autofill your username and password as you go to websites on different browsers.
  • Be vigilant. Be aware, there are fake websites out there waiting to collect your valuable information. Make sure you are on a legitimate site by double-checking the URL website address to make sure it is spelled correctly. Also make sure you see a padlock and https:// in the URL.
    
    

  Remember that you are in control of your online activities. Following these security tips will give you peace of mind while online.

Data

• Data Breaches
  All Citrus College staff and faculty have a responsibility to know basic information security protections to safeguard data and prevent those data from being mishandled.
  
  

  Here are some things you can do every day to protect our student data.

  • Update your computing devices: Ensure updates to your operating system, web browser, and applications are being performed on all personal and institution-issued devices. If prompted to update your device, don't hesitate - do it immediately.
  • Enable two-factor authentication: Whether for personal use or work, two-factor authentication can prevent unauthorized access even if your login credentials are stolen or lost.
  • Create really strong and unique passwords: Create unique passwords for all personal and work accounts. In today's environment, one of the best ways to create a really strong password is to use a password manager for all of your accounts. A password manager will alleviate the burden of having to memorize all the different complex passwords you've created by managing them all in one "vault" and locking that vault with a single master password.
  • Protect your devices: Using biometrics or six-digit passcodes on smartphones and tablets is critical to keeping curious minds from accessing personal information, work email, or retail/banking applications. It also helps protect your device if it is lost or misplaced.
  • Understand where, how, and to whom you are sending data: Many breaches occur when we accidently post sensitive information publicly, mishandle or send to the wrong party via publishing online, or send sensitive information in an email to the wrong person. Take care to know how you are transmitting or posting data.
    
    
• Data Privacy

  Everyone in our community is responsible for the protection of the privacy and personal information of our students and employees. Recommended best practices to ensure adequate protection of district restricted or sensitive information is described in Citrus College Administrative Procedure (AP) 3724. These recommendations are listed as follows:

  • Adopt "clean desk practices." Don't leave unattended paper documents containing restricted or sensitive information; protect them from the view of passers-by or office visitors. It is recommended that confidential documents contain a cover sheet. Close office doors when away from your office.
    
  • Add a "Confidential" watermark to a Word document.
    
  • Store paper documents containing restricted or sensitive information in locked files with a controlled key system (a list of individuals who have access should be documented) or an appropriately secured area.
    
  • Lock file cabinets containing restricted or sensitive information before leaving the office each day.
    
  • Do not leave the keys to file drawers containing restricted or sensitive information in unlocked desk drawers or other areas accessible to unauthorized staff.
    
  • Store paper documents that contain restricted or sensitive information in secure file cabinets. Keep copies in an alternate location.
    
  • Shred paper documents containing restricted and sensitive information when they are no longer needed, making sure that such documents are secured until shredding occurs. If a shredding service is employed, the service provider should have clearly defined procedures in the contractual agreement that protect discarded information, and ensure that the provider is legally accountable for those procedures, with penalties in place for breach of contract.
    
  • Immediately retrieve or secure documents containing sensitive information as they are printed on copy machines, fax machines or printers. Double-check fax messages containing confidential information. Recheck the recipient's number before you hit 'Start.' Verify the security arrangements for a fax's receipt prior to sending. Verify that you are the intended recipient of faxes received on your machine. If you are not, contact the intended recipient and make arrangements for the proper dispatch of the fax.
    
  • Do not discuss sensitive information outside of the workplace or with anyone who does not have a specific "need to know." Be aware of the potential for others to overhear communications containing restricted or sensitive information in offices, on telephones, and in public places like elevators, restaurants, and sidewalks.
  • Ensure electronic equipment containing sensitive information is securely transferred or disposed of in a secure manner, per the district's Electronic Equipment Disposition Policy.
    
  • Immediately report theft of district electronic computing equipment to a supervisor or manager. Loss or suspected compromise of data containing sensitive information should be immediately reported to TeCS.
    
    
• Data Privacy

  The Internet is full of data about you. Whenever you play a game, shop, browse websites, or use any of numerous apps, your activity and some of your personal information may be collected and shared.

  Similarly, the business of higher education requires us to collect, process, and store the digital information of others. Whenever we handle such information, we need to think about how we want our own information treated and treat other people's data with the same care and respect.

