February: Phish or Cut Bait

Phish or Cut Bait

Why do we belabor the phishing thing? Is the risk of social engineering just a bedtime bogeyman used by pestiferous IT personnel to rattle up some good ole’ fashioned paranoia? Before we recommence our campus phish training, let’s talk about the truth of the matter: Exactly how wary do we need to be?

Social Engineering attempts are happening regularly. SecureList estimates that 7-9% of U.S. computer users were affected by phishing attacks in 2016 (and by “affected”, they mean pretty much the same thing our phish training does - a user clicked the malicious link or attachment). That’s a very high success rate for scammers. Who wouldn’t buy a lotto ticket for a one-in-ten chance to win (Or lose? It’s a muddled metaphor, but you get the point).

Social Engineering tactics are sophisticated and successful. Spearphishing is on the rise, with personalized emails that look perfectly legit (unlike the old “Nigerian letter scams”) and point to faux websites that look exactly like our trusted login destinations (right down to that green lock icon we keep telling you to look for). The average cost to an organization caught by spearphishing is $1.6 million (Barkley.com).

So, how wary should we be? There’s no need to bury our computers in the backyard, but it’s definitely smart to have our antennae up while we’re online. Still not convinced? In the immortal words of Reading Rainbow’s Levar Burton, “you don’t have to take my word for it”. A few of these reads are a bit long, but make for a useful skim, regardless:

Email phish are here to stay for a while. So, we better be on top of our game in sniffing out the stinkers and chucking the bad ones back -- or at least into the trash. Our 2017 phish training exercises will help you master the art of the nose.

Taking Control of Passwords: Understanding Password Strength

Last month, we invited you to join us in the first step toward getting a handle on your passwords by starting a list of the sites you encounter where you’ve got an account registered. For the next step, we’ll keep on keeping on with that while we take a moment to consider general wisdom regarding password production and poaching.

Generally, passwords get compromised in one of three ways:

  1. They get stolen, as in a data breach or someone swiping the post-it note off your monitor (changing passwords on some regular interval ensures a stolen password isn’t “active” forever, especially if we don’t notice right away)

  2. They get cracked, as in a hacker’s automated password-cracking code slogs through combination after combination until it hits on your password (which is where complexity and length come in, as you’ll see below)

  3. They get shared, as in handed over willingly to a friendly email or phone scammer (if you ever suspect this has happened, contact UDit for advice)

For now, let’s zero in on number two, cracking passwords. Recognizing that different services have different requirements for length and complexity (e.g. number of characters, inclusion of super special characters, etc. etc. etc.), keep the following in mind:

  1. Longer is better. Password strength is like an algebra class word problem: “If a password is 8 characters long and must have at least one alpha and one numeric character, how many different passwords are possible?” We won’t make you do that math (we won’t make *us* do that math, either), but every extra character added to your password increases the number of possible passwords exponentially.

  2. Random is good, too. Some services (like your debit card PIN) require a shorter password. If you can’t go long, go crazy. Avoid the obvious choices for a four-digit number (like a year). And those password-cracking tools hackers use? They often include dictionary entries. So using a fully intact common word or phrase isn’t a great idea, either.
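To make the “word problem” concrete, here is a small Python script added to this page (it is not part of the newsletter or UDit’s materials) that computes the number of possible passwords for a given length and character pool, shows that each extra character multiplies that number by the pool size, and estimates worst-case cracking time. The guessing rate and the short word list are constructed assumptions for illustration; real cracking speed depends on hardware and on how a service stores its passwords.

```python
import math
import string

# Assumed offline guessing rate: a constructed figure for illustration only.
# Real rates depend on the attacker's hardware and how the password was hashed.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

# A constructed stand-in for the word lists cracking tools try before brute force.
CONSTRUCTED_WORD_LIST = {"password", "goflyers", "rudyud", "dayton", "merlehaggard"}


def alphabet_size(password: str) -> int:
    """Size of the character pool a cracker must assume for this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def keyspace(password: str) -> int:
    """Number of candidates of the same length drawn from the same pool: pool ** length."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace; every extra character adds log2(pool) bits."""
    return math.log2(keyspace(password))


def estimate(password: str, rate: int = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Worst-case seconds to exhaust the keyspace, or the near-instant cost of a word-list hit."""
    if password.lower() in CONSTRUCTED_WORD_LIST:
        # A whole dictionary word falls to the word list, whatever its length or casing.
        return {"method": "word list", "seconds": len(CONSTRUCTED_WORD_LIST) / rate}
    return {"method": "brute force", "seconds": keyspace(password) / rate}


if __name__ == "__main__":
    # A 12-character lowercase password (26**12) has a larger keyspace than an
    # 8-character password using all four classes (94**8): length wins.
    for pw in ["1984", "abcd", "abcde", "GoFlyers", "Ab1!Ab1!", "abcdefghijkl"]:
        e = estimate(pw)
        print(f"{pw:14} pool={alphabet_size(pw):3} bits={entropy_bits(pw):5.1f} "
              f"{e['method']:11} {e['seconds']:.3g} s")
```

Running it prints one line per sample password; the point to notice is that adding a fifth lowercase letter multiplies the keyspace by 26, that the twelve-letter lowercase password outstrips the eight-character “complex” one, and that a whole word such as “GoFlyers” is found by the word list before brute force ever starts.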

A Special Note to the Flyer Faithful: If a hacker were going to guess a UD employee or alum’s password, they’d likely start with the obvious - “GoFlyers” or “RudyUD”. If you’ve ever wondered, that’s why UD-related terminology is disallowed in our passwords. (But it doesn’t explain why you can’t use MerleHaggard; send us your guess for that one and we’ll send you some swag.)

We’re all aware of the quandary here - make a password that’s long and complicated enough to be secure (or “strong”, in common password parlance) but not so impenetrable that we can’t remember or type it. We’ll come back to that in March.

But here’s our action item for February: Experiment with password strength. Visit the Kaspersky password checker and see how some possible passwords stack up. The tool estimates how long a given password would take to crack (and it says “GoFlyers” would get cracked in a mere 26 minutes). Heads up: Even though the tool doesn’t store the passwords you try out, it still recommends not entering your actual password. So if you want to see how your current password fares, try something that’s just similar.

The Phish Commish Says: Watch Your “To” and “From” Fields

You can tell a lot about a message by considering the source. This is especially true of emails. The “FROM” field can easily be faked, so do a quick test to see who really sent the message: Start a reply to the email and look at the address that populates the “TO” section. Is it the same as the original sender? It’s a major red flag if the original sender’s address is not the same as the “REPLY TO” address.
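The “start a reply and see who lands in the TO field” test can be automated from the message headers: a mail client fills the reply’s TO field from Reply-To when that header is present and from From otherwise. The following Python script is an added example, not part of the newsletter, and uses the standard library’s email parser over three constructed messages with placeholder domains (example.edu, mail-example.net and freemail.example are not real organizations). It reports a reply that would go somewhere other than the apparent sender, and a display name that shows one address while the real sender is another.

```python
import email
from email.utils import parseaddr

# Constructed sample messages (not real mail) using placeholder domains.
CONSTRUCTED_LEGIT = (
    'From: "Help Desk" <helpdesk@example.edu>\n'
    "To: staff@example.edu\n"
    "Subject: Scheduled maintenance\n"
    "\n"
    "The mail system will be down Saturday morning.\n"
)

CONSTRUCTED_REPLY_TO_MISMATCH = (
    'From: "Help Desk" <helpdesk@example.edu>\n'
    "Reply-To: helpdesk-verify@mail-example.net\n"
    "To: staff@example.edu\n"
    "Subject: Verify your account\n"
    "\n"
    "Reply to this message to keep your account active.\n"
)

CONSTRUCTED_DISPLAY_NAME_SPOOF = (
    'From: "helpdesk@example.edu" <user123@freemail.example>\n'
    "To: staff@example.edu\n"
    "Subject: Verify your account\n"
    "\n"
    "Please confirm your details.\n"
)


def address_of(header_value):
    """Bare, lower-cased address from a header value, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.lower()


def domain_of(addr):
    """Part after the last '@', or '' if the string is not an address."""
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def reply_target(raw_message):
    """Address a mail client puts in the TO field of a reply: Reply-To wins over From."""
    msg = email.message_from_string(raw_message)
    return address_of(msg.get("Reply-To")) or address_of(msg.get("From"))


def header_red_flags(raw_message):
    """List of human-readable warnings about the From/Reply-To headers (empty if none)."""
    msg = email.message_from_string(raw_message)
    from_display, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    flags = []

    target = reply_target(raw_message)
    if target != from_addr:
        flags.append(f"a reply would go to {target}, not to the apparent sender {from_addr}")

    # A display name that looks like an address but belongs to a different domain
    # than the real sender is the header-level version of a faked FROM.
    if "@" in from_display and domain_of(from_display.lower()) != domain_of(from_addr):
        flags.append(f"display name shows {from_display} but the real sender is {from_addr}")
    return flags


if __name__ == "__main__":
    for name, raw in [("legit", CONSTRUCTED_LEGIT),
                      ("reply-to mismatch", CONSTRUCTED_REPLY_TO_MISMATCH),
                      ("display-name spoof", CONSTRUCTED_DISPLAY_NAME_SPOOF)]:
        print(name, "->", header_red_flags(raw) or "no header red flags")
```

The first message produces no warnings; the second is flagged because the reply would go to a different domain than the visible sender; the third is flagged because the quoted display name is itself an address that does not match the real one. Either finding is a reason to stop and verify the message through a channel you already trust rather than by replying.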

You’ll find other “TO” and “FROM” red flags below. Take a good look - our February phish training will be employing some of these tells!

Scam of the Month: Tax Scams

Even though the IRS halts many attempts at fraud, they still saw a 400% increase in reported phishing and malware incidents for the 2016 tax season and identified 42,000 fraudulent tax returns with $227 million in stolen refunds. Thieves accomplish this by using your social security number to file a return that sends the refunds to themselves.

Here are some ways to reduce your risk:

  • Always use security software with firewall and anti-virus protections
  • Use strong passwords on any site where you might enter your social security number
  • Learn to recognize and avoid phishing emails *and* threatening calls or texts from thieves posing as legitimate organizations like your bank, credit card companies and the IRS
  • Don’t click on links or download attachments from unknown or suspicious emails
  • Protect your personal data - don’t routinely carry your social security card, and store your tax records in a secure location

Contact the IRS if you get a notice indicating any of the following:
  • You were paid by an employer you don't know
  • More than one tax return was filed using your social security number
  • Your attempt to file an electronic return is rejected with a message saying a return with a duplicate social security number has been filed
  • You’re entitled to a tax refund that you didn’t request

Other scams using the IRS name

These scams may occur through e-mail, fax or phone:

  1. Fake emails purporting to contain an IRS tax bill related to the Affordable Care Act. Scammers send fraudulent emails imitating IRS CP2000 notices, with a fake CP2000 as an attachment.

  2. “Robo-calls” with urgent callback requests telling taxpayers to call back and settle their “tax bill.”

  3. Calls from scammers who claim to have your tax return but need to verify a few details to process it. They’ll encourage you to provide personal information (e.g. a social security number) or financial information (e.g. bank or credit card numbers).

Fear you’ve been scammed? Visit the FTC’s Identity Theft site to report and recover from identity theft.


Information Technologies (UDit)

300 College Park
Dayton, Ohio 45469