Cybersecurity Blog

SIN number scammers calling MRU employees – 10/25/19

 

Mount Royal employees are receiving fraudulent calls from individuals pretending to be from the Canadian government. The caller explains that there is an issue with your SIN (Social Insurance Number) and that, as a result, you are subject to legal action. You are asked to contact them immediately. When you do, you are told you must pay thousands of dollars in bitcoin to avoid being charged with fraud. This scam is similar to one currently making the rounds in Regina.

What makes this scam so concerning is that the fraudsters are spoofing the caller ID of government agencies, so the call looks official on call display. As well, the calls are often robocalls, which makes them sound even more legitimate. In response, the Canadian Anti-Fraud Centre has issued an alert asking people to be vigilant.

No Government of Canada agency, and neither the RCMP nor the police, will phone you, threaten you with arrest or legal action, and demand payment, let alone payment in bitcoin. If you receive a call of this nature, hang up. If you are concerned there may be an issue with your SIN, contact the government directly through its official website, not through a number or link the caller gives you. You can also check with Equifax and TransUnion to see whether your SIN has been used to obtain credit without your knowledge.

 

New phishing email tactic, the found student pass – 10/17/19

Those clever cybercriminals have come up with another tactic to get you to click on something you shouldn’t. Introducing the “I found an ID pass” phishing email.

 

 

What makes this email so diabolical is that it has no sense of urgency. In fact it asks nothing of you at all. It simply lets you know that a pass was found and is being mailed. Its calm, indifferent manner lulls you into thinking the email is harmless. It counts on the reader being so curious that they throw caution to the wind and click on the link to see whose ID was found. Quite ingenious really.

If you receive an email of this sort, delete it and wait for the mail to arrive.

 

MRU employee checks for email legitimacy and talks to the hacker – 10/17/19

One sure-fire way to avoid becoming a victim of a cyberattack is to call the email sender to verify that they did in fact send the email. That is a message I preach over and over again all over campus. I am happy to report that my message is being heard and acted upon…sort of.

Here is the email that one of our staff received in their inbox.

 

 

The staff member knows the sender and, aside from the poor grammar, the email is spot on. The attachment was indeed a SharePoint document, so she opened it. However, when she found nothing but a greeting and a link to another document, she paused. She knew that email addresses could be spoofed and realized she should confirm the legitimacy of the email. So she sent this email.

 

 

She correctly did not reply to the original email, but created a new one and sent it to an email address in her contact list. This is the reply that she received.

 

 

 

Before she could check the invoice, she received this email.

 

 

The sender’s email account had been hacked! It didn’t occur to our staff member that if someone else was using her colleague’s email account, it wouldn’t be her colleague who responded to a message sent to that same account. She gets an A for verifying the legitimacy of the email. But she gets an F for talking to the hacker.

The lesson has been learned. When confirming email legitimacy, use the darn phone.  A 30 second phone call can save you from a world of hurt.

 

The Cybersecurity Challenge begins October 1, 2019 – 09/26/19

 

 

Cybersecurity Awareness Month begins October 1 and with it the Cybersecurity Challenge. There are a variety of activities planned for the month that staff, students and faculty can participate in.  Each time a staff or faculty member participates in one, they earn a contest entry code. Each code earns them one chance to win a $250.00 gift certificate from Best Buy.  Their entry also counts as one point for their team. The team with the most points wins the Golden Superhero Award!

 

The Golden Superhero Award!!

 

Although students are welcome and encouraged to participate in cybersecurity activities, they cannot enter the draw. This year the challenge runs from October 1, 2019 to October 1, 2020. So you have a whole year to participate in activities and earn contest entry codes.  Earn codes by:

  • Reading the Cybersecurity Newsletter
    • Random newsletters will contain codes throughout the year. Read the newsletter weekly to find the codes.
  • Participating in a Main Street event
    • Come down to Main Street and participate in that month’s activities. Everyone who participates gets a code and a spin of the prize wheel.
  • Attending Lunch n Learns
    • Come see speakers present cybersecurity topics. Codes will be given at the end of each talk.
  • Attending a movie screening
    • Come down to the Ideas Lounge in the Library and watch fascinating documentaries on cybersecurity. Codes will be given at the end of the film.
  • Participating in Hack the Box
    • Put together a team or participate on your own. Your code is locked inside the box. Can you solve the puzzles and hack your way in?
  • Completing online Security Awareness Training or a Security Awareness Workshop
    • You get the same code whether you attend a workshop or take the online training.
  • Displaying a cybersecurity awareness sticker
    • Send me a photo of where you have put your cybersecurity sticker. Your photo will be put on the CSAM website and you will receive a code in return.
  • Reading the cybersecurity posters and slides
    • Scan the posters and TV screens across campus to see if you can find the codes. There is a new one every quarter.

On Tuesday, October 1, grab your colleagues, fire up your team and start collecting codes! Then, every Monday, check the Leaderboard and find out who is the team to beat. For more details on the Challenge, visit the Cybersecurity Hub.

 

Fake email from Tim Rahilly arriving in spam folders – 09/18/19

 

This week the campus community is finding a particularly clever phishing email in their spam folders. It looks like this:

 

 

This is the third time our illustrious leader has been impersonated. Although this email is mostly landing in spam folders, I thought I should bring it to your attention in case it sneaks into an inbox or two.

Your on-the-ball colleague caught this one because they checked the sender’s email address. This is a gentle reminder to follow their lead. With all emails that ask you to take some sort of action, whether it is opening an attachment, clicking on a link or providing information, always check the sending email address BEFORE you read the email. If the email address is wrong, it is less likely your emotions will be triggered and rational thought bypassed.

If this darling arrives in your spam folder or inbox, it can safely be deleted.

 

Clever Staples phishing email showing up in MRU inboxes – 09/05/19

Classes have begun and the hackers are betting that employees across campus will be ordering supplies. They have begun sending out fake order confirmations from Staples.  These emails are extremely well done.  Take a look.

 

 

I especially like the note at the bottom that specifically asks you to reply to the email.  Just in case you are suspicious, they have given you some lovely directions that will put you in touch with them.  Very clever.

The only real tell, unless you are super familiar with the email that Staples uses for order confirmations, is the URL behind the View here button, which takes you to chainetwork.club. Hover over the button (without clicking) to see the destination. Definitely not Staples.

As with all other emails that come from organizations that you are familiar with, visit their website directly to check orders, confirmations and payments. Do not use links in emails even if they look as legitimate as this one.

 

Basic IT Security Awareness 2019 training course coming down – 08/30/19

 

It’s that time of the year again. Time for the old cybersecurity training to go down and the new one to go up. If you haven’t completed Basic IT Security Awareness 2019, you still have a couple more days to finish it up. Tomorrow evening it will be disabled and the grades will be archived. Sunday, September 1 the new course Cybersecurity Awareness Training 2020 will go live. This new course has great new videos and some updated content.

You have until June 30, 2020 to complete the new training course. At that time the course will be taken down. Please put this date into your calendar.

If you take PCI training, you do not have to complete this new course. Your PCI training contains the same cybersecurity information as this one does.

I hope you enjoy the new training course. If you have any questions, comments or concerns please contact me at bpasteris@mtroyal.ca

MRU targeted by phone – 08/08/19

 

This week a rather irritating phone campaign has hit the campus. Phone solicitors are calling employees and asking them to confirm their role. If the employee does, the caller asks if they can send them some email. This particular campaign is more annoying than malicious. However, it provides a great opportunity to review phone safety.

With people becoming more tech savvy and cybersafety aware, it is becoming harder for criminals to score with a simple phishing email. To increase the odds that their potential victims will be tricked, they are turning more and more to pretexting. The phone is fast becoming their favourite tool.

Typically a target receives a phone call with the scammer pretending to be someone who is trusted or has a right to the information they are asking for.  They will often ask questions that seem innocent enough. However they are gathering information about you and the University that they can use against you later. Armed with enough information, they can create a phishing email that is almost impossible to identify as malicious.

If you receive a phone call from someone who is asking for information they should already have or that they shouldn’t know, politely ask them for the name of their organization and tell them you will contact them later. Then hang up and call that organization directly using a number that you have either used before or that comes from the organization’s official website, never a number the caller gives you. If you cannot reach the individual through the organization’s switchboard, treat the call as a scam.

 

 

No, your password is not going to expire – 08/01/19

The latest phishing email to hit MRU inboxes is a classic. Check it out.

A big thank you to everyone who reported this phish by forwarding it to abuse@mtroyal.ca. You are all superheroes! Should this bad boy arrive in your inbox, you can delete it as we are aware of it. However, if something new shows up, please do what your colleagues have done and forward it to abuse@mtroyal.ca. You too can be a superhero!

 

How to create emails that don’t look malicious – 07/26/19

 

Communicating with everyone on campus is challenging. A lot of work goes into what information should be included, making sure the email is as succinct as possible and making it easy for the readers to act on your request. Unfortunately, we often have these emails reported as phishing emails or they are deleted by readers.

So how do you create an email that makes it easy for the reader to act without making them think you are trying to steal their data? It is a delicate balancing act. Fortunately, there are some guidelines you can follow.

First, make sure that people can verify the legitimacy of the email, by including the name of a contact person at Mount Royal that can be found in the directory. That way if someone is not sure about an email, they can just call the contact person and confirm that the email is legitimate. This is especially important if the email is coming from a third party.

Second, if you are using a tool to track who clicks on what in the email, make sure the URL that appears when you hover over the links looks like a Mount Royal URL.  If you are not sure, contact the IT Service Desk and ask them for help. We can work with your tool vendor to make sure your links look legitimate.

Third, avoid including links if you can. Instead of using links, type out the Mount Royal URL or tell readers where on mtroyal.ca they can find the information. Stay away from URLs that look vague, are excessively long or do not send readers to a G Suite or mtroyal.ca webpage. Even better, include the relevant information in the email itself.

Fourth, do not use your personal email address for Mount Royal correspondence. Anything not coming from an official Mount Royal email address will be considered suspicious.

Next, if you are using a tool to send the email make sure that the sender’s email address appears as a legitimate Mount Royal address. If your tool does not allow you to do that, contact the IT Service Desk. We can work with most vendors to fix that.

Lastly, avoid including other phishing red flags in your email such as generic salutations, a sense of urgency, triggering emotions and asking people to do something against established procedures.

By following these simple guidelines you will greatly decrease the chances readers will report or trash your email instead of acting on it. If you are planning on sending out a campus wide email and you aren’t sure if it will get flagged as malicious or not, please contact the IT Service Desk and ask for help. We would be happy to preview the email and let you know if anything needs to be changed.
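The two checks this blog keeps coming back to, look at the sending address and look at where the links really go, can be automated. The script below is an added example and is not code from the blog or from MRU IT Services. It parses a raw email, compares the sender's domain and every link's destination domain against a set of domains the message is allowed to use, and reports anything outside that set. Run against the Staples-style phish described on 09/05/19 (the sample message, its sender address and order number are constructed for this example; chainetwork.club is the destination named in that post) it flags the sender and the View here link; run against a campus email it acts as a self-check for the guidelines above, assuming mtroyal.ca and google.com (for G Suite pages) are the permitted destinations. The domain extraction is deliberately crude (last two labels), which is fine for .com, .ca and .club but would need a public-suffix list for country-code second-level domains.

```python
"""Audit an email for two phishing tells: a sender outside the expected
domain, and links whose destination is not a domain the message may use.

Added example, not MRU's code. Sample messages below are constructed.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], " ".join(self._open[1].split())))
            self._open = None


def registered_domain(host):
    """Crude registrable-domain extraction: last two labels, so
    www.staples.com -> staples.com. Good enough for .com/.ca/.club;
    a production checker would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_message(raw, trusted_domains):
    """Return a list of findings (strings) for an RFC 5322 message string.

    trusted_domains: registrable domains the message may legitimately be
    sent from and link to, e.g. {"staples.com"} for an order confirmation
    or {"mtroyal.ca", "google.com"} for a campus-wide email (assumption).
    """
    trusted = {d.lower() for d in trusted_domains}
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. The sending address: check it BEFORE reading the message.
    sender = msg["From"]
    if sender is None or not sender.addresses:
        findings.append("no parseable From address")
    else:
        addr = sender.addresses[0]
        if registered_domain(addr.domain) not in trusted:
            findings.append(f"sender {addr.addr_spec} is outside {sorted(trusted)}")

    # 2. Every link: the URL behind the button, not the button's label.
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        url = urlparse(href)
        if url.scheme == "mailto":
            continue  # mail links are not a click-through destination
        if url.scheme not in ("http", "https") or not url.hostname:
            findings.append(f"link '{text}' has an unusable target: {href!r}")
            continue
        if registered_domain(url.hostname) not in trusted:
            findings.append(f"link '{text}' goes to {url.hostname}, not {sorted(trusted)}")
    return findings


# Constructed sample: a fake order confirmation in the style of the 09/05/19 phish.
SAMPLE_PHISH = """\
From: "Staples Order Confirmation" <orders@staples-notify.club>
To: employee@mtroyal.ca
Subject: Your Staples order #12345 has shipped
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Thank you for your order.</p>
<p><a href="http://chainetwork.club/track?id=12345">View here</a></p>
<p>Questions? Visit <a href="https://www.staples.com">staples.com</a></p>
<p>Please reply to this email if you did not place this order.</p>
</body></html>
"""

# Constructed sample: a campus email that follows the guidelines above.
SAMPLE_CAMPAIGN = """\
From: "IT Services" <itservices@mtroyal.ca>
To: all-staff@mtroyal.ca
Subject: Cybersecurity Awareness Training 2020 is now open
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear colleague,</p>
<p>The new course is available from <a href="https://www.mtroyal.ca/">mtroyal.ca</a>.
Questions? Call the IT Service Desk.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw, trusted in (("phish", SAMPLE_PHISH, {"staples.com"}),
                               ("campaign", SAMPLE_CAMPAIGN, {"mtroyal.ca", "google.com"})):
        print(name, audit_message(raw, trusted) or "no findings")
```

The phishing sample produces two findings (the sender domain and the View here link); the campus sample produces none. The script only judges domains, so a message that passes it can still be a phish sent from a compromised legitimate account, which is exactly why the 10/17/19 post says to confirm by phone.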

Happy emailing!!