VWCC PhishTrain Summary Report

Information security is a daily concern in today’s work environment.  Bad actors/hackers are continually attempting to access sensitive data and systems by impersonating “real employees” within an organization.   Some of you may have received emails asking you to contact a senior staff member or purchase gift cards, and some VCCS agencies have seen emails requesting unauthorized changes to payroll direct deposit accounts.

On September 12th, the Information Security Shared Services (ISSS) team (Natalie Talbott & Brenda Bowling) launched the first of what will become on-going Phishing Campaigns.  The use of phishing emails to infiltrate networks and steal sensitive data is increasing at an alarming rate. The goal of our internal campaigns is to educate employees at all levels on basic ways to identify phishing emails and raise awareness of cyber-attacks.

How the Campaign was Conducted

An email was sent from a false account (rsandel@vwcc.edu) using the sender name Bobbie Sandle.  The message indicated Dr. Sandel needed your assistance and asked you to click here.  There were several red flags in the email, including the misspelling of the sender’s name, the incorrect email address, and message contents that made no sense.

Expected Results

  • Some users would view this message as suspicious and not click the link because of the false account, and report it to the Help Desk as phishing.
  • Some users would trust the sender’s name and click.
  • Some users on mobile devices, where the From email address often cannot be viewed, would click without checking for suspicious information.
  • Some users would click because it looked like there was more to read.

Kudos to all who questioned the legitimacy of the email or reported it as phishing by the method above.

  • The phish email was sent to 599 users.  Note that some of you may have never seen it, as our Junk Mail filter may have already caught it.
  • Quite a lot of users called or emailed the Help Desk asking for guidance and/or reporting the emails as phishing attempts.
  • 7 users clicked on the link.
  • 6 users clicked from the desktop.
  • 1 user clicked from an Android mobile device.

Guidelines for Handling Suspicious Email

  • If you receive a junk or phishing email in your Inbox, you should contact the VWCC Help Desk for verification before clicking.
  • Check the address – is it familiar to you?
  • Check the sender (From).  Do you know that person?
  • Check the content – does it make sense to you? Does it sound like something the person would write?
  • Check the grammar in the email for obvious mistakes and misspellings.
  • Hover over the link BEFORE you click – is it real?
  • If in doubt – DON’T (click, enter credentials, etc.)
  • Check the emails you send to make sure they don’t LOOK like spam.

While cyber threats and phishing attempts are becoming more sophisticated over time, please keep in mind that 95% of all cyber breaches involve human error. Thus, not clicking on email links, and immediately deleting these emails or reporting them as phishing, will go a long way in keeping the VCCS’s data safe from these types of threats!

If you have any questions, please contact Natalie (ntalbott@vccs.edu), Brenda (bbowling@vccs.edu) or Shivaji Samanta (ssamanta@virginiawestern.edu)!

Password Security & Tips

VWCC faculty, staff, and administrators have both VWCC and VCCS (MyVWCC) accounts to access a variety of systems. You are responsible for your VWCC and VCCS accounts and anything that happens with your account. Make sure your passwords are secure, so your accounts cannot be used for nefarious purposes.

Once you have established a secure password, keep your password secret. Do not share your password with others. Do not write down your password and keep it near the computer.

Password Tips

  • Always immediately change default passwords.
  • Do not use simple, obvious, or predictable passwords.
  • Include at least one number, preferably not at the end.
  • Use a varying combination of upper- and lowercase letters.
  • Do not use spaces.
  • Do not use names or nicknames of people, pets, places, or personal information that can easily be found out, such as your address, birthday, or hobbies.
  • Create passwords that are easy to remember but hard to guess.
  • Do not write your passwords down or post them to your computer monitor.
  • Never share your passwords with others.
  • Change your passwords regularly.

VWCC Password Requirements

VWCC passwords must be changed every 90 days. You will receive a reminder in your email, and when you log on to your computer.

Passwords:

  • Must not contain all or part of the user’s account username.
  • Must be at least 8 characters in length.
  • Must contain characters from 3 of the following 4 categories:
    • English uppercase characters (A through Z).
    • English lowercase characters (a through z).
    • Base 10 digits (0 through 9).
    • Non-alphanumeric characters (e.g. ` ~ ! @ # $ % & ^ * ( ) _ + { } [ ] - \ / ? : ,).
  • Should not be real words, family names, or place names.

VCCS (MyVWCC) Password Requirements

VCCS passwords must be changed on a regular basis. You will be notified upon login when your password has expired.

Passwords:

  • Must not contain all or part of the user’s account username.
  • Must be at least 8 characters in length but not more than 32.
  • Must contain at least one English uppercase letter (A through Z).
  • Must contain at least one English lowercase letter (a through z).
  • Must contain at least one number (0-9).
  • Must contain at least one special character (e.g. ` ~ ! @ # $ % & ^ * ( ) _ + { } [ ] - \ / ? : ,).
  • Should not contain family names or place names.
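The two requirement lists above (VWCC: at least 8 characters and 3 of 4 character categories; VCCS: 8 to 32 characters with at least one character from every category, and neither may contain part of the username) can be turned into a small checker so that a password can be tested against both policies before it is set. The code below is an added example and is not college or VCCS code; the function names are mine, the special-character set is transcribed from the lists above (with a plain hyphen standing in for the dash), and the rule that "part of the username" means any three consecutive username characters is an assumption. The "should not be real words or names" rules are advisory and are not checked.

```python
"""Check a candidate password against the VWCC and VCCS (MyVWCC) rules listed above.

Added example, not VWCC/VCCS code. Rule texts are taken from the requirement
lists; the 3-character "part of the username" threshold is an assumption.
"""
import string

UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
# Special characters exactly as listed in the requirements (hyphen for the dash).
SPECIAL = set("`~!@#$%&^*()_+{}[]-\\/?:,")


def _contains_username_part(password, username, min_part=3):
    """True if the whole username, or any run of `min_part` consecutive
    username characters, appears in the password (case-insensitive).
    The 3-character run length is an assumption, not from the policy text."""
    pw, user = password.lower(), username.lower()
    if not user:
        return False
    if len(user) <= min_part:
        return user in pw
    return any(user[i:i + min_part] in pw for i in range(len(user) - min_part + 1))


def _categories(password):
    """Return the set of character categories present in the password.
    Characters outside all four sets (e.g. spaces) count toward no category."""
    present = set()
    for ch in password:
        if ch in UPPER:
            present.add("uppercase")
        elif ch in LOWER:
            present.add("lowercase")
        elif ch in DIGITS:
            present.add("digit")
        elif ch in SPECIAL:
            present.add("special")
    return present


def check_vwcc(password, username):
    """Return the list of violated VWCC rules; an empty list means compliant."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if _contains_username_part(password, username):
        problems.append("contains part of the username")
    cats = _categories(password)
    if len(cats) < 3:
        problems.append(f"only {len(cats)} of 4 character categories (need 3)")
    return problems


def check_vccs(password, username):
    """Return the list of violated VCCS (MyVWCC) rules; empty list means compliant."""
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("length must be 8 to 32 characters")
    if _contains_username_part(password, username):
        problems.append("contains part of the username")
    cats = _categories(password)
    for name in ("uppercase", "lowercase", "digit", "special"):
        if name not in cats:
            problems.append(f"missing {name} character")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the username is a placeholder, not a real account.
    for pw in ("Tr0ub4dor", "jdoe2024!", "password", "Pa$$w0rd"):
        print(f"{pw!r}: VWCC {check_vwcc(pw, 'jdoe') or 'OK'} | "
              f"VCCS {check_vccs(pw, 'jdoe') or 'OK'}")
```

Note that a password can satisfy the VWCC rules and still fail the VCCS rules (for example, one with no special character), so a single password chosen for both accounts has to meet the stricter per-category VCCS list plus the 32-character cap.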

Security Awareness and FERPA Education

The state of Virginia requires that all employees participate in IT security awareness training every year. Virginia Western has partnered with VCCS Information Security Shared Services (ISSS) to provide a consistent security management and reporting framework at the college.

Are you aware the majority of security breaches occur because of human error? Security awareness education arms you with habits and knowledge that will keep our students, our organization, and us safe. Learn how to recognize and respond to a phishing email, avoid downloading malicious code from the Web, keep your social media posts secure, and more.

Virginia Western is using the KnowBe4 Security Awareness Training application for all full-time and adjunct faculty, full-time staff, and administrators. The training is completed online and a certificate of completion is awarded when all videos/courses have been successfully completed. Trainings on FERPA and PCI (if applicable) are also required.

This training is required annually. You will receive an email when your training is due, and will have 30 days to complete it. That email will also contain login instructions.

Any questions? Contact Security Awareness Education Help at SAEHelp@vccs.edu.