We are now in week three of Cybersecurity Awareness Month. Since I don’t have any major threats and updates to report on, I think it is the perfect time to remind you of the things you should watch for on a daily basis.

Phishing (email)

• Phishing is a method of attack where the attacker sends a fraudulent email designed to trick the recipient into giving sensitive information.
• The message often looks like it is from a reputable company (e.g., Amazon, Norton, Wells Fargo, etc.).
• The message may include information about an order or an invoice and includes the cost.
• If the message includes a link, don’t click it as it will likely take you to a fake site asking for information such as a credit card to verify the charges.
• If there is no link, the attacker gives a phone number so you can call and dispute the charges.
• If you call the number in the email, it is a fake number.
• You will be asked to give your credit card number to verify the charges, but the attacker is really writing down the card number, the expiration date, the CVV, and the name as it appears on the card.
• If you give this information, this is all the attacker needs to be able to use the credit card anywhere, as well as to sell this information for someone else to use.
• Notice the invoice will likely have someone else’s name on it.
  • If it does, then why are YOU getting the invoice?
  • If someone stole your credit card information, they won’t put their own name on the order with all of your sensitive data!
• If you are seriously concerned, call the *known* phone number for customer service for that company that is supposedly sending the email.
  • Tell them what has happened and have them check their records for such an order.
  • Do not give them your credit card data, either, as they won’t need it to check for the order.
• Do not reply to the email!
• Do NOT click any links or open any attachments in emails you are not expecting, as these are often full of malware, such as keyloggers and ransomware to name a couple of the worst.
• Once it has been determined this is a phishing attempt, forward the email and its Internet header using the Reporting Phishing Attempts instructions.

Spear Phishing or Business Email Compromise (email)

• We have seen tons of these over the last three or four years!
• The email is short and appears to have come from your boss or someone else in a leadership position at the Institute.
• The message usually asks you to send your cell phone number so the sender can send you a text and ask for a quick favor.
• While the sender appears to be your boss or leader, check the Reply to address and it will likely end in @gmail.com or some other personal account domain.
• If you send your phone number, you will get a response saying the sender needs you to go purchase some gift cards and send the numbers and codes back to the sender ASAP because they make it very clear they are too busy to do it and too busy for a phone call.
• No one at the Institute, or University, will (or should) ask you to do this!
• The goal of the attacker is to catch you off guard and get you to send them gift cards, which is free money for them, but a loss for you.
• Keep in mind that this kind of attack does not affect anyone but the person who spends their own money.
• This kind of attack is not representative of a compromised account (regardless of how “Business Email Compromise” sounds), as your boss’s account was not used to send the email!
• This kind of attack is orchestrated by using information from social media, websites, and org charts found online.
• Once it has been determined this is a spear phishing attempt, forward the email and its Internet header using the Reporting Phishing Attempts instructions.

Vishing (voice mail)

• Cybercriminals use voice mail to do the same things as a phishing email attack…steal sensitive information.
• A voice mail message is sent via email.
• If you are using RingCentral for your UT phone, any legitimate voice mail will go through the RingCentral app.
• If you are using anything else for your UT phone, a legitimate voice mail will look like what your normal voice mail messages sent via email look like.
• Voice mails set up through UT phone systems do not change in appearance depending on the caller.
• Remember that the voice mail being sent via email is a setup by the phone carrier.
• Once it has been determined this is a vishing attempt, forward the email and its Internet header using the Reporting Phishing Attempts instructions.

Smishing (text message)

• Cybercriminals use text message to do the same things as a phishing email…steal sensitive information.
• The text message appears to be from a reputable company (e.g., Verizon, AT&T, etc.).
• The links in these fraudulent text messages often contain malware that is installed in the background by clicking on the link.
• The malware may be a keylogger, a virus, ransomware, or other harmful software.
• If you receive a text message saying that you have been chosen to win a $x gift card, please don’t click on the link!
• Other known fraudulent text messages can look like you have been notified that your bank or credit card account has been compromised, your password must be reset, etc.
• Unfortunately, these texts cannot be forwarded to OIT Abuse like the three previously mentioned attacks, but you can report these using the resources below.

Reporting Cybercrime

If you believe you have been a victim of cybercrime, it is important that you report it as soon as possible. There are several resources for reporting and when you report, you are helping make the Internet safer for everyone.

• UTIA Chief Information Security Officer
  • If your Institute-owned IT asset(s) has been involved, please contact me right away.
  • We are required by the State and our cyber insurance provider to follow certain procedures.
  • Email me (sandy@tennessee.edu) as much information as possible, but do not include sensitive data.
  • Call me at (865) 806-5224, at any time, and I will help you.
• US-CERT.gov
  • www.us-cert.gov
• FTC.gov
  • www.ftc.gov/complaint
  • www.IdentityTheft.gov
• IC3.gov
  • www.ic3.gov
• SSA.gov
  • http://oig.ssa.gov/report-fraud-waste-or-abuse
• Your local law enforcement office

I want to thank you for everything you do every single day to protect the Institute and its data. I really appreciate you forwarding emails to me asking about their validity. This keeps me aware of what threats are out there and it often helps me know what information I should include in these newsletters. Please remember if you need me you can email or call me at any time. And please share information with peers, clients, students, and family.

Have a great rest of the week!

Sandy