  Protect yourself by following these tips:

  • Know what you are sharing. Check the privacy settings on all of your social media accounts; some even include a wizard to walk you through the settings. Always be cautious about what you post publicly.
  • Guard your date of birth and telephone number. These are key pieces of information used for identity and account verification, and you should not share them publicly. If an online service or site asks you to share this critical information, consider whether it is important enough to warrant it.
  • Keep your work and personal presences separate. Administrative Procedure (AP) 3723 recognizes that authorized Citrus College officials may review or access the contents of e-mail for purposes related to the college business. Use an outside service for private emails. This also helps you ensure uninterrupted access to your private email and other services if you switch employers.
    
    

  Protect the information, identity, and privacy of others by following these tips:

  • Know what resources are available at Citrus College. Citrus College IT Security Analyst Ryan Tang can answer questions about information security best practices and the technologies available to protect online identity and the personal data. The training calendar also provides online self-guided tutorials on information security and privacy.
  • Know what policies are in place at your institution. A privacy policy governs how the institution collects, processes, stores, and deletes the personal data of constituents; a data classification policy governs how the institution organizes the data it interacts with and what rules are in place for processing it; and an information security policy articulates how the institution governs and prioritizes information security activities. At Citrus College, these policies can be found online in the 3000 series of board policies and administrative procedures.
  • Keep student and staff personal information confidential and limit access to the data.
  • Only use data for its intended purpose. If you need to use data for another reason, always check relevant resources and policies first for guidance.
  • Destroy or de-identify private information when you no longer need it.
    
    

Email

• Business Email Compromise Scam

  The business email compromise (BEC) scam has been attempted several times at Citrus College. In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request, like in these examples:

  • A vendor your company regularly deals with sends an invoice with an updated mailing address.
  • A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them out right away.
  • A homebuyer receives a message from his title company with instructions on how to wire his down payment.
  • Versions of these scenarios happened to real victims. All the messages were fake. In each case, thousands or even hundreds of thousands of dollars were sent to criminals instead.
    
    

  How to Protect Yourself

  • Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
  • Don't click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company's phone number on your own (don't use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
  • Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
  • Be careful what you download. Never open an email attachment from someone you don't know, and be wary of email attachments forwarded to you.
  • Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
  • Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in account number or payment procedures with the person making the request.
  • Be especially wary if the requestor is pressing you to act quickly.
    
    

  For more information, view the FBI.gov Business Email Compromise website.

Mobile Devices

• Keeping Tabs on Mobile Devices
  (Content courtesy of the EDUCAUSE Cybersecurity Program​)

  With an increasing amount of sensitive data being stored on personal devices, the value and mobility of smartphones, tablets, and laptops make them appealing and easy targets. These simple tips will help you be prepared in case your mobile device is stolen or misplaced.

  • Encrypt sensitive information. Add a layer of protection to your files by using the built-in encryption tools included on your computer's operating system.
  • Secure those devices and backup data! Make sure that you can remotely lock or wipe each mobile device. That also means backing up data on each device in case you need to use the remote wipe function. Backups are advantageous on multiple levels. Not only will you be able to restore the information, but you'll be able to identify and report exactly what information is at risk.
  • Never leave your devices unattended in a public place or office. If you must leave your device in your car, place it in the truck, out of sight, before you get to your destination, and be aware that the summer heat of a parked car could damage your device.
  • Password-protect your devices. Give yourself more time to protect your data and remotely wipe your device if it is lost or stolen by enabling passwords, PINs, fingerprint scans, or other forms of authentication. Do not choose options that allow your computer to remember your passwords.
  • Put that shredder to work! Make sure to shred documents with any personal, medical, financial, or other sensitive data before throwing them away.
  • Be smart about recycling or disposing of old computers and mobile devices. Properly destroy your computer's hard drive. Use the factory reset option on your mobile devices and erase or remove SIM and SD cards.
  • Verify app permissions. Don't forget to review an app's specifications and privacy permissions before installing it!
  • Be cautious of public Wi-Fi hot spots. Avoid financial or other sensitive transactions while connected to public Wi-Fi hot spots.
  • Keep software up to date. If the vendor releases updates for the software operating your device, install them as soon as possible. Installing them will prevent attackers from being able to take advantage of known problems or vulnerabilities.
    
