A monthly Information Security publication for the WPI community.

PHISHING: Many of us are familiar with this topic, but bad actors continue to change their tactics so there is always more to learn!

In this issue:

  • Check Out WPI's Phish Bowl
  • Types of Phishing & Social Engineering
  • Why is Higher Ed a Target?
  • From WPI's CISTO: KnowBe4 as a Prevention Strategy
  • Watch Out for Summer Scams
  • Learning with Laughter
  • Meet Julius!
  • In the News and Featured Videos
  • It Landed in Junk Mail for a Reason!
  • Diversity in Cybersecurity
  • Coming Next Month...

Check Out WPI's Phish Bowl

When a malicious phishing attempt is known to be hitting numerous WPI email addresses or phone numbers, Information Security contains the message as quickly as possible. WPI uses Abnormal Security to enhance email protection. It complements Microsoft's built-in security to provide safeguards against phishing and social engineering, reduce unwanted mail, and decrease the risks associated with cloud email. Here are a few examples of detection and prevention by Abnormal in the past 6 months:

  • 184 email attempts at invoice payment fraud
  • 241 emails containing malware
  • 9513 email phishing attempts!

Phish Bowl on hub.wpi.edu

To assist people who may have received a phish in their inbox prior to containment, Information Security adds it to the Phish Bowl on the WPI Hub. There you can find details about the message, and explanations of the dangerous elements it contains.

Recent VIP Impersonation Phishing Notice

Checking the Phish Bowl when you receive a suspicious message can help prevent you from becoming a victim. If you have received a message that matches the Phish Bowl, do not click links or reply to the sender or caller; just DELETE! If you responded to a message matching the Phish Bowl, use Get Support to contact Information Security.

Phish Bowl on Information Security Hub Site
Report Phishing at WPI

Kinds of Phishing

Phishing is when a bad actor attempts to "bait" a victim into revealing vital information or clicking on a malicious link. This gives the attacker fraudulent access to accounts, finances, or the computer. A message may be sent to numerous people, with just one response needed for the attacker to benefit. Varied methods include:

  • Spear Phishing, a carefully targeted attack
  • Smishing, which uses SMS text to initiate contact
  • Vishing, which uses voice communication via landline or mobile phone

Phishing Explained
Smishing and Vishing Explained

Social engineering is often at play during phishing attacks. It uses persuasion to trick the victim. Decades ago the con artist had to engage the victim in face-to-face conversation. Today technology enables them to trick people halfway across the world. Here are several social engineering trademarks:

  • Sense of urgency
  • Claiming to be an authority figure
  • Appealing to your emotions

If you've received a suspicious message and it isn't in the Phish Bowl, the links below can help you identify whether it could be a social engineering scam or from a con artist.

What is Social Engineering? (Cisco)
How to Spot a Con Artist (michigan.gov)

Why is Higher Ed a Target?

Attacks by the numbers:

  • 2023 was the worst ransomware year on record for education; the sector witnessed a staggering 70% surge in attacks.
  • The median number of monthly attacks surged by 91%.
  • The US and the UK bore the brunt of ransomware in education attacks, with over 90% of ALL attacks being against these two countries.

2024 State of Ransomware in Education (ThreatDown by Malwarebytes)

Why and When:

Attackers see many higher ed institutions as ‘target-rich, resource-poor’ organizations that don’t necessarily have their own in-house resources for cybersecurity prevention, response, and recovery. In some cases, hackers are ramping up their efforts to get colleges to pay for their data to be returned.

Factors that make phishing a resource-intensive threat for higher ed:

  • Over the years phishing has evolved from simple email scams to sophisticated methods involving artificial intelligence (AI), social media, and mobile platforms.
  • Adapting to new threats requires a proactive approach, including sharing knowledge within communities and learning from past incidents.

Avoid Common Higher Education Data Breaches (WPI Hub)

Below are the Top 10 Phishing Risks in 2024. College campuses tend to have a high number of mobile devices, Internet of Things, and social media use. CyberSecurity Magazine details these risks in the link below.

  • The Rise of AI in Phishing Scams
  • Cloud Services Exploitation
  • Targeting Mobile Devices
  • Phishing in the Internet of Things (IoT)
  • Social Media as a Phishing Ground
  • Sophisticated Ransomware Attacks
  • Deepfakes in Phishing
  • The Role of Machine Learning
  • Increased Focus on Small Businesses
  • Government-Backed Phishing Operations

Phishing in 2024: Here’s What to Expect (CyberSecurity Magazine)

From WPI's CISTO: KnowBe4 as a Prevention Strategy

As recommended by WPI’s Board of Trustees, ITS aims to strengthen the institution's information security efforts by implementing more robust education and phishing awareness assessment.

WPI is partnering with KnowBe4, a company that specializes in promoting cybersecurity awareness through online training and simulated phishing campaigns. The results of these campaigns enable ITS to identify how our organization is likely to react if a real phishing attack were to occur, and how to further promote best practices. 

Join LeeAnn LeClerc, CISTO, for a webinar about KnowBe4 on Tuesday, July 23 from 12:00pm - 12:45pm. Please use the link below to register.

Register for the Lunch and Learn: KnowBe4
Data breaches cost higher education and training organizations $3.7M on average in 2023 (Higher Ed Dive)
About KnowBe4

Watch out for Summer Scams!

During this season, these are popular:

  • Employment Scams: These target people who have the summers off. If the money, hours, and/or work sound too good to be true, it's most likely a scam.
  • Travel Scams: Be wary if the price of the trip is significantly below the market rate. When using sites like Airbnb or Uber, stick to long established users.
  • Moving Scams: Watch out for hidden fees, estimates far below market rates, and companies that change their name frequently.
  • Social Media Scams
    • Ignore accounts you don't recognize.
    • Don't give too many details about when and where you are on vacation.
    • It's best to post your vacation pictures after you get home.
    • A sign of a spoofed account is a friend request from someone you thought was already connected to you on that platform.
  • Ticket Scams: Only purchase tickets from legitimate, online retailers. Scalpers and bogus sites collect your information and sell non-existent tickets.

The Identity Theft Resource Center offers more details.

Five Summer Scams to Watch Out For


Learning with Laughter

Meme picture of Bill Lumbergh from Office Space with text: "Yeah if we could just stop clicking on phishing emails, that'd be great."


Meet Julius!

Meet Julius Newton, Information Security Analyst, to discuss Information Security and ask questions!

Julius is wearing glasses, a peach shirt, a tie and is smiling at the camera. 

"Hello, if you read the title, you are already going in the right direction to know a bit about me. My name is Julius Newton, and I am an Information Security Analyst within the Information Security department. My journey into the technical industry began with help desk and IT technician jobs, which provided the platforms I needed for gaining experience, and led to an opportunity working in the security operation center here at WPI. Some gems I learned on this journey are communication, time management, enthusiasm, and discipline will help in aiding and attracting positive results, set forth for yourself. Lastly, one thing most people do not know about me is I love to play chess."

Hear more about his journey into cybersecurity in this session with students. 

Careers in Cybersecurity Recording

In the News

In June 2024 the Town of Arlington, MA announced that it had lost nearly a half-million dollars to a Business Email Compromise attack. The town's bank was only able to recover about $3,000.

Town of Arlington loses $445,945 in wire fraud (Boston 25 News)

In March 2024, the group Inc Ransomware, known for spear phishing, attacked Florida Memorial University. 

Ransomware group claims it breached Florida Memorial University (Comparitech)

Featured Videos 

These brief videos explain common phishing methods.

Phishing Awareness Video (2 min)
Phishing Explained (7 minutes)

It Landed in Junk Mail for a Reason!

It can be tempting to open junk mail and reply or click links, but items land in junk because the filter found something, maybe even something malicious.

Please do not treat your Junk Mail folder as a second Inbox. Only open that folder if an expected message hasn’t arrived in your Inbox.

Image of a junk email

Clues the message is junk:

1. Subject line starts with RE: It's made to look like a reply to trick you into moving to Inbox or responding. But filters put it in junk, so proceed with caution!


2. Outlook message at the top of the email: This message was identified as junk. If you don't recognize the sender, then it should stay in junk.


3. Look at the sender's email address: If you've never done business with that person or organization, then it should stay in junk.
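The same three clues can be checked automatically on a message's headers. The Python below is an added example, not from the newsletter or from WPI's mail tooling; it assumes a small allowlist of domains you have corresponded with, and uses the Exchange spam confidence level header with an assumed junk threshold of 5, run over two constructed sample messages.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: a fake "reply" from an unknown sender (not a real message).
FAKE_REPLY = """\
From: "Accounts Payable" <billing@example-invoices.test>
To: staff@wpi.edu
Subject: RE: Overdue invoice 4471
X-MS-Exchange-Organization-SCL: 6
Message-ID: <a1@example-invoices.test>

Please see the attached invoice and confirm payment today.
"""

# Constructed sample: a genuine reply from a known contact.
REAL_REPLY = """\
From: "Colleague" <colleague@wpi.edu>
To: staff@wpi.edu
Subject: RE: Meeting notes
In-Reply-To: <notes-1@wpi.edu>
References: <notes-1@wpi.edu>
X-MS-Exchange-Organization-SCL: 1
Message-ID: <b2@wpi.edu>

Thanks, looks good.
"""

# Domains you have actually done business with; an assumption for this example.
KNOWN_DOMAINS = {"wpi.edu"}

def junk_clues(raw: str, known_domains=KNOWN_DOMAINS) -> list[str]:
    """Return which of the three junk-mail clues apply to a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    clues = []
    subject = (msg["Subject"] or "").strip()
    # Clue 1: the subject claims to be a reply, yet no threading headers exist.
    if subject.lower().startswith("re:") and not (msg["In-Reply-To"] or msg["References"]):
        clues.append("subject looks like a reply but has no In-Reply-To/References")
    # Clue 2: the mail filter itself flagged it (assumed threshold: SCL >= 5 is junk).
    scl = (msg["X-MS-Exchange-Organization-SCL"] or "").strip()
    if scl.isdigit() and int(scl) >= 5:
        clues.append(f"mail filter marked it as junk (SCL {scl})")
    # Clue 3: the sender's domain is one you have never corresponded with.
    _, addr = parseaddr(msg["From"] or "")
    domain = addr.rpartition("@")[2].lower()
    if domain not in known_domains:
        clues.append(f"unknown sender domain: {domain or '(none)'}")
    return clues
```

The fake reply trips all three clues, while the genuine reply from a known contact trips none.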


Diversity in Cybersecurity 

Diego Alvarez Molina has very short black hair, pale skin, is wearing a suit and looking directly at the camera.
Diego Alvarez Molina


Coming Next Month...

Password Hygiene