Fall Security Update: October, Cybersecurity Awareness, and Phishing

with David McMorries, OSU’s Chief Information Security Officer

As I’m writing this, the rain is back — yay! October in Oregon should have some moisture in it; it has felt like a very long August at times! October is also Cybersecurity Awareness month; a month set aside by Presidential Proclamation which reflects on how serious cyber threats have become over time. October is a great time to consider what we can do to protect the OSU community and, of course, our personal lives from cyber threats. Easy things to do are to make sure we update and patch our computers and mobile devices, use multifactor authentication at home and at work, and be aware of cyber scams and attacks such as phishing attacks.

Make no mistake — phishes are attacks and are a crime. The OSU community is targeted by thousands of these attacks every week, and some people fall victim to them. Here is an example phish that we recently saw on campus, targeting students:

“A student was recently caught in a phishing scam where she received an email seemingly from a professor asking her if she wanted to participate in a research project. She was asked to purchase some gift cards and was told she would be reimbursed. Over the course of a couple of weeks, the student contributed $3,000 to the scam, believing it was for a research project.”

Students are targeted particularly with employment scams. No OSU faculty member will EVER send out unsolicited job offers to students. No OSU employee will EVER ask a student to buy gift cards or send a check directly to a student. These are scams and the criminals behind them are trying to swindle students out of hard-earned money.

So what to do? Read every e-mail critically. Are there signs that caution should be exercised? If an email seems to be from someone at OSU, is the email an oregonstate.edu address or something from gmail.com? Does the email have the external site warning? Is the email attempting to make you move quickly or make it seem like there is something available only for a short time? If you hover over links (do not click!), do you see email addresses or links that do not seem right? If you see one or more of these signs, it is likely a phish.

You can report phishing to the Office of Information Security using the “report a message” feature in Outlook, Outlook Web Access, and Outlook Mobile App, or you can forward a suspicious email to phishing@oregonstate.edu. If you fall victim to a cyber criminal and have lost money, you should contact law enforcement and file a report. If you want to learn more, Marjorie McLagan gives a thorough and comprehensive presentation on what to look out for in phishes.

Learn more! Here is a list of six common phishing attacks and the keys to spotting them.

Think you know how to spot the phish? Take this quiz from Google and see how well you can spot a phish versus a genuine email.