With the Phish Bowl up and running I don’t do many posts about phishing emails any more. However one showed up on campus this week that provides such a great teaching opportunity, that I had to write about it.
Here is the offender:
To make things even more confusing, the email links to a legitimate Google Form. Clicking on the Fill Out Form button, does indeed take you to a Google form. Nothing malicious is loaded onto your machine and the form looks like a completely legitimate evaluation form, with one exception. It asks for your Microsoft ID and password.
Any time any form asks you for a password, no matter how legitimate it looks, exit the form immediately. If you do enter your credentials and then realize that you shouldn’t , change them immediately.
IT Services is proud to announce the launch of a new reporting process for phishing emails. If you are an employee, you will be able to use our new PhishAlarm button. If you are not, you can forward emails to firstname.lastname@example.org, our new email address for everything cybersecurity related.
Reporting a malicious email as an employee
If you have taken a look at your Gmail side panel, you may have noticed this .
If you don’t see your side panel, click the arrow in the bottom right hand of your screen.
Previously if you found an email that you thought was dangerous to your colleagues or you weren’t sure if it was legitimate, you had to click the Forward button and then type in email@example.com in the To field. Now we have a handy button.
To report a malicious email using the PhishAlarm button
- Open the email
- Click the PhishAlarm button in the side panel.
- Click Report Phish. A confirmation pane appears.
- Click the X to close the confirmation pane.
Not only is the PhishAlarm button super easy to use, it sends the cybersecurity team more information about the email making it easier to investigate. It’s a win for everyone!
While we won’t be ignoring emails sent to firstname.lastname@example.org, we are encouraging employees with phishing email concerns to use the PhishAlarm button. If you click the button and see a popup displaying something that looks like this:
You are not registered as an authorized user. If you are an employee, completing a registration form will rectify the problem. If you are not, you are unable to use the PhishAlarm button and will have to forward suspicious emails the old fashioned way.
Reporting a malicious email if you are not an employee
Unfortunately, we are unable to offer the functionality of the PhishAlarm button to those who aren’t employees. You will still see the PhishAlarm button, but if you try to use it you will get an unauthorized user notification.
The good news is, we have created a new email for reporting cybersecurity incidents, email@example.com. This new email will make it easier for the cybersecurity team to identify which reported emails are a priority and to respond quickly. While we won’t be ignoring emails sent to firstname.lastname@example.org, we are encouraging people to use email@example.com going forward.
With everyone working from home, our popular sticker program no longer worked. However, we have come up with a terrific replacement…digital stickers!
Just like before you can earn the stickers by reporting phishing emails. However you can also download them from the MRU Cybersecurity Hub. Instead of putting them on your electronic devices, we are asking people to add them to the end of their email signatures. Everytime you send out an email, the recipient will get a nice reminder of how to stay cybersafe.
As before, you can still earn contest entry codes for the Cybersecurity Challenge. However instead of sending me a picture of your sticker, just send me an email requesting a code with the sticker in the signature.
Every quarter there will be a new sticker and a new code! Happy collecting!!
Criminals are sending phishing emails that look surprisingly legitimate. They appear to come from apparently trustworthy senders, like “cisco@webex[.]com” and “meetings@webex[.]com.” They emails urge recipients to take an immediate action in order to fix a security vulnerability in their WebEx software. The emails look like this:
If you click on the Join button, it will take you to a page that asks for your login credentials. Of course the login page belongs to the criminals and will only steal your credentials.
If you receive an email asking you to update software, do not click the links in the email. Instead, start up the software and check for updates by selecting Help from its menu and selecting About. You can also visit the official website for the software and load updates from there.
If you haven’t completed your cybersecurity or PCI awareness training for 2020 yet, you might want to do that before the end of the month. We have a new training tool that we will be introducing July 1. As a result we will be losing access to our current training videos and interactive pre-tests on April 30.
To tide us over until the new tool is rolled out, on April 29 I will be uploading new videos with quizzes. However, you will not have the ability to test out of the video and it will take longer to complete the training. I apologize for the inconvenience, however you can look forward to more targeted training once the new tool is rolled out.
The good news is, you still have a few days to complete the current version of the training. If you have any questions , please feel free to contact me at firstname.lastname@example.org.
