“Your Password is ______.”

Brace yourself for the latest in email scams: “Your password is ____”
Scammers are getting exceptionally clever lately and have started sending out very scary and convincing emails. These emails usually put a user’s actual password in the subject line to make it more credible, claim that they’ve hacked the recipient’s computer, and threaten to release very personal information to friends and family via social media if the scammer isn’t paid a large amount of money. While this is a very convincing trick, it’s still only a trick.

Here’s how they do it:

When websites get hacked, attackers often make off with a database of usernames, email addresses, and “hashed” passwords. A hash is a one-way scramble of the password, not encryption, so it can’t simply be decrypted. But the stolen hashes are usually posted to the internet, where anyone can recover the weaker passwords by hashing huge lists of common guesses and looking for matches. If you were one of the affected users, anyone in the world can get a copy of your email address and the password you used for that site.
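The following Python example is added here to illustrate the point above; it is not code from the original post. It constructs a made-up breached user table that stored unsalted SHA-256 hashes (a weak practice) and shows two things: a hash is never “decrypted”, it is matched by hashing guesses, so a common password like the constructed `sunshine1` falls immediately while a long, unique one does not; and how a site should store passwords instead (per-user random salt plus a slow key-derivation function, here `hashlib.pbkdf2_hmac`). All emails, passwords and the word list are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample of what a breached site's user table might look like if it
# stored unsalted SHA-256 hashes. alice's password is the common "sunshine1";
# bob's is long and unique. Nothing here is real data.
BREACHED_ROWS = {
    "alice@example.edu": hashlib.sha256(b"sunshine1").hexdigest(),
    "bob@example.edu": hashlib.sha256(b"Gq7!vT2#pL9@wXz4").hexdigest(),
}

# Constructed stand-in for the enormous common-password lists used against leaks.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "sunshine1", "letmein"]

PBKDF2_ROUNDS = 100_000  # slows each guess down by ~100,000 hash operations


def recover_from_unsalted_hash(hexdigest, guesses=COMMON_PASSWORDS):
    """Match an unsalted fast hash by hashing each guess and comparing.

    This is why a leaked hash of a common or reused password is as good as
    the password itself. Returns the matching guess, or None if no guess hit.
    """
    for guess in guesses:
        if hashlib.sha256(guess.encode()).hexdigest() == hexdigest:
            return guess
    return None


def exposed_accounts(rows, guesses=COMMON_PASSWORDS):
    """Map each breached email to its recovered password, for the weak ones only."""
    exposed = {}
    for email_addr, digest in rows.items():
        hit = recover_from_unsalted_hash(digest, guesses)
        if hit is not None:
            exposed[email_addr] = hit
    return exposed


def store_password(password, salt=None):
    """How a site should store a password: random per-user salt + slow KDF.

    Returns "salt_hex$digest_hex". With a unique salt, the same guess list has
    to be re-run per user, and each run costs PBKDF2_ROUNDS hashes per guess.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Re-derive the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("recovered from the constructed leak:", exposed_accounts(BREACHED_ROWS))
    record = store_password("sunshine1")
    print("salted record:", record[:24] + "...")
    print("verify correct password:", verify_password("sunshine1", record))
    print("verify wrong password:", verify_password("sunshine2", record))
```

The takeaway matches the tips that follow: the site cannot protect a password that is on every common-password list, and even a strong salted store only protects you on that one site, so every site needs its own password.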

Here’s a couple tips you can use to protect yourself:

  • Check https://haveibeenpwned.com. Enter your email address(es) into the field to see if any of your addresses have ever been affected by a breach. If so, you should assume that the password you used for that site is compromised and you should change it on any and all sites that share that password.
  • Use unique passwords for each website. If you use a password manager like https://www.lastpass.com/ or https://1password.com/, you can generate unique, secure passwords for every service you use and never have to remember them. If a site you use ever gets breached, attackers will only have your password for that site, instead of every site you use.
  • Change your passwords often, especially if you are informed that a service you use has been breached.

When in Doubt, Don’t Click! Avoid Email Phishing Attempts

You have probably been told in the past not to click links in emails from unknown sources, and you probably follow that rule to the letter. Even so, phishing attempts become more legitimate-looking every day.

When thinking about whether to click on a link, please remember these basic rules (explained in more detail in this Wired.com article):

  1. Always think twice before clicking a link in an email
  2. Consider the source (first, look at who sent the email, then hover over the link (but don’t click!) and see if the link leads to a website you recognize and trust)
  3. Report phishing attempts, or suspected attempts, to report-phish@osu.edu

Some recent items we have noticed in phishing attempts include the following:

  • Email addresses that look like OSU emails, but if you search the names at osu.edu/findpeople, no results will come up
  • Use of OSU logos, legitimate-looking email layouts, and legitimate email addresses/websites listed under the signature or in the header
  • Simple-looking emails that ask you to click a link to “validate” or “secure” your email, storage, or other information
  • Emails that look like they are written by a friend/colleague but with unknown email addresses or referring to a conversation you never had
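As an added example (not part of the original post), the Python script below turns the “consider the source” rule and the indicators listed above into checks a mail filter or a curious user could run on a saved message: does the From address belong to the organization’s domain, does each link’s visible text name a different site than the one it actually points to (what hovering reveals), and does the message push you to click something to “validate” or “secure” an account. The trusted domain `osu.edu` comes from the page; the sample messages, sender names and addresses are constructed and do not refer to real people or mailboxes.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organization treats as its own (osu.edu is the one the page names).
TRUSTED_DOMAINS = ("osu.edu",)
# Words that typically accompany "click here to fix your account" lures.
LURE_WORDS = ("validate", "secure", "verify", "suspended", "upgrade")


def in_trusted_domain(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname a URL-like string names, or None if it is not URL-like."""
    if "." not in text or " " in text:
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def phishing_indicators(raw_message):
    """Return human-readable red flags found in one single-part HTML message."""
    msg = email.message_from_string(raw_message)
    flags = []

    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        flags.append("From header shows a name but no usable email address")
    elif not in_trusted_domain(addr.rsplit("@", 1)[-1]):
        flags.append(f"sender {addr} is outside {', '.join(TRUSTED_DOMAINS)}")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = urlparse(href).hostname
        if not in_trusted_domain(target):
            flags.append(f"link leads to {target}, which is not a trusted site")
        shown = host_of(text)
        if shown and shown != target:
            flags.append(f"link text shows {shown} but actually goes to {target}")

    haystack = (msg.get("Subject", "") + " " + body).lower()
    if collector.links and any(w in haystack for w in LURE_WORDS):
        flags.append("asks you to click a link to validate/secure your account")
    return flags


# Constructed phishing sample modelled on the indicators listed above.
SAMPLE_PHISH = """\
From: "Doe, Jane" <it-helpdesk@osu-mail-secure.example.com>
To: staff@osu.edu
Subject: Validate your email storage
Content-Type: text/html; charset=utf-8

<html><body><p>All staffs and students must use the portal to access the below.</p>
<p><a href="http://my-osu-login.example.net/validate">https://my.osu.edu/</a></p>
<p>Jane Doe<br>Office of IT<br>https://it.osu.edu</p></body></html>
"""

# Constructed legitimate sample: real domain, link text and target agree, no lure.
SAMPLE_LEGIT = """\
From: "Doe, Jane" <doe.1@osu.edu>
To: staff@osu.edu
Subject: Agenda for Thursday
Content-Type: text/html; charset=utf-8

<html><body><p>Agenda is posted at <a href="https://my.osu.edu/">my.osu.edu</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators found"])
```

Every flag is a heuristic, not proof: a real message from a colleague can trip the lure-word check, and a phisher can register a lookalike domain the suffix check does not catch. That is why the page’s advice to report anything doubtful to report-phish@osu.edu still stands.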

Below are some recent examples that faculty and staff at the College of Nursing have reported. Click on the image to view it full-size.

Examples of Recent Phishing Emails

This email has been flagged by the administrator as a possible phishing attempt (red flag #1), and if you hover over the link without clicking, you’ll see it does not go to an osu.edu webpage. Also please note the convincing-looking signature line, and the very suspicious line above it assuring you that the email is legitimate.

See that the link above does not lead to my.osu.edu, and note the grammatical errors in the email.

The above email contains a link that does not lead to an osu.edu page. It also contains questionable grammar such as “All staffs and students” and “portal to access the below”.

The link in the above email does not seem legitimate, and the “From” line of the email seems odd too, as it does not have an email address but only a name. I looked up the sender below for more information.

It turns out, the “sender” is a real OSU employee, but if you notice in the original email, the “From” box has a comma between last name and first and in the center of the email the comma is missing. If you do not know the sender or you are not expecting an email from them, assume this is a phishing attempt.

Sometimes it helps to do a Google Search or a “Find People” search on the sender of an email. Above is what I found out about “Wilhem Veen,” a name which appeared numerous times above.


Thanks for reading! Please remember to always consider the source and hover over links before clicking them. When in doubt, don’t click! Forward any suspicious emails to report-phish@osu.edu


Cybersecurity Part 1: Internal Threats

Erik Yarberry is the College of Nursing’s Network Administrator. He recently took some time to talk to us about cybersecurity at the College of Nursing, including what are termed “internal” and “external” threats to the network. This post will explore internal threats, and another post will follow discussing external threats.

Internal threats are those that come from employees or others who have access to the network. These can be both intended and accidental. Here are some examples:

  1. Employees clicking on or forwarding phishing messages sent by email
  2. People leaving employment who leave security holes or delete files they shouldn’t (either accidentally or intentionally)
  3. People getting viruses through unsafe websites, unsecured flash drives, or other means

You might be wondering, what’s the point in phishing or hacking the College of Nursing? What’s there to gain? Here are some things hackers and phishers look for:

  1. Intellectual property including copyrighted works, dissertations, etc.
  2. Personally identifying information
    • Social Security numbers, credit card numbers, anything that would help an identity thief
  3. Access to legitimate email addresses to send more attacks out

Internal security threats make up a large portion of the cybersecurity threats that the College of Nursing faces. That’s why it’s important to know a threat when you see it, and if necessary alert the proper channels. Here are some tips to remember to protect yourself and the College of Nursing from these kinds of threats:

  • Don’t click on unfamiliar links or attachments in emails! If you are sent an email that looks suspicious, forward it to report-phish@osu.edu
  • Change your passwords frequently, and use a new and unique password each time. If your email or other information was ever breached, those old passwords could be in the wrong hands.
  • Know how to browse the web safely. Here are some good tips.
  • Have anti-virus software, and update your computer and software regularly. Cybersecurity is basically an arms race, and the best way to be equipped is to keep all of your systems as up-to-date as possible.
  • If you suspect you have a virus or clicked on something you shouldn’t have, alert IT right away at CON-informationtechnology@osu.edu


In our next Cybersecurity post, we will delve into external threats and what the College of Nursing is doing to mitigate them.