    

  What can you do if your laptop or mobile device is lost or stolen? Report the loss or theft to the appropriate authorities. These parties may include representatives from law-enforcement agencies, as well as hotel or conference staff. If your device contained sensitive institutional or student information, immediately report the loss or theft to Technology and Computer Services so that we can respond quickly to the incident.​
  

Passwords

• Your Passwords and You
  (Content courtesy of the Educause Cybersecurity Resources)
  

  Your passwords are the key to a host of information about you, and potentially those close to you. If someone can access your personal information, it can have serious long-term effects - and not just online! Follow these recommendations to protect your identity while making the Internet more secure for everyone:

  • Use a passphrase instead of a password. Passphrases are usually 16 characters or more and include a combination of words or short sentence that is easy to remember (e.g., MaryHadALittleLamb!)
  • Use a fingerprint or biometric requirement to sign in when available. This provides an extra layer of protection for devices and apps.
  • Request single-use authentication codes that can be sent to your phone or delivered by an app.
  • Take advantage of whatever multifactor authentication (MFA) methods are available for the applications you use.
  • Use a password manager or password vault software to help keep track of all your passwords and avoid password reuse.

​Phishing

• Protect Yourself from Phishing

  What is Phishing? According to Merriam Webster, phishing is "the practice of tricking Internet users (as through the use of deceptive email messages or websites) into revealing personal or confidential information which can then be used illicitly."

  Protecting Yourself: Phishing scams continue to get more sophisticated targeting different industries. Students and staff serve as a prime target as they receive correspondence providing opportunities, where some may be legitimate, and others are malicious.

  1. Verify the source: Always check the validity of the source. Some phishing emails "spoof" the sender's emails pretending to be something else or someone else.
  2. Verify the request: If there is a request for personal information, find a way to verify the legitimacy of the request. Checking with campus staff can help to see if the request is valid.
  3. Verify the content: Phishing emails often try to create the emotion of haste or fear. Verify the urgency emails and the content. You can check on campus if there is validity to those items.
  4. Check the links: Do not be quick to click the links on the email. Ensure the validity of the email prior to clicking on the links.
  5. Slow to open attachments: Be cautious with opening links to make sure it is from a legitimate source.
     
     

  Report Phishing: If you are suspect a phishing email, you can forward it to badmail@citruscollege.edu and you can mark it as phishing when you use Outlook.

  Other Resources
  Federal Trade Commission How to Recognize and Avoid Phishing Scams
  Cybersecurity and Infrastructure Security Agency – Avoiding Social Engineering and Phishing Attacks
  California Community Colleges Spear Phishing Attacks

• Phishing Attacks are Getting Trickier

  (Content courtesy of author Phil Hoffman of the SANS™ Institute OUCH! Newsletter)

  Phishing emails used to be easier to detect because they were generic messages sent out to millions of random people. Cyber attackers had no idea who would fall victim; they knew the more emails they sent, the more people they could trick.

  Today's cyber attackers are far more sophisticated. They now research their intended victims to create a more customized attack. Instead of sending out a phishing email to five million people, or appearing to be generic emails sent by corporations, they may send it to just five people and tailor the attack to appear to be sent from someone we know. Cyber attackers do this by:

  • researching our LinkedIn profiles, what we post on social media, or using publicly available information on the Dark Web. crafting messages that appear to come from management, coworkers, or vendors you know and work with.
  • learning your hobbies and sending a message to you pretending to be someone who shares a mutual interest.
  • determining if you have been to a recent conference or just returned from a trip, and then crafting an email referencing your travels. Cyber attackers are actively using other methods to send the same messages, such as texting you or even calling you directly by phone.
    
    

  Because cyber attackers are taking their time researching their intended victims, spotting these attacks can be more challenging. The good news is you can still spot them if you know what you want. Ask yourself the following questions before taking action on a suspicious message:

  • Does the message create a heightened sense of urgency? Are you being pressured to bypass your organization's security policies? Are you being rushed into making a mistake? The greater the pressure or sense of urgency, the more likely this is an attack.
  • Does the email or message make sense? Would the CEO of your company text you asking for help? Does your supervisor need you to rush out and buy gift cards? Why would your bank or credit card company be asking for personal information they should already have about you? The message may be an attack if it seems odd or out of place.
  • Are you receiving a work-related email from a trusted coworker or your supervisor, but the email uses a personal email address such as @gmail.com?
  • Did you receive an email or message from someone you know, but the wording, tone of voice, or signature is wrong and unusual?
    
