This Week’s Cybersecurity News, 07/19/2023

Good afternoon!

In this edition of This Week’s Cybersecurity News, I want to tell you about a non-threat some of you may receive in your email. I also want to tell you about the latest twist on a phishing scam that mentions a paycheck adjustment, as well as another old scam with a new look and a technical support scam. I have also included information about a new feature for RingCentral in Ask Your CISO.

Current Non-Threat

  • Great Place to Work Survey (email)
    • The sender is UT System Communications and Marketing <utsystemnews@tennessee.edu>.
    • The subject is We Want to Hear from You!
    • The content shows that UT Human Resources will be sending out the Great Place to Work Survey to a random sampling of 5,000 across the UT System.
    • The content also says that the random sampling of 5,000 surveys will be sent from July 18 – August 1.
    • The message does a good job of explaining the upcoming survey.
    • The message is signed by Brian Dickens, Chief Human Resources Officer.
    • If you have received this email, it is legitimate.
    • Please keep this in mind if you do receive the survey in the next two weeks.

Current Threats

  • Paycheck Adjustment (phishing email)
    • The sender appears to be a current UT employee.
    • The subject is Faculty Evaluation.
    • The actual content shows that the supposed sender is adding you as a viewer and is asking you to review the attachment.
    • The attachment is a Word document named “July Departmental Paycheck Adjustment Form.docx”.
    • PLEASE DO NOT OPEN THE ATTACHMENT!
    • Please note that the subject and attachment have nothing to do with each other.
    • Please note that the sender is most likely from a department that is not yours.
    • These emails are NOT legitimate.
    • This email is very similar to last week’s Google Drive scam, but this one is sending you an attachment instead of a link.
    • I contacted the supposed sender, who had gotten a call about this from a recipient and immediately contacted the OIT HelpDesk.
    • OIT has likely pulled these emails back out of UT users’ email, so I think this was stopped very quickly thanks to the people who let me know about it and the supposed sender contacting OIT so quickly.
    • This one, again, is concerning to me because of the timing since potential annual salary adjustments are usually done in July.
    • Salary adjustments may vary from department to department, but they will not be shared in a method such as this one.
    • If you receive an email like this, or any other suspicious email, please report it using the Reporting Phishing Attempts instructions.
  • Quota Limit (phishing email)
    • The sender appears to be Patel, Deep K., with a student email address.
    • Patel actually was a UTK student, but left UT in July 2022.
    • The subject is IT-Desk: Mailbox Is Full- Incident #812241212-New-Messages May Return.
    • The content says that you have exceeded your quota limit and says to see the attachment for a reset to avoid restrictions.
    • The email is signed “IT Desk” and The University of Tennessee, Knoxville.
    • UTK’s Office of Innovative Technologies uses “OIT HelpDesk” and not IT Desk.
    • If you receive an email like this, or any other suspicious email, please report it using the Reporting Phishing Attempts instructions.
  • Gift Card Text (smishing)
    • Text messages are being sent to departmental employees and claim to be from a co-worker.
    • The phone number being used is a Florida phone number, not the actual co-worker’s number, so it was quickly noticed as a scam.
    • The text message asked the recipients to purchase Apple gift cards and send the codes back via text.
    • I suspect that the phone numbers were taken from information found online, such as directories, social media, etc.
    • If you receive such a text message, please do not respond and delete it right away.
  • Technical Support Scam (popup)
    • This is a scam that has been around for years, but that I don’t hear much about anymore.
    • At some point while using a browser, a popup window will appear on your screen.
    • The popup shows a spyware alert and gives a phone number to call for Windows support.
    • UTIA uses Microsoft Defender, which is built into the operating system, so you can rest assured that if a virus or malware has been detected, you will be notified via Defender.
    • Microsoft never uses a popup to inform you that some kind of malware has been detected, and Microsoft definitely never uses one that directs you to click on a button and gives a phone number.
    • While the phone number makes it seem official or real, things are not always what they seem.
    • If the number is called, it often flags the person as a target for future scams.
    • If you get a popup like this, please do not click on anything, including the “X” in the upper-right corner, as clicking may start the installation of malware or ransomware.
    • If you clicked on something, please call me right away before proceeding.
    • Save any files that you may be working on, then use Ctrl+Alt+Delete and click the power button in the lower-left corner to restart your computer.
    • After the restart, your system should return to normal.

Ask Your CISO

  • I received an email with an odd voice mail message. Can we eliminate these kinds of calls?
    • The message was a voice mail in RingCentral.
    • The call appeared to be from someone named Allen Marzella with a phone number in the 865 area code, and the person leaving the message said his name was “Lord Gibt Benjamin Allen” (at least that is what the transcription provided).
    • The message was very strange, but the point was that the caller was looking for “some kind of way to make some finances”.
    • Unfortunately, there is no way to completely stop voice mail messages, whether odd or unwanted.
    • Often the caller will spoof a real phone number so they cannot be tracked.
    • Since this call came through RingCentral, though, there is a new feature available to those of us using this service.
      • RingCentral has allowed you to block callers in the past, but now you can Block & Report.
      • Blocking the number isn’t always helpful because of the possibility of spoofing, but reporting through RingCentral may be a better option.
      • Just go to the call listing or the message and hover over the date and timestamp.
      • Click on the three dots on the far right, then click “More” and “Block and report spam.”
      • Make sure you choose to block AND report when that window pops up. This can be done for both phone calls and text messages left via RingCentral.
      • I don’t know how well it will work, but it is a hopeful option.
    • Please remember that RingCentral isn’t used by everyone at this time, but if you are using it (on the Knoxville campus), try this and see if it will help.

Thank you all so much for all you do to protect the Institute and its data. I can’t express my thanks enough to all those who so quickly notify me when a new scam is being sent. Please remember that you can always let me know when you have any questions or concerns when it comes to IT security.

Have a great rest of the week!

Sandy

Important Note: Thank you so much for sharing these e-newsletters with family, friends, clients, students, and anyone else who may benefit from the information. I would like to stress that you should keep your students in mind, as non-employee students will not get this information without someone sharing. If anyone has an email group for students who are not employees of your department, please let me know what that address is and I can include it. I do this as a blind copy so student names and addresses will not show up!