Malware and Ransomware Threats

Phishing scams are a form of “Social Engineering” in which the attacker attempts to trick you into giving them your credentials or access to your system. Phishing typically refers to scams carried out through email, but very similar scams can be run through text or social media messaging. In phishing scams, the attacker, or “phisher,” will pose as an institution or individual that you trust by sending you a fake message that claims to be from that trusted party.

Often, the goal of a phishing attack is to get you to provide your login credentials or other sensitive information like your social security number or financial institution information. This information could then be used to gain access to your private accounts or to steal your identity. You should be suspicious of any email that asks you to provide personal information or that directs you to a webpage that ask for this information.

Another goal of phishing is to trick you into downloading malicious code onto your computer. This can occur when you click a link or open an attachment. The malicious code can then do any number of very bad things to you, your computer and your network. You may never know it’s there, or it may be glaringly obvious like when “Newman’s” face pops up on Samuel L. Jackson’s computer screen in Jurassic Park saying, “Ah Ah Ah.” 

Phishers attempt to play on your emotions, often including disturbing or enticing information in their emails in an attempt to provoke you to act. They may try to create a false sense of urgency by saying "your account will be deleted" or that "you are over your email storage space." They often urge you to act immediately to "update" or "verify" your account information.

Phishing techniques and social engineering techniques in general are growing increasingly complex and the impersonations are getting more and more realistic and difficult to spot. Ohio State email accounts continue to be targets for an increasing number of phishing attacks. Some of these emails are very sophisticated; using "real" email addresses, convincing branding and/or "official" signatures.

If you think an email is a phishing attempt, report it!

Recognizing a Phishing Attempt

• Here's a list of points to consider when deciding if an email is trustworthy. However, don't rely on any single factor.

• False claims, warnings and threats

• Unofficial "From" addresses

• Impersonal or strange greetings

• Spelling, punctuation and grammar

• Spoofing popular websites or companies

Protecting Yourself from Phishing

• Think before you act. Be wary of communications that implore you to act immediately, offers something that sounds too good to be true or warns of negative consequences if you do not act now.

• Look closely at embedded links. Phishing emails often include links that may look legitimate but actually send you to malicious web sites that look and feel like the authentic ones. The web page address (URL) may use a variation in spelling. Or the URL shown may appear to be legitimate - but when you hover over the link with your mouse to see where it will lead, a fake address may be displayed.

• Do not provide your login credentials or any personal information.

• If you think an email is a phishing attempt, report it!

• Using the Phish Alert Button is not only a way for you to report suspicious emails, it will also take the place of the need for creating service desk tickets when you receive suspicious emails.  Reported emails are sent to our service desk and will be auto assigned to the correct team for review. So, your reporting of a suspicious email could prevent hundreds of our colleagues from falling victim to a malicious scam. 

All school/ APS business should be conducted through your APS email. We have additional security in place to ensure school and district info stays safe. This is important to aligning with best practices and regulations that require archiving, record retention, and reporting. 

But what about your personal emails and information,? There are a few things you can do to stay safer while using these services, particularly if you use that email address to reset passwords for banking, e-commerce or social media sites.

• Turn on multi-factor authentication if the service provides it. This will provide an extra layer of defense. An attacker can’t simply guess your security question to reset your password.

• NEVER share your password with a friend for ease-of-use. Keep separate email addresses and create a distribution list if you wish to receive incoming emails from multiple senders.

• Consider closing accounts with email companies that have had major data breaches and did not provide details on what steps they took to ensure a similar incident didn't occur in the future. Conducting a web search will give you a good idea of which companies are most likely to keep your information safe.

• Be sure your email site is encrypted through SSL/TLS. You can confirm this by looking at the web address. It should begin with https://.  The “S” is what you are looking for to confirm encryption is being used.

Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials -- for example, a name and password -- to access multiple applications.  For example, Classlink or my.aps.edu is a SSO.

Although single sign-on is a convenience to users, it presents risks to enterprise security. An attacker who gains control over a user's SSO credentials will be granted access to every application the user has rights to, increasing the amount of potential damage. In order to avoid malicious access, it's essential that every aspect of SSO implementation be coupled with identity governance. Organizations can also use two-factor authentication (2FA) or multifactor authentication (MFA) with SSO to improve security. 

Google, LinkedIn, Twitter and Facebook offer popular SSO services that enable an end user to log in to a third-party application with their social media authentication credentials. Although social single sign-on is a convenience to users, it can present security risks because it creates a single point of failure that can be exploited by attackers.

Many security professionals recommend that end users refrain from using social SSO services altogether because, once an attacker gains control over a user's SSO credentials, they will be able to access all other applications that use the same credentials.

To learn more: https://searchsecurity.techtarget.com/definition/single-sign-on

Many websites, such as Seesaw, Flipgrid, and others, will allow users to log in through Google. When setting up online accounts, you may be prompted with options to sign in with your Google account or another site like Facebook, Twitter, Apple, etc. The information stored on Google can create new user accounts and sign you in with only a few clicks. While this system makes logging in easier and more secure, you may be worried about potential privacy risks. Is it safe to sign in with Google? 

Using the option to sign in with Google is safe. Google’s strong security and OAuth system provide better protection than current poor password practices. Users should understand the privacy concerns. Authenticators share data and account permissions to third-parties while collecting user login and traffic. 

For more information: https://dataoverhaulers.com/sign-in-google-safe/

Page citation: https://cybersecurity.osu.edu/cybersecurity-you/develop-safe-habits/securing-3rd-party-email