    
  If a message seems odd or suspicious, it may be an attack. To confirm if an email or message is legitimate, one option is to call the individual or organization sending the message with a trusted phone number.

• How to Recognize and Avoid Phishing Scams

  (Content courtesy of Federal Trade Commission Consumer Advice)

  Scammers use email or text messages to trick you into giving them your personal information. They may try to steal your passwords, account numbers, or Social Security numbers. If they get that information, they could gain access to your email, bank, or other accounts. Scammers launch thousands of phishing attacks like these every day — and they are often successful. The FBI's Internet Crime Complaint Center reported that people lost $57 million to phishing schemes in one year.

  Scammers often update their tactics, but some signs will help you recognize a phishing email or text message.

  Phishing emails and text messages may look like they are from a company you know or trust. They may look like they are from a bank, credit card company, social networking site, payment website or app, or store.

  Phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment. They may say they've noticed some suspicious activity or log-in attempts. Or

  • claim there's a problem with your account or your payment information.
  • say you must confirm some personal information.
  • include a fake invoice.
  • want you to click on a link to make a payment.
  • say you're eligible to register for a government refund.
  • offer a coupon for free stuff.
    
    

  The scammers who send emails like this do not have anything to do with the companies they pretend to be. Phishing emails can have real consequences for people who give scammers their information.

• Phishing Attacks
  (Courtesy of the Educause Cybersecurity Resources)

  Social engineering is at the heart of all phishing attacks, especially those conducted via e-mail. Technology makes phishing easy. Setting up and operating a phishing attack is fast, inexpensive, and low risk: any cybercriminal with an e-mail address can launch one.

  According to Verizon's Data Breach Investigations Report, the education sector saw a rise in social engineering–based attacks. Students, staff, and faculty all suffered losses when personal data and research were disclosed to unauthorized parties. Phishing played a part in more than 40% of these breaches. Knowing what you're up against can help you be more secure. Here are a few things you can do to guard against phishing attacks:

  • Limit what you share online. The less you share about yourself, the smaller the target you are for a phishing attack. Cybercriminals use information you post online to learn how to gain your trust.
  • Protect your credentials. No legitimate company or organization will ask for your username and password or other personal information via e-mail. Your school definitely won't. Still not sure if the e-mail is a phish? Contact your IT help desk. At Citrus College, you can report these e-mails by forwarding them to badmail@citruscollege.edu.
  • Beware of attachments. E-mail attachments are the most common vector for malicious software. When you get a message with an attachment, delete it unless you are expecting it and are absolutely certain it is legitimate.
  • Confirm identities. Phishing messages can look official. Cybercriminals steal organization and company identities, including logos and URLs that are close to the links they're trying to imitate. There's nothing to stop them from impersonating schools, financial institutions, retailers, and a wide range of other service providers.
  • Trust your instincts. If you get a suspicious message that claims to be from an agency or service provider, use your browser to manually locate the organization online and contact them via their website, e-mail, or telephone number.
  • Check the sender. Check the sender's e-mail address. Any correspondence from an organization should come from an organizational e-mail address. A notice from your college or university is unlikely to come from YourIThelpdesk@yahoo.com.
  • Take your time. If a message states that you must act immediately or lose access, do not comply. Phishing attempts frequently threaten a loss of service unless you do something. Cybercriminals want you to react without thinking; an urgent call to action makes you more likely to cooperate.
  • ​Don't click links in suspicious messages. If you don't trust the e-mail (or text message), don't trust the links in it either. Beware of links that are hidden by URL shorteners or text like "Click Here." They may link to a phishing site or a form designed to steal your username and password.
    
    

Ransomware

• What is Ransomware?
  (Content courtesy of the Educause Cybersecurity Resources)

  Ransomware is a type of malicious software that encrypts your files. Often, the only way to decrypt and gain access to the files is by paying a "ransom" or fee to the attackers. Ransomware may spread to any shared networks or drives to which your devices are connected.

