Welcome to the November 2015 edition of the Information Security Newsletter.

Happy Holidays and Be Careful Out There

Here are some resources to help you stay safe during the holiday season.

The Top 5 Holiday Scams from The CyberHeist News. With permission, I’m copying The CyberHeist News top 5 holiday scams to watch out for.

  1. Black Friday/Cyber Monday Specials: This time of year, online scams use a variety of lures to get unsuspecting buyers to click on links or open attachments. Bad guys build complete copies of well-known sites, send emails promoting great deals, sell products and take credit card information - but never deliver the goods. Sites that seem to have incredible discounts should be a red flag. Remember that when a “special offer” is too good to be true, it usually is. For instance, never click on links in emails or popups with very deep discount offers for watches, phones or tablets. Go to the website yourself through your browser and check if that offer is legit.
  2. Complimentary Vouchers or Gift Cards: A popular holiday scam is big discounts on gift cards. Don’t fall for offers from retailers or social media posts that offer phony vouchers or (Starbucks) gift cards paired with special promotions or contests. Some posts or emails even appear to be shared by a friend (who may have been hacked). Develop a healthy dose of skepticism and “Think Before You Click” on offers or attachments with any gift cards or vouchers!
  3. Bogus Shipping Notices From UPS and FedEx: You are going to see emails supposedly from UPS and FedEx in your inbox that claim your package has a problem and/or could not be delivered. Many of these are phishing attacks that try to make you click on a link or open an attachment. However, what happens when you do that is that your computer gets infected with a virus or even ransomware which holds all your files hostage until you pay 500 dollars in ransom.
  4. Holiday Refund Scams: These emails seem to come from retail chains or e-commerce companies such as Amazon or eBay claiming there’s a “wrong transaction” and prompt you to click the refund link. However, when you do that and are asked to fill out a form, the personal information you give out will be sold to cyber criminals who use it against you. Oh, and never, never, never pay online with a debit card, only use credit cards. Why? if the debit card gets compromised, the bad guys can empty your bank account quickly.
  5. Phishing on the Dark Side: A new phishing email has begun circulating that tricks people into thinking they could win movie tickets for the highly-anticipated film, “Star Wars: The Force Awakens,” due out on Dec. 18. However, the email is a phishing attack. Leading up to the film’s release, and shortly after, you need to watch out for this social engineering attack and not fall for the scam. Stay safe online!

Shopping Online Securely by the SANS Institute

I’m linking to the November 2015 Monthly Security Awareness Newsletter published by the SANS Institute. Yes, it’s a link in an e-mail. When you hover over the link, you should be going to www[dot]securingthehuman[dot]org. This is a website operated by SANS. The newsletter gives some more advice on how to protect yourself online. https://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201511_en.pdf

The best advice that I can give is to be wary of offers that seem to good to be true, and to check your accounts often. I check mine every day or two. Additionally, I have enabled alerting on my accounts so I get automatic emails whenever my credit card is used. Also, I recommend using well-known shopping sites like Amazon, eBay, Walmart, Target, etc. If you’re buying something from a relatively obscure site, then I would recommend doing a little bit of research about the site before you buy.

10 Security Mistakes Nearly Everyone is Guilty Of - #5 & #6

Mistake #5: No Security Solutions

Everyone should have some form of Anti-Virus/Anti-Malware (AV) protection installed on their computer and ensure that it’s up-to-date. There are both commercial and free products available. I don’t have any specific recommendations, other than to have something. It’s also important to understand that Anti-Virus software isn’t 100% effective. It’s good to have AV, but you shouldn’t engage in risky behavior such as clicking on unknown links in e-mails or opening attachments with the rationale that it’s safe, thinking your AV solution will protect you.

Mistake #6: ‘It won’t happen to me’

The Internet is a wonderful thing, but it also makes each one of us as accessible to the bad guys as anyone else. If we think it won’t happen to us, then we tend to engage in risky online behavior and not adhere to basic protective best practices like we’ve been talking about. Thus consequently, we actually make it more likely that it will happen to us. Most criminals are looking for the easy catch, and by us subscribing to a few basic protective measures, we can greatly reduce the chance of becoming a statistic.

Information Security Awareness Training

I appreciate those who have already completed the training. For those that want to attend a live training session, I’ll be scheduling more sessions for December. To complete the training online, simply log into Canvas at http://suu.instructure.com (enter your campus credentials), and look for Information Security Awareness Training in your list of courses.

Winner of the Monthly Bookstore Drawing

October: Earl Mulderink

Our great employees are our best early warning system for phishing and other social engineering attacks. We encourage all employees to report any phishing e-mails they receive or scams they are aware of. Every month we conduct a drawing for a bookstore gift card. To enter the monthly drawing, simply forward phishing e-mails that you have received to phish@suu.edu, or send an e-mail detailing any scams to the same address. You will be entered for every e-mail you send in.