What you missed from Cyber Scotland Week 2019
Last week, we promoted Cyber Scotland Week, the first event of its kind for cyber security in Scotland. The week aimed to showcase the innovation taking place across the sector while raising awareness of good cyber resilience practice.
We shared cyber tips on our Twitter account @StAITServices throughout the week for other University Twitter accounts to share. A display of IT security resources was set up in the Main Library to raise awareness of strong passwords, phishing and the free anti-virus that everyone can download to their personal devices.
If you see any posters that you’d like to request in bulk for your area, just contact the IT Service Desk (email@example.com).
Cyber Security Lunchtime Talk
On Wednesday, our IT Security Team held a lunchtime talk titled ‘This really happened – could it happen to you?’
We looked at five different types of attack and for each:
- The attacker’s motivation behind it
- How you can identify them in your inbox
- What you can do to protect yourself
We concluded the session with a Q&A which led to a discussion on password managers. For more information about password managers, visit the National Cyber Security Centre website.
1. “Are you available?”
This is an example of a fraudulent email which has been spoofed to appear to come from a person holding a senior position.
The attacker intends for you to feel a sense of urgency to assist your colleague, either by replying or carrying out tasks. Ultimately, the attacker will ask you to do something which incurs a financial loss – like buying vouchers and telling them the voucher code.
How to identify CEO spoofs and protect yourself
- Check the sending address and the reply-to address.
- Consider the tone of the email, the sign-off and the email signature.
- Think about your role at the University and whether you’ve been required to do this before. If it seems out-of-the-blue, you can ask us to check.
- Check for Office 365 security warnings.
- Report it. If you’re ever unsure, please forward the email on to firstname.lastname@example.org.
2. “You have been visiting illicit websites, pay up”
A sextortion email demands payment from you so that something intimate or embarrassing about you, such as photos or website activity, will be deleted and not made public; in most cases the threat is to send it to your contacts list.
The attacker intends for you to be distressed about this false information being publicised whilst discouraging you from reporting it to your IT department as you’ll feel embarrassed about the content – despite the content never existing.
Traits of a sextortion email
- It may appear to come from your account.
- It may include an old password from an external breach, such as LinkedIn.
- The email may ask for payment by Bitcoin or other online currency.
How to protect yourself
- Do not pay the demand.
- Report it so we can take steps against the sender and make others aware.
- Be aware of where you use your University email address and where it’s displayed.
- Good password management:
  - Never reuse your password across different sites.
  - Use a password manager.
  - Follow the strong password guidelines on the IT website.
3. Phishing emails featuring a button
A phishing email is a fraudulent email designed to steal sensitive information such as usernames and passwords. Rather than using a link, there is a recent trend of incorporating buttons into emails to lure the recipient into interacting with them.
The attacker intends to obtain your credentials by appearing to be a trusted sender, and may also use a subject you recognise. The button may also lead to malware, which means the attacker could gain control of your computer.
How to identify phishing emails and protect yourself
- Check the sender.
- What is the email asking you to do? Is it asking you to click a link to sign-in? Please don’t click out of curiosity.
- Would you expect an email like this?
- Has it created the sense of urgency that most phishing emails do?
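The sender and button checks from sections 1 and 3 above (and the "appears to come from your account" trait in section 2) can be turned into a small triage script. The block below is an added example and is not code from the original post or from the University's IT Security Team: it uses only the Python standard library, and the internal domain list, the urgency phrases and the three sample messages are constructed placeholders.

```python
"""Heuristic checks for spoofed-sender and button-style phishing emails (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"example.ac.uk"}  # assumption: the organisation's own mail domains (placeholder)
URGENCY_WORDS = ("are you available", "urgent", "immediately", "right now", "suspended")


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the first address in a header value, '' if none."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible label) for every anchor, styled 'buttons' included."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._label = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._label.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(t for t in self._label if t)))
            self._href = None


def analyse_message(raw: str) -> list[str]:
    """Return human-readable findings for one RFC 5322 message; empty list if nothing looks off."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain, reply_domain = domain_of(from_addr), domain_of(msg.get("Reply-To", ""))

    # CEO spoof: a familiar display name on an address outside our own domains.
    if display_name and from_domain not in INTERNAL_DOMAINS:
        findings.append(f"external address {from_addr} uses display name '{display_name}'")
    # Replies quietly diverted to a domain other than the visible sender's.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Sextortion trait: the message appears to come from the recipient's own account.
    if from_addr and from_addr.lower() == parseaddr(msg.get("To", ""))[1].lower():
        findings.append("From address equals To address (apparent self-sent mail)")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    is_html = body_part is not None and body_part.get_content_subtype() == "html"
    plain = re.sub(r"<[^>]+>", " ", body) if is_html else body
    text = f"{msg.get('Subject', '')} {plain}".lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # Button phish: a link or styled button whose destination is not the sender's domain.
    if is_html:
        collector = LinkCollector()
        collector.feed(body)
        for href, label in collector.links:
            host = (urlparse(href).hostname or "").lower()
            if host and host != from_domain and not host.endswith("." + from_domain):
                findings.append(f"link '{label}' goes to {host}, not the sender's domain {from_domain}")
    return findings


# Constructed sample messages; every name and domain is a placeholder.
CEO_SPOOF = """From: Jane Doe <jane.doe@mail-example.net>
Reply-To: jane.doe.office@example.net
To: alex.smith@example.ac.uk
Subject: Are you available?

Alex, I am in a meeting and need a favour right now. Reply as soon as you see this.
"""
BUTTON_PHISH = """From: IT Service Desk <itservicedesk@example.ac.uk>
To: alex.smith@example.ac.uk
Subject: Your mailbox is almost full
Content-Type: text/html; charset="utf-8"

<html><body><p>Your mailbox will be suspended in 24 hours.</p>
<a href="https://login.example.net/owa" style="background:#0078d4;color:#fff">Sign in to fix</a>
</body></html>
"""
BENIGN = """From: Alex Smith <alex.smith@example.ac.uk>
To: sam.jones@example.ac.uk
Subject: Minutes from Tuesday

Hi Sam, the minutes are on the shared drive as usual.
"""
```

Running `analyse_message` over the three samples flags the spoofed "Are you available?" message (external display name, diverted Reply-To, urgency wording), flags the button email (urgency wording, button pointing away from the sender's domain) and reports nothing for the ordinary internal message. These are only the visible-header checks the talk recommends; a mail gateway would additionally rely on its own SPF, DKIM and DMARC results, since the From header alone can be forged.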
4. “Please can you update our banking details”
A fraudulent email or document designed to trick someone into changing bank details or paying fees to an attacker.
The attacker targets individuals that are in the process of making large bank transfers. They intend to intercept the sale at the point of money transfer and ask you to update your details or send you an ‘updated’ invoice. The attacker is hoping that you’ll recognise the company name, trust the sender without thinking, and transfer the money.
How to identify banking fraud and protect yourself
- Contact the company using a known contact method to check invoice numbers and banking details before making a large transfer.
- Ask the IT Security team to scan documents to ensure they’re safe.
- Follow the phishing advice given above.
5. State Sponsored
In this instance, Iranian nationals were accused of being part of the ‘Silent Librarian’ group, which hacked over 300 universities across the US, UK, Canada, Germany and Japan, among other countries. They stole 30 terabytes of research data worth billions.
Other things you can do to stay safe
Download anti-virus to your personal device
Visit the software downloads page on the IT website to see what free anti-virus is available. If you’re using a classroom PC or a managed staff desktop, you’ll have anti-virus on it already.
Keep everything up-to-date
Whether it’s your operating system, anti-virus or software, make sure it’s up-to-date. Again, this is done automatically on classroom PCs and managed staff desktops.
Check to see if your personal account has been breached
Public websites are breached more often than you think. This means that any email address that’s signed up to the website may be stolen, as well as any other details you’ve entered when setting up your account. Visit https://haveibeenpwned.com to see if your personal email address has been involved in a data breach.
Make use of online resources
If you’d like to know more about cyber security, have a look at the websites of the organisations we recommend below.
- National Cyber Security Centre. NCSC is intended to be the authoritative voice and centre of expertise on cyber security for the UK as a whole, helping to manage national cyber security incidents.
- Get Safe Online. Advice on how to protect yourself against fraud, identity theft, viruses and many other problems encountered online.
- Centre for the Protection of National Infrastructure. CPNI has developed a series of security awareness campaigns. ‘Don’t take the bait’ was designed to raise awareness of spear phishing.
- Take 5. A national awareness campaign led by FFA UK (part of UK Finance), backed by UK Government to help tackle financial fraud.