  How Can I Get Infected with Ransomware?
  Common vectors for ransomware attacks include e-mails with malicious attachments or links to malicious websites. It's also possible to get an infection through instant messaging or texts with malicious links. Antivirus may or may not detect a malicious attachment, so it's important for you to be vigilant.

  How Can I Protect Myself Against Ransomware?
  There are two steps to protection against ransomware:

  • Preparation. Back up your information regularly. Once a ransomware infection occurs, it's often too late to recover the encrypted information. Your research project or other important information may be lost permanently.
  • Identification. Ransomware typically appears as phishing e-mails, either with links to malicious websites or infected files attached. You might also see a ransomware attack perpetrated through a pop-up telling you that your computer is infected and asking you to click for a free scan. Another possible vector is malver​tising, malicious advertising on an otherwise legitimate website.
    
    

  Probably the Most Important Steps You Can Take to Prepare

  • Ensure that your information is backed up regularly and properly. Because ransomware can encrypt the files on your computer and any connected drives (potentially including connected cloud drives such as Dropbox), it's important to back up your files regularly to a location that you're not continuously connected.
  • Ensure that you're able to restore files from your backups. Again, work with your IT support personnel to discuss how to test restore capabilities.
    
  • Ensure that you're keeping your system (and mobile devices) up to date with patches. If you're prompted by your computer or mobile device to accept updates, accept them at your earliest convenience.
    
  • Don't do day-to-day work using an administrator account. A successful ransomware attack will have the same permissions that you have when working. (If you're not using an account with administrator privileges, the initial attack may be foiled.)
    
    

  What Do I Do If I Think I'm Infected?

  • Report the ransomware attack to your service desk immediately.
    
  • Isolate or shut down the infected computer. (If you're on Wi-Fi, turn off the Wi-Fi. If you're plugged into the network, unplug the computer. Infected systems should be removed from the network as soon as possible to prevent ransomware from attacking network or shared drives.)

Seasonal Scams

• IRS Tax Season Scams

  The Internal Revenue Service warns that the beginning of the new year is an opportune time for scammers to use e-mail, text messages and/or phone calls to defraud unsuspecting victims.

  "With filing season underway, this is a prime period for identity thieves to hit people with realistic-looking emails and texts about their tax returns and refunds," said IRS Commissioner Chuck Rettig. "Watching out for these common scams can keep people from becoming victims of identity theft and protect their sensitive personal information that can be used to file tax returns and steal refunds."

  Text Message Scams: Last year, there was an uptick in text messages that impersonated the IRS. These scams are sent to taxpayers' smartphones and have referenced COVID-19 and/or "stimulus payments." These messages often contain bogus links claiming to be IRS websites or other online tools. Other than IRS secure access, the IRS does not use text messages to discuss personal tax issues, such as those involving bills or refunds. The IRS also will not send taxpayers messages via social media platforms.

  Unemployment Fraud: As a new tax season begins, the IRS reminds workers to watch out for claims of unemployment or other benefit payments for which they never applied. States have experienced a surge in fraudulent unemployment claims filed by organized crime rings using stolen identities. Criminals are using these stolen identities to fraudulently collect benefits. You may have been the victim of identity theft if you have received mail or an IRS Form 1099-G regarding benefits you were not expecting.

  Email Phishing Scams: The IRS does not initiate contact with taxpayers by email to request personal or financial information. The IRS initiates most contacts through regular mail delivered by the United States Postal Service.

  Phone Scams: The IRS does not leave pre-recorded, urgent or threatening messages. In many variations of the phone scam, victims are told if they do not call back, a warrant will be issued for their arrest. Other verbal threats include law-enforcement agency intervention, deportation or revocation of licenses.

  For more information on common IRS-related scams, and how to protect yourself, see https://www.irs.gov/newsroom/irs-warning-scammers-work-year-round-stay-vigilant

Social Engineering

• Social Engineering Explained
  (Content courtesy of the EDUCAUSE Cybersecurity Program​)

  Social engineering - manipulating people into doing what they want - is the most common way for cybercriminals to steal information and money. According to an article on Wired.com, between November 2017 and February 2019, six hundred and sixty (660) education-related institutions were targeted with a scam in which employees were tricked into purchasing gift cards and sending the codes to someone they wrongly assumed was a trusted authority.
  

