Over the course of the 2019 Fall Semester, APSU has been the target for a series of Phishing attempts.
As a result, APSU’s IT department and the Distance Education Support department have come together to present Catching Phish 101, a lecture part of the Distance Education Support’s Lecture Series.
The Catching Phish 101 lecture was led by Stephanie Taylor, Director of Information Technology Security, on October 18, 2019. She was joined by David Roach, I.T. Security Analyst for APSU.
“We [Taylor and Roach] are on the frontlines, defending APSU from cyber attacks and phishing attempts,” Taylor said.
Phishing: Defined
Phishing.org defines phishing as, “a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details and passwords.”
“Phishing and credential-stealing combined are the number one causes of data breaches,” Taylor said.
There are three very specific kinds of Phishing that many scammers employ in their attempts: mass-scale phishing, spear-phishing and whaling.
Mass scale phishing is the most common of the three. Scammers create a generic email, most likely entailing a link to a phony site, that will attempt to steal your credentials.
Spear phishing is tailored to a specific victim or group. It can come across as a friend or professor, asking for money or gift cards.
Whaling phishing is where a scammer targets a high-profile target, in order to steal vital information from a target company or group.
Taylor has confirmed reports of Mass Scale Phishing, and Spear Phishing, but has not seen any sort of whaling at the time of lecture.
Phishing: The Danger
Phishing Scammers can use the information you give them in order to access a plethora of different accounts and personal information.
“They might want money, bank access, critical files or login credentials. The list goes on,” Taylor said. “They could even dismantle an entire organization, using ransomware.”
“Students have been a large target this year, including where some students put in their social security numbers,” Taylor admitted. “Phishing is scary, and dangerous.”
Phishing: How to Protect Yourself
“Email is not the only way to get phished,” Taylor said. “There is smishing and vishing. Vishing is phishing via phone call, and smishing is via text.”
According to Taylor, nearly 900,000 phishing attacks were reported between April 2018 and March 2019.
“The key is to look for things that look fishy. Is it playing with your emotions, such as giving you an ultimatum? ‘Do this, or I’ll do this,” Taylor explained.
Emails can be debunked by paying close attention to the sender. “Is the email coming from where they claim to be coming from,” Taylor said.
“You [students] are our best line of defense,” Taylor said. “Slow down, check carefully, and verify, verify, verify.”
“If you think it might be a phishing attempt, but you’re not sure, sending it to me,” Taylor said. “I’m kind of like the guinea pig, clicking on it to see what happens.”
Phishing: The Takeaway
The I.T. Department is discovering ways to defend against these phishing scams, but nothing is 100% foolproof.
“Remember: no security technology is 100%,” Taylor said.
Starting soon, a Multi-Factor Authenticator is going to be required by many faculty and staff.
A Multi-Factor Authenticator is something in addition to your login credentials. Think fingerprint, facial recognition or a security question.
Taylor assures that faculty should only have to follow this step once. “It should be a one and done kind of thing.”
Multi-Factor Authentication is expected to be provided to students early next year.