Cybersecurity Blog

New cybersecurity awareness training launching soon – 06/29/22

It is that time again. One training year closes and another begins. June 30 is the training deadline for this year’s courses. I am pleased to say that 74% of registrants have already completed the training. If those who are currently working on courses finish up, that will give us a record 79% completion rate. Whooo hooo!!! I am confident that you won’t let me down and you will pop back in to complete those last few modules.

Unfortunately, fewer people are finishing the pretest. Only 70% have completed it. Luckily, the majority of those who do are not assigned any training. When training is assigned, typically only two modules must be completed. That means the odds are it will only take you 20 to 30 minutes to complete your annual training! Set aside a little time to finish this up and prove how effective the pretest program is. Keep in mind that while the deadline was June 29, the Security Education Platform will allow you to access the pretest and assigned training until July 29, 2022. So it isn’t too late to get it done!

At the beginning of July a new round of training will launch. Watch for the email notifications to arrive in your inbox. Remember, current employees have a whole year to complete their training. Please don’t send me angry emails saying that you just finished your training and don’t know why you have to take more. New hires aren’t so lucky. They have only 60 days to complete their training. It works best if you spread the training out instead of completing it all in one sitting.

This year, registration of new hires in the Security Education Platform will be automatic, as will enrollment in the new hire training. This is wonderful news, as neither you nor any of your new hires will have to fill out the registration form. The training notification will automatically arrive in their inbox, and they can get started on their training right away without any help from you. Yaaayyy!! Unfortunately, if they handle payment card data, they will still have to register for PCI training. Sorry, it can’t all be good news.

There will once again be a pretest for all current employees. This year it will be a tad shorter: 22 questions instead of 33. Yaayyyy!! Some more good news. Once again, there will be additional training for those of you considered to be high value targets. The training is very specific to your role, and you will find it more helpful than annoying. At least that is the hope.

In addition to new training, we also have a new system in place to keep user profiles up to date. This should result in far fewer people getting training notifications after they have left MRU. Supervisors should also find that the training status reports for their teams are more accurate. Another win!

Lastly, the Cyber Guys videos will take a short break over July and return again in August. They have been busy, and we have a whole new crop of ridiculously funny reminders on how to stay cybersafe for the new year. Thank you all for the positive feedback. I am delighted that you have found them as entertaining as I have.

A big thank you to everyone who has set aside precious time in their schedule to complete their training. You have invested in the safety of your home, family and colleagues. While the training doesn’t always seem beneficial, sometime in the future you will be thankful that you took the time to learn how to identify and thwart a cyberattack.

Chrome’s latest update includes a confusing pop up – 06/01/22

Chrome has been updated. As part of the update, a pop up appears when you log in.

This pop up is simply reminding you that Mount Royal University manages your MRU Workspace account and that we have access to it. This new pop up is part of Google’s new privacy features. There haven’t been any changes to your account; the University has always had access to it. The pop up isn’t malicious and your computer has not been hacked.

Click to select Keep local browsing data to save your current bookmarks. Then click the Continue button to close the pop up and use Chrome/Google Workspace as usual.

Innocent looking webpage hides malware – A true story – 05/25/22

It was just another day for an MRU staffer. He was fielding calls and sorting through emails when he received an invite to a conference. He just needed to double check the session time. However, it was listed in a different time zone than his. It was early in the morning and his brain wasn’t fully functioning, so he was unable to convert the time in his head. He Googled “time zone converter” and clicked the first link listed in the search results.

As soon as the webpage loaded, mayhem erupted on his computer. Pop-ups appeared. Big scary alerts with flashing arrows pointing to a button said he had a virus. Click here, said the button, to remove the virus. You must click NOW flashed across the screen. Everything that could light up and flash was lit up and flashing. His computer screen looked like a slot machine that was about to pay out, only this payout was malware, not money.

He started to panic. He thought, “What do I do, what do I do? What did Bernadette say to do in training?” Then he remembered the first step.

Don’t touch anything

“Okay,” he thought, “I won’t touch anything. What did she say to do next?”

Disconnect from the Internet

“Right.” He dug around behind his computer and yanked the network cable out from the back of it. “Okay, what is next?”

Contact the IT Service Desk

He picked up the phone and called the Service Desk. It took almost no time at all before a technician was there checking his computer. Thankfully, there was no harm done. Because he had followed his training and did not click on anything on the webpage, the malware was never loaded onto his machine.

He was immediately grateful for the training he had received. Had he forgotten not to touch anything on the screen, he would have lost a lot of his day and his data getting his computer reimaged. While he knew the training was helpful, he didn’t realize just how much until he found himself experiencing a cyberattack. He was so glad he had taken his annual training. He was never going to consider it a waste of time again.

Scammers getting really clever with MasterClass phishing emails – 04/28/22

Over the last few weeks, phishing emails with fake invoices from MasterClass have been popping up in inboxes all over campus. I have been posting them to the Phish Bowl, but you can see an example here.

Most of you will probably have noticed that the attachment itself isn’t malicious. Instead, the scammers are hoping you will call them and ask for a refund. If you do, there are a number of scams they can pull.

The simplest is asking for your credit card number so they can issue a refund to the correct card. They assure you that the refund will appear on your credit card statement within 48 hours. Of course, no such refund is made. Instead, they go on a 48 hour shopping spree on your dime.

The more sophisticated scams take you through a “refund” process where they deposit funds directly into your bank account. They then show you a fake screenshot that indicates they accidentally refunded you too much money, and ask you to e-transfer the excess funds. When you point out that the refund doesn’t appear on your online bank account statement, they say that it will take 24 hours to do so. If you ask to wait until it shows up, they say that if they don’t fix the error now, they will get fired. They can be very persuasive. Sometimes they will cycle you through several “supervisors” and “managers” to convince you that the excess funds must be returned immediately.

Of course, they never charged your card in the first place, nor will you ever see the money refunded to your bank account. Instead, you will have handed over thousands of dollars to the scammers.

Fortunately, it doesn’t appear that many people on campus have fallen for this scam. As a result, the scammers have upped their game. We are now seeing the following email arrive in inboxes shortly after the one I previously shared.

You see, people are getting smart. The scammers are realizing that an email with an attachment maybe isn’t the best way to get people to call them. Instead, they have set up a remote support session. The diabolical part is that this email comes from a legitimate service, Zoho Assist, so malware filters won’t think anything is amiss. Your only clue is the little note at the bottom that mentions the email comes from a generic email account instead of MasterClass itself. This is something they hope you won’t notice, as the previous email has already got you thinking about that MasterClass subscription you didn’t sign up for.

I have to admit, this is very, very clever. The good news is, if you take your time and look closely, you can identify the scam and delete the email before things ever get to the excess refund stage.

New Google feature looks like phishing – 03/25/2021

Google has launched a new feature for Google Meet. Any time there are more than two people in a meeting, you will automatically receive an attendance list attached to an email. This email has the name of the meeting in the subject line. This works great when you have created the meeting in your calendar and given it a name. The email makes sense and it looks legit.

However, if you create the meeting through Google Chat or the Meet button in the Gmail window, there is no way to give the meeting a name, so Google does that for you. As a result, you end up with an email subject line that includes a bunch of random capital letters in quotes.

At first glance this email looks really, really phishy. You have this weird looking subject, an attachment, and you didn’t request an attendance report. But if you take a closer look at the sender’s email address, you realize that this is in fact coming from Google and it is a legitimate email.

If you receive an email like this and you are uncertain what to do with it, then please report it. However, hopefully now that you have a little more information, you won’t feel quite so uncomfortable when that odd email shows up unannounced from Google.

AHS offer of $100 for getting vaccinated is fake – 03/11/22

There is a particularly devious smishing attack currently being circulated. Check it out.

This one is extremely well done for several reasons. First, the chances are high that whoever receives this text is vaccinated. Second, the Alberta Government was indeed sending out $100 debit cards to those who got vaccinated last fall. Third, the link appears to go to Alberta Health Services. Lastly, we have all seen the sign-in partner prompt when dealing with the CRA or when receiving an e-transfer.

So what are the red flags? If you hover over the link, it will display a different URL than the one you see in the link text. In addition, the Alberta Government’s program was to distribute debit cards, not deposit money directly into your bank account. Also, that program ended in the fall, and there is no new program to encourage you to get your booster.

No one I know has clicked the link to see what will happen. However, I can make a pretty good guess from the way the information is presented. Likely, the link takes you to a page that asks for your banking credentials.

As much as we could all use an extra $100 right now, this one falls into the “Too good to be true” category.
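The first red flag above, a link whose visible text shows one address while the underlying URL points somewhere else, is something a mail filter or a help desk triage script can check automatically. The following is an added example, not code from the blog or from MRU's IT department: it parses the anchors in an HTML message body with Python's standard-library `html.parser`, and reports any link whose displayed text looks like a web address on a different domain than the real `href`. The sample message, the hostnames in it and the two-label domain comparison are constructed for the demonstration (a real deployment would use a public-suffix list rather than "last two labels").

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that reads like a URL or bare domain, e.g.
# "albertahealthservices.ca/rebate" or "https://mtroyal.ca/it".
URL_LIKE = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:[/?#]\S*)?$",
    re.IGNORECASE,
)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> we are currently inside, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def shown_host(text):
    """Hostname the reader *sees* in the link text, or None if the text is not URL-like."""
    m = URL_LIKE.match(text.strip())
    return m.group(1).lower() if m else None


def registrable_domain(host):
    # Constructed simplification: compare the last two labels only.
    # A production check should use a public-suffix list instead.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_mismatched_links(html_body):
    """Return links whose displayed domain differs from the domain the href really goes to."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        actual = urlparse(href).hostname
        shown = shown_host(text)
        # Links with non-URL text ("Click here") cannot be judged this way;
        # they are left to other checks.
        if actual and shown and registrable_domain(actual) != registrable_domain(shown):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


# Constructed sample message body (hostnames invented for the example).
SAMPLE_BODY = """
<p>You are eligible for a $100 rebate. Claim it at
<a href="https://login.ab-health-rebate.example.net/claim">https://albertahealthservices.ca/rebate</a>.</p>
<p>Questions? See <a href="https://mtroyal.ca/it">mtroyal.ca/it</a> or
<a href="https://docs.google.com/forms/example">Click here</a>.</p>
<p><a href="http://mail.google.com/">www.google.com</a></p>
"""

if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_BODY):
        print(f"shown {f['shown']!r} but goes to {f['actual']!r} ({f['href']})")
```

Only the first link is reported: its text displays `albertahealthservices.ca` while the href resolves to a host under `example.net`. The `mtroyal.ca` link and the two Google links are left alone because the displayed and actual domains agree, and "Click here" is skipped because its text makes no claim about a destination.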

Shared/delegated email accounts and MFA – 01/12/22

Google has started sending reminders to those who haven’t yet enabled multi-factor authentication (MFA) on their Mount Royal email account. For those with a single email account the process is easy. However, if you use a delegated account, a Google Group or a shared email account, there may be some confusion. Do you have to enable MFA or not? Well, that depends on what type of account you have and how you use it.

Delegated accounts allow you to access their emails from your own Mount Royal email account. Neither you nor anyone else who uses the account ever logs into it directly. If you click on your profile picture in Gmail and see the account listed with “delegated” next to it, it is a delegated account.

Even though you may have received a notification to enable MFA on that account, you don’t have to. We know that is confusing, so we are working on identifying all the delegated accounts so that, hopefully, you will not get notifications in the future.

Shared accounts require you to log in with a separate username and password to access emails. The username and password are often shared by several people. They are usually set up because the generic account needs a YouTube channel or needs to create its own Google Forms. If you have a shared account, please do not ignore the MFA notifications; contact the IT Service Desk to find out whether MFA is required. This will be determined on a case by case basis depending on how the account is used.

Google Groups aren’t actually email accounts, so you don’t see them listed with your delegated accounts. They are mailing lists that you subscribe to or create. They are often set up to send emails directly to your inbox, but you can also access the emails from the Google Groups app. As Google Groups are part of Google Workspace, you don’t need to enable MFA on them separately. They are protected when you enable MFA on your MRU email account.

For more information on enabling MFA visit the Multi-factor Authentication web page.

No that is not a malicious pop up – 01/11/22

In preparation for the implementation of mandatory MFA on February 28, 2022, a new pop-up will appear when you log in to Google if MFA is not turned on. It looks like this.

If you click Do this later, you can access your account and enable MFA at a later date. However, we do encourage you to click Enroll instead. The sooner you enable it, the sooner the annoying pop-up goes away. After February 28, 2022, anyone who does not have MFA turned on will have to contact the IT Service Desk to get access to their Mount Royal email account, Google Drive or any other Google Workspace apps.

The Cyber Guys are coming! – 01/11/22

January 2022 is here! As promised, next week we will be releasing the first Cyber Guys video. This short video is super fun. As a reward for watching, you will earn a contest entry code. Have a giggle, get a cybersafety reminder and earn codes. What could be better? Log into the Security Education Platform and check your My Assignments list to find the video link.

The use and care of your MRU email address – 12/07/212

We are regularly notified through Have I Been Pwned that Mount Royal email addresses have been involved in a data breach. When we receive that notification, we are told which account provider was affected and which email addresses were involved. This allows us to contact those who had their accounts compromised and ask them to change their passwords.

With multi-factor authentication enabled, this is less of an issue. Even if a password is stolen, the attacker will not be able to get into an MRU email account without the second factor. However, it is still important that compromised passwords are changed, especially if the same one is being used for multiple accounts. So we are still acting on data breach notifications.

Usually the data breaches are for work related services. However, once in a while we are notified that a gaming site, dating website or a site with adult content has been breached. If you have used your Mount Royal email address to access that site, we will be notified. It is awkward for everyone when that happens.

Please keep your private life private and only use your MRU email address for work purposes. We don’t need to know what you do for hobbies, how you spend your time outside of work or where you shop. Save us all the embarrassment and use another email address for your personal pursuits. The security team thanks you.
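The post above relies on Have I Been Pwned's breach notifications for email addresses and asks people to change passwords that were exposed. The same service also lets you check whether a specific password has appeared in a breach without ever sending that password anywhere, using its k-anonymity range API: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every hash suffix in that range with a count, and finishes the comparison locally. The following is an added example written for this blog entry; it is not code from the blog or from Have I Been Pwned. The range response it checks against is constructed inline so the demonstration runs offline, and `live_fetch_range` (which queries the real `api.pwnedpasswords.com/range/` endpoint) is included only to show where a network call would plug in.

```python
import hashlib
import urllib.request


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(digest: str):
    """k-anonymity split: only the 5-char prefix ever leaves the machine."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """How many times the password appeared in known breaches (0 = not found)."""
    prefix, suffix = split_for_range_query(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix: str) -> str:
    """Real range lookup (not used by the offline demo or the test)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the range endpoint: one "breached" sample password
# plus two filler suffixes, so the lookup logic can be exercised offline.
BREACHED_SAMPLE = "password"


def fake_fetch_range(prefix: str) -> str:
    sample_prefix, sample_suffix = split_for_range_query(sha1_hex(BREACHED_SAMPLE))
    lines = ["0" * 35 + ":1", "F" * 35 + ":2"]          # filler entries (constructed)
    if prefix == sample_prefix:
        lines.append(f"{sample_suffix}:3")                # constructed count for the sample
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    for pw in (BREACHED_SAMPLE, "a long unique passphrase chosen for this demo"):
        print(f"{pw!r}: seen {pwned_count(pw, fake_fetch_range)} time(s)")
```

Swapping `fake_fetch_range` for `live_fetch_range` turns this into a real check, and the only data transmitted is the five-character hash prefix, which matches roughly one in a million SHA-1 hashes, so the service cannot tell which password was being tested.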