  Social engineering is at the heart of all types of phishing attacks - those conducted via email, SMS, and phone calls. Technology makes these sorts of attacks easy and very low risk for the attacker. Make sure you're on the lookout for these variants on the traditional, mass emailed phishing attack:

  • Spear phishing: This kind of attack involves often very well-crafted messages that come from what looks like a trusted "very important person" (VIP) source. These messages will ask recipients to rush and bypass normal processes. Targets are those who can conduct financial transactions on behalf of the organization (sometimes called "whaling").
  • SMiShing: Literally, phishing attacks via short message service (SMS) or text messaging. These scams attempt to trick users into supplying content or clicking on links in SMS messages on their mobile devices. Flaws in how caller ID and phone number verification work make this an increasingly popular attack that is hard to stop.
  • Vishing: Voice phishing are calls from attackers claiming to be government agencies such as the IRS, software vendors like Microsoft, or services offering to help with benefits or credit card rates. Attackers will often appear to be calling from a local number close to yours. As with SMiShing, flaws in how caller ID and phone number verification work make this a dangerous attack vector.
    
    

  No matter the medium, follow these techniques to help prevent getting tricked by these social engineering attacks:

  • Don't react to scare tactics: All of these attacks depend on scaring the recipient. Examples include notice that you are being sued; that your computer is full of viruses; or that you might miss out on a chance at a great interest rate. Don't fall for it!
  • Verify contacts independently: Financial transactions should always follow a defined set of procedures, which includes a way to verify legitimacy outside email or an inbound phone call. Legitimate companies and service providers will give you a real business address and a way for you to contact them back, which you can independently verify on a company website or support line. Don't trust people who contact you out of the blue claiming to represent your bank or an agency.
  • Know the signs: Does the message or phone call start with a vague information, a generic company name like "card services," an urgent request, and/or an offer that seems impossibly good? Hang up or click that delete button!
    
    

  To help you more readily identify suspicious e-mails, our mail server will automatically add a "caution" or warning footer (in a yellow box) at the bottom of any e-mail that is sent from an external source. Take time to reach out to senders via phone or a new e-mail to confirm any unusual action requested of you.

• Social Engineering Scams
  Cybercriminals have learned that a successful way to take advantage of a victim is through social engineering. We've seen this recently at Citrus College. Social engineering begins with research, whereby an attacker reaches out to a target to gain information and resources.

  When someone you don't know contacts you and asks you open-ended questions, this may be the first step of a social-engineering attack. After the attacker reaches out to you, they will then attempt to establish trust with you and get you to provide them with the information or access that they need. Often, the attacker does this by creating a sense of urgency.

  One common social-engineering scam is the gift-card scam. The attacker poses as a supervisor or manager (the impersonator). The impersonator will email the victim and begin a brief email exchange. The impersonator will tell the victim that they need to purchase one or more gift cards for other employees but that they are unavailable to do so, and will ask the victim to buy several gift cards and keep one for themselves. As the victim is worried about pleasing the impersonator, the victim goes through with the purchase, spending hundreds or thousands of dollars.

  How do you avoid becoming a victim of these types of attacks? Ask yourself if the request makes sense. Check the email address of the sender. Does the sender's email address come from Citrus College? Is there a warning that the e-mail came from outside of the Citrus College e-mail system?

  Whenever you receive an "urgent" email communication, the first thing you should do is contact the sender using another mode, such as phone or text message, and confirm that the email is legitimate. If something seems off to you, it probably is.

Travel

• Tech Security and Traveling
  (Content courtesy of the Educause Cybersecurity Resources)
  
  

  You may be planning a trip during spring break or the summer months. Unfortunately, traveling with devices can mean increased risks for keeping your personal data private as well as the potential for device theft.

  Protect your tech and data when traveling. Travel only with the data that you need; look at reducing the amount of digital information that you take with you. This may mean leaving some of your devices at home, using temporary devices, removing personal data from your devices, or shifting your data to a secure cloud service. Authorities or criminals can't search what you don't have.

