A monthly Information Security publication for the WPI community.

SECURE IT is now monthly! It contains both WPI-specific details and tips that can help you when online for WPI work and academics, or for personal use.  There are new features offering cybersecurity education through outreach and videos. Is there a cybersecurity topic that you would like to know more about? Please contact WPI Information Security using Get Support below.

PHISHING: Many of us are familiar with this topic, but bad actors continue to change their tactics so there is always more to learn!  In this issue:

  • Checkout WPI's Phishbowl
  • Why is Higher Ed a target?
  • Watch Out for Summer Scams
  • Learning with Laughter
  • Office Hours - New!
  • Featured Videos
  • It Landed in Junk Mail for a Reason!
  • Diversity in Cybersecurity
  • Coming Next Month...Password Hygiene

Check Out WPI's Phishbowl

When a malicious phishing attempt is known to be hitting numerous WPI email or phone numbers, Information Security adds it to the Phishbowl. There you can find details about the message, and explanations of the dangerous elements it contains. Checking the Phishbowl when you receive a suspicious message can help prevent you from becoming a victim. If  you have received a message that matches the Phishbowl, do not click links or reply to the sender or caller; just DELETE! If you responded to a message matching the Phishbowl, use Get Support to contact Information Security.

Phishbowl on Information Security Hub Site

Why is Higher Ed a Target?

Attacks by the numbers:

Ransomware attacks targeted the education sector more than any other industry in the last year.

Of surveyed higher education institutions across the world 79% report being hit by an attack.

Of the higher ed institutions that reported ransomware attacks, 59% said it resulted in major business and revenue loss

Compromised credentials caused 37% of attacks.

Malicious emails led to 12% of reported incidents.

Why and When:

Attackers see many higher ed institutions as ‘target-rich, resource-poor’ organizations that don’t necessarily have their own in-house resources for cybersecurity prevention, response, and recovery. In some cases, hackers are ramping up their efforts to get colleges to pay for the return of their data, such as a recent attack at Knox College.

The article notes that of late, the spring semester has been riddled with ransomware attempts. Here at WPI we have noticed that holidays are also a popular time for phishing, when fewer resources may be available to combat attempts and victims may have less time for caution and be more susceptible to fraudulent billing and shipping notices. WPI has also experienced increased phishing attempts at the start of the academic year, when many accounts are new and extremely busy community members may be less likely to recognize phishing.

Prevention

WPI Information Security regularly monitors and improves our security posture to keep pace with ongoing threats. We also rely on each member of the community to remain vigilant by regularly updating apps and devices, and recognizing and reporting attempts.

We congratulate the WPI community on completing a recent successful phishing simulation campaign. A few good news statistics:

  • Over 2,000 participants.
  • Only 3% clicked a link in the simulated phishing message.
  • 100% did NOT supply credentials!
  • 63% deleted the message or forwarded to phishing@wpi.edu, actions we have been encouraging and educating the community to take.

To enhance email protection, in our battle against attackers WPI has implemented an additional tool, Abnormal Security,. It complements Microsoft built-in security to provide protection against threats, unwanted mail, and improves risk posture of cloud email. 

New Email Security Tool WPI Hub News

More about higher ed metrics, what Knox College experienced when attacked, and additional details are in this Higher Ed Dive article.

Higher Ed Dive: Ransomware threat against colleges...

Watch out for Summer Scams!

During the summer, these scams increase.

  • Employment Scams: These target people who have the summers off. If the money, hours, and/or work sound too good to be true, it's most likely a scam.
  • Travel Scams: Be wary if the price of the trip is significantly below the market rate. When using sites like Airbnb or Uber, stick to long established users.
  • Moving Scams:  Watch out for hidden fees, estimates far below market rates, and companies that change their name frequently.
  • Social Media Scams
    • Ignore accounts you don't recognize.
    • Don't give too many details about when and where you are on vacation.
    • A sign of a spoofed account is a friend request from someone you thought was already connected to you on that platform.
  • Ticket Scams: Only purchase tickets from legitimate, online retailers. Scalpers and bogus sites collect your information and sell non-existent tickets.

More details about these scams are available from the Identity Theft Resource Center:

Five Summer Scams to Watch Out For

     

Learning with Laughter

Meme picture of Bill Lumbergh from Office Space with text: "Yeah if we could just stop clicking on phishing emails, that'd be great."

     

Office Hours

Meet Julius Newton, Information Security Analyst, to discuss Information Security and ask questions!

Julius is wearing glasses, a peach shirt, a tie and is smiling at the camera. 

"Hello, if you read the title, you are already going in the right direction to know a bit about me. My name is Julius Newton, and I am an Information Security Analyst within the Information Security department. My journey into the technical industry began with help desk and IT technician jobs, which provided the platforms I needed for gaining experience, and led to an opportunity working in the security operation center here at WPI. Some gems I learned on this journey are communication, time management, enthusiasm, and discipline will help in aiding and attracting positive results, set forth for yourself. Lastly, one thing most people do not know about me is I love to play chess."

In-person:  Campus Center near Dunkin Donuts, July 14, 10-11 AM

Virtual via Zoom:  

July 14, 12-1 PM

Request Zoom link (for WPI account holders)

Hear more about his journey into cybersecurity in this session with students last November for National Cybersecurity Awareness Month. 

Careers in Cybersecurity Recording

Featured Videos 

These brief videos explain varied phishing methods.

Malware and Spear Phishing
(YouTube 4 min.)
2-Faced Emails
(YouTube 3 min.)

It Landed in Junk Mail for a Reason!

It can be tempting to open junk mail and reply or click links, but items landed in junk because the filter found something - maybe even something malicious.

Please do not treat your Junk Mail folder as a second Inbox. Only open that folder if an expected message hasn’t arrived in your Inbox.

Image of junk email (right click on image to open in new tab and zoom in)

Clues the message is junk:

1. Subject line starts with RE: It's made to look like a reply to trick you into moving to Inbox or responding. But filters put it in junk, so proceed with caution!

   

2. Outlook message at the top of the email: This message was identified as junk. If you don't recognize the sender, then it should stay in junk.

     

3. Look at the sender's email address: If you've never done business with that person or organization, then it should stay in junk.

    

Diversity in Cybersecurity 

Diego Alvarez Molina has very short black hair, pale skin, is wearing a suit and looking directly at the camera.
Diego Alvarez Molina

    

Coming Next Month...

Password Hygiene