Information security is a daily concern in today’s work environment. Bad actors continually attempt to access sensitive data and systems by impersonating real employees within an organization. Some of you may have received emails asking you to contact a senior staff member or to purchase gift cards, and some VCCS agencies have seen emails requesting unauthorized changes to payroll direct deposit accounts.
On September 12th, the Information Security Shared Services (ISSS) team (Natalie Talbott and Brenda Bowling) launched the first of an ongoing series of internal phishing campaigns. Phishing emails are an increasingly common way for attackers to gain a foothold in a network and steal sensitive data. The goal of our internal campaigns is to teach employees at all levels the basic ways to identify a phishing email and to raise awareness of cyber-attacks.
How the Campaign was Conducted
An email was sent from a fake account (firstname.lastname@example.org) using the display name “Bobbie Sandle”. The message said that Dr. Sandel needed your assistance and asked you to click a link. There were several red flags in the email: the sender’s name was misspelled (the display name read “Sandle” while the message referred to “Sandel”), the From address was not a college address, and the content of the message made no sense.
- Some users would view the message as suspicious because of the fake address, not click the link, and report it to the Help Desk as phishing.
- Some users would trust the display name and click.
- Some users on mobile devices, where the mail client often does not show the sender’s actual address, would click without checking for suspicious details.
- Some users would click because it looked like there was more to read.
Kudos to all who questioned the legitimacy of the email or reported it to the Help Desk as phishing.
- The phish email was sent to 599 users. Some of you may never have seen it because the junk mail filter caught it first.
- Many users called or emailed the Help Desk asking for guidance or reporting the email as a phishing attempt.
- 7 users clicked on the link:
  - 6 clicked from a desktop.
  - 1 clicked from an Android mobile device.
Guidelines for Handling Suspicious Email
- If you receive a junk or phishing email in your Inbox, contact the VWCC Help Desk for verification before clicking anything.
- Check the address: is the sender’s actual email address (not just the displayed name) familiar to you, and does it belong to the organization?
- Check the sender (From): do you know that person, and is the name spelled correctly?
- Check the content: does it make sense to you? Does it sound like something that person would write?
- Check the grammar in the email for obvious mistakes and misspellings.
- Hover over the link BEFORE you click: does the destination shown match the text of the link and the sender’s organization?
- If in doubt, DON’T (click, enter credentials, etc.).
- Check the emails you send to make sure they don’t LOOK like spam (for example, a bare “click here” link with no explanation).
Cyber threats and phishing attempts are becoming more sophisticated over time, but a commonly cited figure is that 95% of all breaches involve human error. Not clicking links in suspicious emails, and deleting them or reporting them as phishing immediately, goes a long way toward keeping VCCS data safe from these threats!
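The checks in this list (address, sender name, content, and the link behind “click here”) can also be applied mechanically to a message, which is useful when triaging reports that reach the Help Desk. The following Python script is an added example and is not something the ISSS team published or used in the campaign. It parses a constructed message modelled on the test phish described above (lookalike display name, external From address, a body that names the real person, links whose text hides the real destination) and reports each red flag. The organization domain, the staff directory, both sample messages and the 0.8 name-similarity threshold are assumptions made for this example; grammar and tone are left to the human reader.

```python
"""Programmatic version of the suspicious-email checklist (added example, stdlib only)."""
import difflib
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: the organization's mail domain and a tiny
# staff directory mapping genuine display names to genuine addresses.
ORG_DOMAIN = "example.edu"
STAFF = {"Bobbie Sandel": "bobbie.sandel@example.edu"}

# Constructed sample modelled on the campaign phish. Names and hosts are invented;
# the From address is the placeholder shown in the write-up.
SAMPLE_PHISH = """\
From: Bobbie Sandle <firstname.lastname@example.org>
To: staff@example.edu
Subject: Need your assistance
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dr. Sandel needs your assistance. <a href="http://login-example-edu.invalid/reset">Click here</a>
or go to <a href="http://login-example-edu.invalid/reset">https://example.edu/portal</a>.</p>
</body></html>
"""

# Constructed control: a genuine message from the same person.
SAMPLE_LEGIT = """\
From: Bobbie Sandel <bobbie.sandel@example.edu>
To: staff@example.edu
Subject: Committee agenda
Content-Type: text/html; charset=utf-8

<html><body><p>Agenda posted at <a href="https://example.edu/agenda">https://example.edu/agenda</a>.</p></body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs: the programmatic form of 'hover before you click'."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _in_org(host, org_domain):
    return host == org_domain or host.endswith("." + org_domain)


def check_email(raw, org_domain=ORG_DOMAIN, staff=STAFF):
    """Return a list of (flag, detail) pairs, one per red flag from the checklist."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    sender = msg["From"].addresses[0]
    display_name, addr = sender.display_name, sender.addr_spec

    # Check the address: the From domain should be the organization's own.
    if not _in_org(addr.rpartition("@")[2].lower(), org_domain):
        flags.append(("external-domain", f"From address {addr} is outside {org_domain}"))

    # Check the sender: an exact staff name with the wrong address is spoofing;
    # a near miss ("Sandle" for "Sandel") is a lookalike. Threshold 0.8 is arbitrary.
    if display_name in staff:
        if addr.lower() != staff[display_name].lower():
            flags.append(("spoofed-name", f"{display_name} normally writes from {staff[display_name]}"))
    else:
        near = difflib.get_close_matches(display_name, list(staff), n=1, cutoff=0.8)
        if near:
            flags.append(("lookalike-name", f"'{display_name}' resembles staff member '{near[0]}'"))

    # Check the content: the body names a staff member other than the claimed sender.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    plain = re.sub(r"<[^>]+>", " ", html)
    for name in staff:
        surname = name.split()[-1]
        if name != display_name and re.search(rf"\b{re.escape(surname)}\b", plain):
            flags.append(("name-mismatch", f"body refers to {surname} but From says '{display_name}'"))

    # Hover before you click: compare each link's visible text with its real target host.
    parser = _LinkExtractor()
    parser.feed(html)
    for text, href in parser.links:
        target = (urlparse(href).hostname or "").lower()
        if target and not _in_org(target, org_domain):
            flags.append(("external-link", f"'{text}' points to {target}"))
        shown = re.match(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", text, re.I)
        if shown and shown.group(1).lower() != target:
            flags.append(("link-text-mismatch", f"text shows {shown.group(1)} but target is {target}"))
    return flags


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_email(sample) or "no red flags")
```

Run against the constructed phish, the script reports the external sender domain, the lookalike display name, the “Sandel” versus “Sandle” mismatch between body and header, and both links pointing off-domain (the second also shows one host in its text while pointing at another); the control message produces no flags. None of these checks replaces the human judgement the list asks for, but they catch the mechanical red flags before a reader has to.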