  You may decide that inconvenience overrides risk and travel with electronic devices anyway. If this is the case, focus on protecting the information that you take with you. One of the best ways to do this is to use encryption. Make sure to fully encrypt your device and make a full backup of the data that you leave at home.

  Get your device travel ready
  

  • Change your passwords or passphrases before you go. Consider using a password manager if you don't use one already.
    
  • Set up multifactor authentication for your accounts whenever possible for an additional layer of security.
    
  • Delete apps you no longer use.
    
  • Update any software, including antivirus protection, to make sure you are running the most secure version available.
    
  • Turn off Wi-Fi and Bluetooth to avoid automatic connections.
    
  • Turn on "Find My [Device Name]" tracking and/or remote wiping options in case it is lost or stolen.
    
  • Charge your devices before you go.
    
  • Stay informed of TSA regulations and be sure to check with the State Department's website for any travel alerts or warnings concerning the specific countries you plan to visit, including any tech restrictions.
    
  • Clear your devices of any content that may be considered illegal or questionable in other countries, and verify whether the location you are traveling to has restrictions on encrypted digital content.
    
  • Don't overlook low-tech solutions:
    • Tape over the camera of your laptop or mobile device for privacy.
    • Use a privacy screen on your laptop to avoid people "shoulder surfing" for personal information.
    • Physically lock your devices and keep them on you whenever possible, or use a hotel safe.
    • Label all devices in case they get left behind!
      
      

  These guidelines are not foolproof, but security experts say every additional measure taken can help reduce the chances of cyber theft.​

Your Responsibility

• Be Diligent
  (Content courtesy of the Educause Cybersecurity Resources)

  With the threat of hacking, malware, phishing, and other digital threats constantly looming, it can be easy to overlook the importance of physical security. Here are some ways to improve the security of our technology resources and confidential data by securing our environment.

  • Prevent tailgating. In the physical security world, tailgating is when an unauthorized person follows someone into a restricted space. Be aware of anyone attempting to slip in behind you when entering an area with restricted access.
  • Don't offer piggyback rides. Like tailgating, piggybacking refers to an unauthorized person attempting to gain access to a restricted area by using social engineering techniques to convince the person with access to let them in. Confront unfamiliar faces! If you're uncomfortable confronting them, contact campus safety.
  • Put that shredder to work! Make sure to shred documents with any personal, medical, financial, or other sensitive data before throwing away. Organizing campus-wide or smaller-scale shred days can be a fun way to motivate your community to properly dispose of paper waste.
  • Be smart about recycling or disposing of old computers and mobile devices. Make sure to properly destroy your computer's hard drive. Use the factory reset option on your mobile devices and erase or remove SIM and SD cards.
  • Lock your devices. Protecting your mobile devices and computers with a strong password or PIN provides an additional layer of protection to your data in the event of theft. Set your devices to lock after a short period of inactivity; lock your computer whenever you walk away. If possible, take your mobile devices and/or laptop with
    you. Don't leave them unattended, even for a minute!
    
  • Lock those doors and drawers. Stepping out of the room? Make sure you lock any drawers containing sensitive information and/or devices and lock the door behind you.
    
  • Encrypt sensitive information. Add an additional layer of protection to your files by using the built-in encryption tools included on your computer's operating system (e.g., BitLocker or FileVault).
    
  • Back up, back up, back up! Keeping only one copy of important files, especially on a location such as your computer's hard drive, is a disaster waiting to happen. Make sure your files will still be accessible in case they're stolen or lost by backing them up on a regular basis to multiple secure storage solutions.
    
  • Don't leave sensitive data in plain sight. Keeping sensitive documents or removable storage media on your desk, passwords taped to your monitor, or other sensitive information in visible locations puts the data at risk to be stolen by those who would do you or your institution harm. Keep it securely locked in your drawer when not in use.
    
  • Put the laptop in your trunk. Need to leave your laptop or other device in your car? Lock it in your trunk (before arriving at your destination). Don't invite criminals to break your car windows by leaving it on the seat.
    
  • Install a remote location tracking app on your mobile device and laptop. If your smartphone, tablet, or laptop is lost or stolen, applications such as Find My iPhone/iPad/Mac or Find My Device (Android) can help you to locate your devices or remotely lock and wipe them.