This Week’s Cybersecurity News, 10/16/2024

Good morning to everyone.

For week three of Cybersecurity Awareness Month I want to share some information and tips about phishing emails. These emails make it to so many inboxes on a daily basis and it is often hard to determine whether or not they are legitimate.

Phishing Tips

  • Phishing emails are created by cybercriminals in an attempt to get something from the recipient.
  • The “something” the criminals want is your personal information, like social security numbers, driver’s license numbers, financial information, passwords, etc.
  • The criminals may also include malicious links or attachments that can lead to the installation of keyloggers or malware on your computer. The links could also take you to fake websites that look so close to the real thing that victims divulge personal information, thinking everything is legit.
  • The criminals do a fair amount of research, too.
  • They visit social media sites, websites, and any other online presence to learn who’s who in an organization so they can pretend to be someone the victim would trust.
  • You can avoid falling for these scams by following these simple tips.
    • Recognize the signs of a phishing attempt.
      • Does the email stress urgency on your part to react or leave you feeling that you will face consequences if you don’t respond immediately?
      • Does the email ask you to send personal and/or financial information?
      • Does the email use unusual or untrusted shortened URLs?
      • Does the email contain a lot of inconsistencies, misspelled words, bad formatting, typos in addresses or links?
    • Resist taking action, such as clicking or responding.
      • If you aren’t expecting an email from the Dean or Department Head asking you to reply (not call!) and it looks like you are the only person who got it, it was almost certainly sent using the blind copy function, which means lots of others received it as well.
      • Think about the logic of the email. If it doesn’t make sense that a company you have never heard of is sending you an invoice, then it is probably a phishing attempt.
      • Check the sender’s name and the email address. If they don’t make sense, then it is a phishing attempt.
    • Report the phishing attempt.
      • You can forward any suspicious email to me and I will investigate.
      • UTK’s OIT is now saying that you can use the “Report Message” or “Report” button in the Outlook Ribbon to report junk and phishing.
      • Until recently that button only reported to Microsoft, but OIT says it also reports to Abuse now.
      • I still request that you forward suspicious messages to me before you click this button, as this is my number one way to know what current threats are out there and I use that information to inform the Institute.
    • Delete the email.
      • Reporting definitely helps inform others of a threat, but if you choose not to report you can delete the message, then empty your Deleted Items.
      • Don’t click on any attachment or link.
      • Don’t reply.
      • And *please* don’t click “unsubscribe”. This may be a malicious link, and at the very least clicking it definitely verifies your email address, which will likely be used for future scams.
  • You can read more about phishing by going to the UTIAsecurity Knowledge Base for Phishing.
  • Since there are other similar types of scams, you can also find more information about Spear Phishing, Smishing, and Vishing at the UTIAsecurity Knowledge Base.

Important Reminders

  • IT Security Awareness Training
    • If you have been assigned training, this is a reminder to complete that training before the end of the year.
    • The IT Security Awareness training is required of all UTIA workforce, which includes student employees, on an annual basis.
    • The IT Security Awareness training is part of the 2024-2025 UTK Compliance training, as assigned by UTK HR.
    • Assignment and reminder emails will come from the UTK Compliance Committee noreply[@]utk.edu, but I will start sending specific reminders about the IT Security Awareness training later this month.
    • As in the past, any user not completing the IT Security Awareness module by the deadline will still lose access to all Institute-owned and University-owned systems until the training has been completed.
    • If you have been assigned this training, you can find it by logging into K@TE https://kate.tennessee.edu and it will be listed under “My Active Courses”.
    • This newsletter goes out to those on the UTIA distribution list, along with some other specific distribution lists, so it is possible you do not have training assigned, but if you aren’t sure, please send me an email and I will look for you.
    • While the deadline has been set for 12/31/2024, I highly recommend that you complete it before then to ensure you get the proper credit due to DASH implementation happening at the first of the year.
  • PCI Training
    • If you have received emails from me that you are required to take Payment Card Industry (PCI) training in order to be compliant with PCI DSS Requirement 12.6, please make sure you have completed that training no later than 10/31/2024.
    • This training is required for any merchant staff member who has any part of processing credit card payments.
    • This training is not the same as the IT Security Awareness, Procurement Card, or Travel Card trainings, as each of these touches on something specific and none are related.
    • If you have any questions about the PCI training, please email me.

Thank you so much for everything you do to protect the Institute and its data. I appreciate the time and effort everyone puts into making sure we stay safe!

Sandy

Important Note: Thank you so much for sharing these e-newsletters with family, friends, clients, students, and anyone else who may benefit from the information. I would like to stress that you should keep your students in mind, as non-employee students will not get this information without someone sharing. If anyone has an email group for students who are not employees of your department, please let me know what that address is, and I can include it. I do this as a blind copy so student names and addresses will not show up!