When you think of the targets of cyber crime, educational institutions don’t always make the top of the list. In this 3-part webinar series, Tim Hohman and Bruce Ward explained why schools not only should, but NEED to start being proactive with their cyber security practices.
Part 2: The Grim Reality of Phishing
On October 24th, Tim and Bruce discussed three key things to consider about the relationship between cyber security and education, focusing specifically on the scourge of phishing attacks in education. Below we will define, identify, and outline risks associated with phishing attacks.
If you would like to learn about the anatomy of business email compromise, scroll to the bottom of this blog and watch the full-length recap!
What is a phishing email?
The FBI defines a phishing attack as this:
It is the act of sending an e-mail falsely claiming to be an established legitimate business in an attempt to deceive the unsuspecting recipient into divulging personal, sensitive information such as passwords, credit card numbers, and bank account information after directing the user to visit a specified website. The website, however, is not genuine and was set up only as an attempt to steal the user’s information.
Identifying a Phish-ey Email
In order to spot a phishing attempt, you can almost exclusively rely on your “gut feeling.” BUT cyber security best practices highly advise having a little more knowledge. When dissecting an email, there are six things to look out for:
- Domain Spoofing – ALWAYS check the domain. There are a few sneaky tricks that hackers use to alter the domain to look like a trusted source. Many of these tricks include adding an extra “i” or using an “r” and an “n” to look like an “m”.
- Urgency – Another telltale sign is an email that creates an unrealistic sense of urgency; it is likely a phishing email. Key phrases to look for are: “Act Now” or “Action Required.”
- Promise of an attractive offer – Have you ever received an email with an “exclusive offer” inside? Most of the time those are annoying promotional emails from those brands you love so much. But what about those “Click to Claim Your Reward!” emails? THOSE are definitely examples of phishing emails.
- Request for confidential information – Another sign of a phishing email is a message that looks like a superior officer or HR is looking to collect information. Most people don’t think twice about it and hand their private information to the hacker on a silver platter.
- Unexpected – Similar to Urgency, the most common form we see is the impersonation of CEOs, Superintendents, or any high-ranking professionals. They send emails to their victims asking for payments in the form of gift cards or important documentation. The victim stops and thinks “oh this is weird, but it’s from my boss so I won’t question it” and sends it over. BOOM, another scam completed.
- Suspicious Attachments – OK, so you got an email and you checked areas 1-5 and it seems legitimate. You have one final caveat: attachments. You get an email from your co-worker who has been working on a project and wants your feedback. Attached to this email is a PDF of the project. Obviously, you want to help, so you click. Well, now you have opened the gateway for hackers to get into your network. How? Embedded in these attachments is malware and ransomware code. Check out the recap from our October 17th webinar, “The Ransomware Curse,” to learn more.
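To make the first two checks concrete, here is an added example (not from the webinar or the original post) that flags a sender domain imitating a trusted one through the “rn”-for-“m” swap or one extra letter, and spots the urgency phrases quoted above. The trusted domains, sample addresses, and function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample values: replace with your school's real sending domains.
TRUSTED_DOMAINS = ("exampleschool.org", "example-district.org")
URGENCY_PHRASES = ("act now", "action required")  # phrases named in the article


def sender_domain(from_header):
    """Extract the lower-cased domain from a From: header value."""
    address = parseaddr(from_header)[1]
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def skeleton(domain):
    """Collapse the 'rn' pair that renders like 'm' so both spellings compare equal."""
    return domain.replace("rn", "m")


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def imitated_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` closely imitates, or None."""
    if domain in trusted:
        return None  # an exact match is the real domain, not a lookalike
    for good in trusted:
        if edit_distance(skeleton(domain), skeleton(good)) <= 1:
            return good
    return None


def triage(from_header, subject):
    """Return a list of human-readable warnings for one message."""
    warnings = []
    domain = sender_domain(from_header)
    good = imitated_domain(domain)
    if good:
        warnings.append(f"sender domain {domain} imitates {good}")
    hits = [p for p in URGENCY_PHRASES if p in subject.lower()]
    if hits:
        warnings.append("urgency wording: " + ", ".join(hits))
    return warnings
```

A warning from `triage` is a prompt to look closer, not a verdict: legitimate mail can be urgent, and a clean result says nothing about the other four checks.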
Risks: What’s hanging in the balance?
There are four main risks associated with a phishing breach: Individual Records, Compromised Credentials, Data Loss, and Ransomware. Here are examples of each as they relate to cyber security and education:
- Individual Records – When faced with the potential of falling for a phishing scam, you risk your personal data, such as credit card information, bank information, social security number, medical records, etc. In schools, this can be student, faculty, and staff personal information.
- Compromised Credentials – Once hackers get a hold of your credentials, it leaves your whole school open for threats. Hackers can use your information to impersonate you to gather other sensitive information such as student data (see 2. “Urgency” or 5. “Unexpected” above).
- Data Loss – Hackers are looking for one of two things: data or money. Data loss is more likely the initial repercussion of a phishing attack. When breached, it’s easiest for hackers to lock up documents and files before you know they have infiltrated your system. When targeting education institutions, hackers are usually looking for banking information, a high-ranking professional’s credentials, or even medical records.
- Ransomware – Piggy-backing off of data loss is ransomware. Usually going hand-in-hand, once the data is locked up, ransomware kicks in and asks for that money honey. Ransomware can be downloaded via attachments or links. Ransomware can and will prevent classroom activity and disrupt pay. Make sure you have a plan!
Learn HOW to prevent an attack by watching the full-length webinar below!
Tune in next week where we’ll equip you with the knowledge to build your own action plan. Register here!