As employees all over the world work from home, criminals are ramping things up, hoping to take advantage of the less secure networks people tend to have at home. We are seeing surges in phishing emails, on campus and across the world, related to working from home, as well as an increase in malicious websites. It has gotten so bad that the US Secret Service has issued a warning. Here are some things to watch out for.
The fake VPN
As employees struggle to set up a home office, they are signing up for and downloading VPN services at record rates. While all of our employees have the advantage of using SRAS, many smaller organizations do not have their own VPN tool and are asking employees to install one on their home computer. If your spouse or roommate is in this situation, warn them to be very careful about which VPN they download. Cyberattackers are offering fake VPN services in record numbers, and installing one downloads malware onto your machine. Make sure they check reviews of the service to ensure it is reputable before they install it.
Fake COVID-19 trackers
As people attempt to live their lives and stay safe, many are turning to maps that track the location and incidence of infections. Criminals are getting wise and creating their own versions of these tracking websites that infect your computer with malware.
Some enterprising scammers have also created phone apps that supposedly track the infection rate but load your device with ransomware instead. Stick to well-known and reputable websites such as Alberta Health Services and the World Health Organization to get your information about the virus, and stay away from any apps related to it, including ones that claim to tell you how to get rid of it.
Phishing emails about working from home and COVID-19
Phishing email attacks are off the scale, with everything from fake emails from your organization about working from home to offers of vaccines and cures. One of the attackers' favourites is a fake GoFundMe page with coronavirus victims pleading for medical help. Another is pretending to be a colleague who is quarantined and needs help.
You name it, the depraved are going to try it. During this time it is especially important to be vigilant. If you receive an email that doesn't come from a Mount Royal email address, question its validity. While you are working at home, make sure you use your Mount Royal email address to send business correspondence. DO NOT use your personal email address. This makes it easier for your colleagues to tell your messages apart from phishing attempts.
The MRU community is made up of a diverse group of people. Some of you just like to forward suspicious emails to email@example.com without really doing much investigation on your own. Others like to make a game out of looking for phishing red flags. While still others follow email processing guidelines, just like I have asked. Thanks to all of you, my job is never dull.
That said, we thought it would be a good idea to give all of you one more tool to help with the challenging job of identifying phishing emails. IT Services is proud to announce the launch of the MRU Phish Bowl. The Phish Bowl contains a collection of all the phishing emails that we have received over the past few years. When you receive an email in your inbox and you aren’t quite sure if it is malicious, you can now search the Phish Bowl for it. If the exact email or a very similar one is posted then you know it is malicious and you can simply delete it.
Each post in the Phish Bowl shows you what the email looks like, points out the red flags and lets you know how to deal with similar emails in the future. It tells you not just that the email is malicious, but why.
If an email doesn’t appear in the Phish Bowl, it doesn’t mean that the email is legitimate. You will still have to use the other strategies that you have been implementing to determine if it is malicious. The Phish Bowl is only an additional tool, not a replacement for your current vigilance.
The Phish Bowl is also helpful for those of you who are not sure whether you should forward an email to firstname.lastname@example.org or not. If you do a search and find the email already listed, you know there is no need to report it. If it isn't, then you know you may have a new nasty that needs to be reported.
We will be updating the Phish Bowl as new reports come in. You can access it here, or from the MRU Cybersecurity Hub at mru.ca/cybersecurity. Look for the Phish Bowl link in the section titled Stay Informed.
When we tabulated our survey results, we were delighted to find a significant reduction in password sharing on campus. However, our victory lap did not last long. Password sharing is happening less but there are scary numbers of people logging in and letting someone else use their account.
We understand that you have guests who come on campus and need WiFi access, that you have new employees you need to train, and that sometimes a colleague's or friend's account isn't working. However, regardless of the reason, credentials should not be shared. Your credentials are only for your use. They give you exactly what you need to have access to, no more and no less. This protects you, your colleagues and the institution.
Stop for a minute and think about all the things only you can access with your login credentials that no one else has access to. Do you really want someone else to be able to access those things? Think about how embarrassed, uncomfortable or alarmed you would feel if a colleague or friend started exploring. I know what you are thinking: "I can trust them. They wouldn't do anything malicious with my account."
Regularly we hear about horror stories of friendships gone wrong, bitter colleagues, bad breakups and the resulting fallout. When things go bad it is impossible to predict how someone will react. You would be unpleasantly surprised to know the damage that has been caused when these things occur.
Even if letting someone else use your account doesn’t result in data armageddon, it is against the Acceptable Use of Computing and Communication Resources Policy. The good news is there is no reason to do so. IT Services can arrange access for anyone for any reason. We have a solution for every situation. Find yours in the Credential Use Guidelines. If you aren’t sure what to do, just call the IT Service Desk and let them know what your time frame is. They will get back to you right away and provide you with a solution.
Don’t give up control by logging in for someone else. Reserve your account for your use only.
The attackers are at it again, this time they have tried to hide behind threats of disciplinary action. Check out the latest phishing email to hit the campus:
This nasty thing mostly landed in spam folders. However, some of you will have found it in your inbox. The premise is plausible and the PDF attachment looks harmless. If you were to open this email on your phone, where the mail client often shows only the sender's display name, the odds are very good that you would assume the email is legitimate. However, if you open the attachment a nasty surprise awaits. This is a gentle reminder to double check the sender's actual email address, not just the name shown, before you decide to act on an email.
In the When to use your @mtroyal.ca email address article, I outlined some general guidelines on how to determine which email address you should use for creating accounts and accessing online services. This article generated a slew of questions related to availability of email accounts once someone leaves the University. I thought it would be helpful to clarify who gets to keep their accounts, under which circumstances and why.
Our email policy states
The University provides an email account to all faculty, staff and students to be used in the course of their duties or activities at the University. The University may also provide an email account for alumni, retirees, and professors emeriti, as well as others at the discretion of the University.
All email accounts and associated addresses are the property of the University.
So what does this actually mean and how is this policy implemented? Well that depends on who you are and under what circumstances you leave the University.
- If you are a staff member your access to your email will be terminated regardless of why you leave. This is to ensure business continuity.
- If you are a faculty member the same rule applies unless you are leaving due to retirement. Retired faculty members get to keep their email accounts as long as they adhere to the email policy. This is part of their collective agreement.
- Students retain permanent access to their email account.
Regardless of who you are and why you left, the University owns the email account and can revoke your access at any time. The most common reason is not following the email policy. However, it is at the discretion of the University to revoke it for any reason it deems credible. Some of those reasons may be a change in policy or a change in email provider.
Therefore you should never consider your @mtroyal.ca email account to be yours for life. It is yours until the University decides it is not. That is why I suggested all MRU account holders follow the guidelines outlined in the When to use your @mtroyal.ca email address article. The guidelines ensure that you maintain access to your accounts even if your access to your @mtroyal.ca email address is lost.
Another thing to consider is FOIP requests. According to the email policy, any email sent with your @mtroyal.ca account is subject to a FOIP request regardless of whether the content of the email is personal in nature or not. If you don’t want your personal emails to show up in a FOIP request, don’t use your @mtroyal.ca account to send them.
If you have any questions about email access or the email policy please contact the Service Desk, they will be happy to help.
In today's modern world, the lines between our personal lives and our work or school lives often become blurred. We are shopping on Amazon on our lunch hour and answering University emails from our laptop at home. This often makes it difficult to determine when you should use your @mtroyal.ca email to sign up for an account or service and when you should use your personal email.
A good guideline is to use your personal email address for anything that you want to use or have access to even if you aren’t working or attending Mount Royal University. For those services and accounts that you will only access WHILE working or attending the University, use your @mtroyal.ca email address.
When sending university related emails, use your @mtroyal.ca account. It reduces the chances your email will be mistaken for a phishing attempt and reported to email@example.com.
Following these guidelines reduces our network’s exposure and vulnerability. It also makes it easier for you to maintain access to services and accounts when you retire, graduate or work for another organization. In addition, it means you will get fewer notifications from us that your email was part of a data breach. Less work for us, less hassle for you…everybody wins!
It’s that time of year again when we look back at how we have done for the last 12 months and determine how we can improve. It is cybersecurity survey time!!! Yes, you read correctly the Cybersecurity Survey is ready for your input. Whoo hoo, I can just feel your excitement!
The good news is that for completing the survey, you earn a contest entry code for the Cybersecurity Challenge. The better news is we have a sponsor for this year's survey. I know there will be those of you who were looking forward to winning a grab bag of swag. However, you sick folks are going to have to settle for a gift certificate from the Table. That's right, the terrific folks at NetApp are donating a $50.00 gift certificate.
To get your free food, you only need to take 5 to 10 min to complete the survey. Your feedback helps shape the cybersecurity awareness program for the next year. Remember we want to know what you ARE doing not what you should be doing. The survey is completely anonymous, so you are free to be 100% honest. The contest draw is independent of the survey so you can give us your anonymous feedback and still enter. You have until November 30, 2019 to complete the survey, we will do the draw that day. We look forward to hearing from you!
Tuesday morning was an exciting one for the security team. Over 900 inboxes received the following email.
I am delighted to report that a huge number of you were superheroes and forwarded the email to firstname.lastname@example.org. Thanks to you we were able to block the target page and limit any damage. Even though so many of you spotted the email as a phish right away, with the high number of recipients Marketing and Communications made the unusual decision to issue a campus wide alert.
While we were investigating the incident, we discovered that the attacker spent a lot of time viewing our Payroll webpage. There is an excellent chance that the attacker will use this information in the near future to create another phishing email.
We are asking everyone across campus to keep an eye out for payroll or HR related phishing emails in the next little while. If you receive an email that appears to come from HR or Payroll, please check the sender's email address for accuracy, not just the display name. If it is correct, please call the sender, using a number from the campus directory rather than one given in the email, to confirm that they actually sent it.
Should you find the email to be malicious, do what your colleagues did this morning and forward the email to email@example.com. You too can be a superhero!
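Several of the posts above ask you to check the sender's address before acting on an email. The following is an added example, not code from the original posts or from IT Services, showing the same checks done programmatically on a raw message: does the From address really belong to mtroyal.ca (the domain is from the page), does the display name claim a domain the address does not match, does the From domain imitate the real one with look-alike characters, and do Reply-To or Return-Path point somewhere else. The sample messages are constructed for the example; the look-alike substitution table is a small illustrative set, not an exhaustive one.

```python
"""Sender-address checks for the 'verify the sender' step.

Added example (not part of the original MRU posts).  The trusted domain
comes from the page; the sample messages below are constructed.
"""
from email.parser import Parser
from email.utils import parseaddr

TRUSTED_DOMAIN = "mtroyal.ca"

# Common digit-for-letter swaps used in look-alike domains (illustrative set).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, '' if none."""
    return addr.rpartition("@")[2].strip().lower() if "@" in addr else ""


def _is_trusted(domain: str, trusted: str) -> bool:
    """Exact match or a subdomain of the trusted domain."""
    return domain == trusted or domain.endswith("." + trusted)


def _looks_like(domain: str, trusted: str) -> bool:
    """True when an untrusted domain is built to resemble the trusted one."""
    norm = domain.translate(_HOMOGLYPHS).replace("rn", "m")
    return trusted.split(".")[0] in norm


def check_sender(raw_message: str, trusted: str = TRUSTED_DOMAIN) -> list[str]:
    """Return a list of red flags found in the message headers (empty = none)."""
    msg = Parser().parsestr(raw_message)
    findings: list[str] = []

    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    if not from_dom:
        return ["From header has no usable address"]

    if not _is_trusted(from_dom, trusted):
        findings.append(f"From domain {from_dom!r} is outside {trusted!r}")
        if _looks_like(from_dom, trusted):
            findings.append(f"From domain {from_dom!r} imitates {trusted!r}")
        if trusted in name.lower():
            findings.append(
                f"display name mentions {trusted!r} but the address is elsewhere"
            )

    # Replies and bounces going to a different domain than the visible sender
    # are a classic sign the From header is borrowed.
    for header in ("Reply-To", "Return-Path"):
        _, other = parseaddr(msg.get(header, ""))
        other_dom = _domain(other)
        if other_dom and other_dom != from_dom:
            findings.append(
                f"{header} domain {other_dom!r} differs from From domain {from_dom!r}"
            )
    return findings


# Constructed sample messages for the example.
SAMPLES = {
    "legitimate": (
        "From: HR Payroll <payroll@mtroyal.ca>\n"
        "Subject: Pay period schedule\n\n"
        "The updated schedule is attached.\n"
    ),
    "lookalike": (
        'From: "Mount Royal Payroll mtroyal.ca" <payroll@mtroya1.ca>\n'
        "Reply-To: <verify@mail-notice.example>\n"
        "Subject: Action required: direct deposit change\n\n"
        "Confirm your banking details within 24 hours.\n"
    ),
    "colleague_freemail": (
        "From: Jane Doe <jane.doe.mru@example.com>\n"
        "Subject: quarantined, need a favour\n\n"
        "Could you buy some gift cards for me? I'll pay you back.\n"
    ),
}


def triage(samples: dict[str, str] = SAMPLES) -> dict[str, list[str]]:
    """Run check_sender over every sample and collect the findings."""
    return {label: check_sender(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, flags in triage().items():
        print(f"{label}: {'clean' if not flags else ''}")
        for flag in flags:
            print(f"  - {flag}")
```

A clean result here does not prove an email is genuine (a compromised real mtroyal.ca mailbox passes every check), which is why the posts still ask you to phone the sender. The script only automates the part you can verify from the headers alone.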
This quarter our main message has been Keep your Password Secret. The reason is that sharing your password is against our Acceptable Use Policy (AUP) and puts you and our network at risk. The purpose of keeping your password secret is to prevent other people from having access to information and applications they shouldn't, as well as to provide accountability.
Much to my surprise, it has been discovered that employees are logging into applications, workstations and systems with their own credentials and then letting someone else use those same applications, workstations and systems. While they are indeed keeping their passwords secret, they are still violating our AUP and exposing themselves to the same risks as if they had handed over their password. The risk is not just the loss of data, but also being held accountable for something they did not do.
That is exactly what happened this week. A supervisor logged into an application using their credentials and then let their reports use the application. While one of the reports was using the system, they made changes to data they were not authorized to make. Because the supervisor’s credentials were used, they were questioned about the changes. The supervisor denies they made the changes, however there is no way to track who in fact made them.
I am also aware of similar situations occurring when guests are brought on campus. Some departments have been asking their administrative assistants to login to a workstation and then turn the workstation over to a guest speaker. This is also a violation of the AUP.
If you have a guest coming to speak on campus, they are required to bring their own laptop and then connect to the visitor WiFi, MRvisitor. If they do not have a laptop, they can borrow one from the library. At no point are visitors allowed to have access to our internal WiFi, MRsecure, our workstations or computers stored in smart cabinets.
Repeatedly sharing passwords or logging in and letting others use workstations or applications will result in your account being locked down. If you have any questions regarding the sharing of passwords or credentials, please refer to our AUP or contact the IT Service Desk at 403-440-6000.
Mount Royal employees are receiving fraudulent calls from individuals pretending to be from the Canadian government. The caller explains there is an issue with your SIN and that as a result you are subject to legal action. You are asked to contact them immediately. Upon contacting them, you are told you must pay thousands in bitcoin to avoid being charged with fraud. This scam is similar to one currently making the rounds in Regina.
What makes this scam so concerning is the fraudsters are spoofing government agencies so the call looks like it is official. As well they are often robocalls which makes them sound even more legitimate. In response, the Canadian Anti-Fraud Centre has issued an alert asking people to be vigilant.
No Government of Canada agency will call you over the phone and threaten you or ask for payment. Neither will the RCMP or police. If you receive a call of this nature, hang up the phone. If you are concerned there may be an issue with your SIN, you can contact the government directly by visiting their website. You can also check with Equifax and TransUnion to see if your SIN has been used to obtain additional credit without your knowledge.