04/27/20 update: There has been some confusion around the security awareness training completion date. The deadline has not changed, you still have until June 30 to complete your mandatory training. The only difference is if you complete it before April 30, it will be easier.
We have been notified that cybercriminals have registered and are using the domain www.mroyalu.ca as well as several other look-a-like domains. They are attempting to fool people into visiting their malicious websites.
While working from home, it is very important that you double check all links that you receive in emails and the sender’s email address.
If the link does not have mtroyal.ca, mru.ca, mrucougars.com or mymru.ca before the first single / in the URL, it is malicious.
Examples of legitimate URLs are:
Examples of fraudulent URLs are:
Please do not let curiosity get the better of you, and attempt to visit any of these fraudulent websites. They will harm your machine and/or steal your data.
If the sender’s email address ends in anything other than @mtroyal.ca, then it is malicious.
Examples of legitimate email addresses are:
Examples of fraudulent email addresses are:
Please be extra cautious at this time.
Although Google Meet is a more secure platform than Zoom. It isn’t immune to meeting bombers. This week, an MRU employee had a rather disturbing and unfortunate experience with one of their Google meetings.
As the meeting organizer, they followed a registration process that had been established for their department’s meetings to ensure that all attendees were legitimate. However as this is a new platform and there are special circumstances that arise, they knew that there would be individuals signing in who would not be on the registration list. So when they received a request to join the meeting they were not concerned. That is until they attempted to verify the attendees identity and were rewarded with profanity.
The organizer of the meeting removed the trolling attendee. However there were several other attempts by this same individual to join the meeting again. In their brief time as an attendee, they had a grabbed a list of other attendees. They then impersonated one of them and repeatedly asked to join. The poor organizer had to keep asking the impersonated attendees if they were attempting to join using another email address. The whole incident was very disruptive. The organizer handled things very well but wanted to know how to prevent this from happening in the future.
There are a few things that you can do. First if you are using nicknames for your meeting, avoid using common meeting names. Team meeting, department meeting and math class are examples of nicknames to avoid. This prevents trolls from finding your meeting simply by entering nicknames that are commonly used. Second, if at all possible don’t post meeting links in a public location. Try to limit it to meeting invites if you can. Third, simply deny join requests. Join requests are only required if the attendee isn’t using a Mount Royal email account. Let your attendees know that they must use their Mount Royal email address to join your Google meetings and you will avoid this problem all together.
If however you are meeting with people outside of the Mount Royal community, then you will have to rely on the other two measures to keep trolls from bombing your meeting. If you are having meetings of this nature regularly, contact the IT Service Desk to see if another video conferencing solution is available for you to use.
With everyone working from home, video conferencing has gone from being a novelty to being a necessity. Many of you are working virtually for the first time. With new experiences come new challenges. Mistakes are being made, that is to be expected.
To help you make your video conferencing experience as safe as possible, I have found these terrific tips from SANS on how to keep your data safe and prevent accidental expose of sensitive information. With a little knowledge, you can become a video conferencing security expert. As always, feel free to share this information with your family, friends and colleagues.
Have you every opened an email and seen this?
This big yellow banner is a warning that Google has identified the email as coming from outside the Mount Royal network even though it has a Mount Royal email address. This happens when someone on campus is using a cloud based tool to send out communication emails or when someone is pretending to be a Mount Royal student or employee.
We whitelist the cloud based tools used on campus to avoid getting this error on legitimate emails. However, the developers of these tools like to change things once in a while without notice. If we aren’t able to adjust the whitelist in time, this banner will show up even if it isn’t malicious.
What do you do if this warning shows up on in email? Stop and take a closer look at the email. If you have seen the exact notification or newsletter before, then it is probably a whitelisting issue. If it is from a person, then it is probably malicious. Not sure, click the PhishAlarm button or forward it to email@example.com.
Every once in a while I get affirmation that all that I do to try and keep all of you safe is working. This was one of those weeks. I would like to take a moment to toot the horn of Credit Registration.
They receive hundreds of emails from students and prospective students every week. The majority of the time they have no idea who they are talking to. To reduce the chances they will be cyberattack victims, they have put procedures into place that somewhat verify the sender’s identity. It isn’t fool proof, but it is a good balance between practicality and security. What is truly wonderful is their staff follow their procedures.
This week those procedures were tested and they passed. Congratulations Credit Registration!