This Week’s Cybersecurity News, 11/15/2023


Good morning.

As you may recall, spear phishing emails tend to be very cyclical and often come in large amounts within a short period of time. Today I want to tell you about the latest one that hit countless email boxes across UT yesterday. I will also give you important information about spear phishing that you don’t want to forget. And I want to remind you about this year’s security awareness training.

Current Threats

  • Urgent Request (spear phishing emails)
    • We have had several variations of these emails in the past several days and I had MANY reports just yesterday afternoon.
    • One appears to be coming from our Senior Vice Chancellor and Senior Vice President.
    • However, the sender’s address is using “@gmail.com” and doesn’t even have a name that comes close!
    • The typical subject for the numerous emails sent yesterday was Send me your available text number.
    • This email may or may not have content, as though the supposed sender was in too much of a rush to say anything else, which scammers hope will cause recipients to act before they think things through.
    • This same spear phishing attempt was sent to many others throughout the UT System, but the emails were tailored to appear to be coming from each recipient’s own leadership.
    • A legitimate request like this would never arrive from a personal address, because it is against UT policy to send anything work-related from a non-UT email.
    • Our leadership would also never ask you to go purchase gift cards on their behalf and tell you that they will pay you back later.
    • Please report this kind of email by forwarding the email and its Internet header using Reporting Phishing Attempts.

Important Information to Remember about Spear Phishing

  • Spear phishing is a targeted attack on one or more potential victims.
  • No matter how many potential victims are being targeted, the attack seeks to make each potential victim feel as though they are the only person being asked to do a “favor” for someone in charge.
  • These messages are sent in bulk, but use the blind-copy function so only your own address shows up as the recipient.
  • Spear phishing scammers use social engineering to determine who to target.
  • Most information gathered by scammers is taken from online accounts, whether it be websites, social media, or other ways that knowledge is shared with others.
  • Websites can give scammers important facts like organizational structure and who reports to whom.
  • Websites can show upcoming events and other details scammers may use for targeting specific potential victims.
  • Social media is a great way to share great news, but scammers have access to the same information that your friends and relatives have, unless your profile is set as private.
  • However, setting your profile as private won’t help if someone who does have access shares your information with others through their own accounts.
  • Even things like “away” messages in email can be used to scout potential victims, so instead of saying where you may be when you are out of the office, just keep it as generic as you can and don’t share specifics.
  • While we can’t, and shouldn’t, hide everything we do and everywhere we are, please be conscious of what information you are sharing online.
  • If you receive a very brief message asking you to ‘only reply to this email’ or ‘email me your text number,’ please take a deep breath and check the sender’s email address.
  • If it is not a UT email address, that’s all you need to see to know it is a scam (remember our policies!).
  • If it is a UT email address, but you even slightly think it seems suspicious, pick up the phone and call the supposed sender at a number you know.
  • And just because it is a UT email address does not take away the possibility that the address has been spoofed.
  • Or, instead of calling the supposed sender, forward the suspicious message to me and I will be happy to check it out for you.
  • When you let me know about these messages, it allows me to put things into motion to start taking care of the problem.
  • And finally, trust your instincts and listen to that little voice in your head telling you to be cautious!
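The checks described above (is the sender really on a university domain, does the display name borrow a leader's name, is the subject one of the short "text number" hooks, could a university address itself be spoofed) can be turned into a simple triage script. The following is an added example and is not part of this newsletter or any UT tool; the domain list, the leadership names, the Authentication-Results lines and the four sample messages are all constructed for illustration.

```python
"""Triage constructed sample emails for the spear-phishing signals the
newsletter describes. Added example; domains, names and samples are assumptions."""
from email.utils import parseaddr
import re

# Assumed list of domains that legitimate work email may come from.
ORG_DOMAINS = {"tennessee.edu", "utk.edu"}

# Assumed display names of leaders that scammers like to borrow.
PROTECTED_NAMES = {"senior vice chancellor", "jane doe"}

# Short "urgent request" subject hooks, including the one quoted above.
URGENT_SUBJECT = re.compile(
    r"text number|only reply to this email|are you available", re.IGNORECASE
)


def _normalize(name):
    """Lower-case a display name and drop punctuation so comparisons are loose."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def _sender_domain(from_header):
    """Return the domain part of the real address in a From header."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(msg):
    """Return (verdict, reasons). Verdicts: 'scam', 'verify' (call the sender
    at a known number), or 'ok'."""
    display, _ = parseaddr(msg.get("From", ""))
    domain = _sender_domain(msg.get("From", ""))
    auth = msg.get("Authentication-Results", "").lower()
    reasons = []

    internal = domain in ORG_DOMAINS
    # A university address can be spoofed; treat an SPF/DKIM failure as external.
    if internal and ("spf=fail" in auth or "dkim=fail" in auth):
        reasons.append("university domain but SPF/DKIM failed: likely spoofed")
        internal = False

    impersonation = _normalize(display) in PROTECTED_NAMES and not internal
    if impersonation:
        reasons.append("leadership name on a non-university address")

    hook = bool(URGENT_SUBJECT.search(msg.get("Subject", "")))
    if hook:
        reasons.append("subject is a known urgent-request hook")

    if not msg.get("Body", "").strip():
        reasons.append("empty body")  # weak signal, recorded but not decisive

    if (impersonation or hook) and not internal:
        return "scam", reasons
    if hook:
        return "verify", reasons  # internal address, but confirm by phone
    return "ok", reasons


# Constructed sample messages (not real mail).
SAMPLES = [
    {"From": '"Senior Vice Chancellor" <svc.office.2023@gmail.com>',
     "Subject": "Send me your available text number", "Body": ""},
    {"From": '"Jane Doe" <jdoe@tennessee.edu>',
     "Subject": "Are you available?", "Body": "Quick favor when you get a minute."},
    {"From": '"Jane Doe" <jdoe@tennessee.edu>',
     "Authentication-Results": "mx.example; spf=fail smtp.mailfrom=tennessee.edu",
     "Subject": "Send me your available text number", "Body": "Reply only here."},
    {"From": '"Help Desk" <helpdesk@utk.edu>',
     "Subject": "Maintenance window Saturday", "Body": "Systems down 6-8 am."},
]


def triage(messages):
    """Map each subject line to its verdict for a quick report."""
    return {m["Subject"]: classify(m)[0] for m in messages}


if __name__ == "__main__":
    for m in SAMPLES:
        verdict, why = classify(m)
        print(f"{verdict:7} {m['Subject']!r}: {'; '.join(why) or 'no findings'}")
```

The first sample is the gmail.com message from the newsletter and is flagged outright; the second comes from a genuine university address but carries an urgent hook, so the verdict is to call the sender at a number you know; the third shows a university address that failed SPF, which is treated as spoofed.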

Required Security Awareness Training Reminder

  • Please don’t forget that there were changes to the way we are doing this year’s annual required security awareness training.
  • The training was assigned on September 13.
  • The training will be due by December 30.
  • In an effort to streamline the two sets of required training, security awareness and compliance, these have been bundled into one “assignment” with one due date, instead of security awareness being a separate assignment.
  • The overall training assignment should take about 2-1/2 hours, but you can see your status any time you log into K@TE <https://kate.tennessee.edu>.
  • The assignment and reminder emails are automated and will come from the Annual Compliance Team.
  • Any user not completing the security awareness module by the deadline will still lose access to all Institute-owned and University-owned systems until the training has been completed.
  • If you have any questions or concerns, please don’t hesitate to let me know.

I can’t thank everyone enough who forwards those scam emails to me, like the one yesterday afternoon. It lets me know that you are very security-aware, and that makes me very happy. And sorry if I didn’t reply to each of you yesterday. I was in meetings all afternoon and my biggest concern was making sure that OIT was aware of the threat so they could get the Exchange administrators to pull the email from recipients’ mailboxes and to prevent others from coming through. And if you ever have an urgent situation and I don’t respond quickly enough to your email, please call my cell phone and leave me a message, or send me a text, if I am unable to answer. I promise that I will get back with you as soon as I possibly can.

Thanks so much for all you do!

Sandy