Emails with malware and dangerous links increase at the start of each semester. That’s why Vice President & CIO Elias Eldayrie sent a campus-wide communication this week, reminding the UF community to be extra vigilant before clicking on a link or opening an attachment in an email. Three ways you can contribute to a secure computing environment at UF are by taking the information security awareness training, reporting suspicious emails, and being mindful when opening an email marked [EXTERNAL EMAIL].
• Last year, 16,526 faculty and staff completed the Protecting UF: Information Security Awareness training. Additionally, 10,878 students completed Protecting UF’s phishing module. All training modules were updated this summer, so be sure to complete them when you receive your annual reminder. Faculty, students, and staff can also take the training at any time of the year.
• Report suspicious messages in GatorMail with the phish alert report button. If an email seems suspicious, just highlight it and click on the phish alert report button in the top right of your email. This action sends the potentially dangerous email to UFIT so staff can investigate. In FY23, more than 48,000 emails were reported using this button.
Although 98.5% of phishing messages received from outside UF in FY23 were blocked, some still get through. Be vigilant about what emails you open, especially those flagged with [EXTERNAL EMAIL]. Dive deeper into cyber tips on https://security.ufl.edu/.
Just in time for the new academic year! UF’s Information Security Office has updated its mandatory annual training. Faculty and staff will receive an email reminder on the one-year anniversary of their previous training completion date, but can take the training any time. There are six modules in the training, and they take approximately 35-45 minutes to complete. Visit this page to take the training.
The number one cause of compromised GatorLink accounts is a student, faculty, or staff member opening and responding to a phishing email.
Students can take the phishing module that’s part of the full training. The stand-alone phishing module is a great way to become better informed about how cyber-criminals operate. Because students will now be interacting with campus departments and faculty (whom cyber-criminals will try to impersonate), they are strongly encouraged to learn how phishing works. Students can find the link to the phishing module training in the ONE.UF menu. The 15-20 minutes you invest in taking the phishing training can pay off in a big way when you learn how to spot and report malicious emails, instead of opening one and inadvertently bringing a world of hurt on yourself…and potentially your university.
Phishing emails, with malware and dangerous links embedded in them, increase at the start of each semester. Why? Cybercriminals know that new faculty, students, and staff do not yet understand what to expect from UF emails, and whether asking for GatorLink password information in an email is standard conduct. (It isn’t.)
In addition to phishing, social engineering includes deceitful activities like spear phishing, smishing, tailgating, and doxxing. Make time to review the Information Security Office’s social engineering webpage and become familiar with techniques that cybercriminals use. To help the UF community better understand phishing, Dr. Amanda Phalin, Faculty Senate chair and senior lecturer in Warrington’s Management Department, recorded this video, which explains what it is and how it works.
In the past 12 months, UFIT’s security detection systems have caught 98.5% of phishing messages sent from outside the university. Still, some phishing emails do get through. That’s why being vigilant about what you click on is so important. The phish alert report button in GatorMail lets you report suspicious messages. If you receive an email you suspect is a phish, highlight the email and click on the phish alert report button. This action sends the potentially malicious email directly to the Information Security Office so staff can investigate. Emails from outside UF are marked with the [External Email] banner. Apply extra caution when you see this banner, especially if the email purports to be from someone at UF.
Have a great semester and GO GATORS!
The UF Information Security Office’s annual summer contest is open June 1 – 30, 2022. This year, all you have to do is play Phishle — UFIT’s information security take on the popular game “Wordle®” — to qualify for weekly gift card drawings.
Never played Phishle? Like Wordle®, Phishle is a word game. But Phishle focuses on players learning about social engineering terms such as phishing, smishing, vishing, and tailgating while solving the daily word puzzle. Phishle was launched in Spring 2022 by Spencer Fasulo, a freshman computer science major who interns with the Information Security Office (ISO). Before entering the Phishle contest, check out the ISO’s great new social engineering webpage. You’ll learn what to watch out for and be better equipped to complete the daily Phishle game and win a gift card!
Phishle players get an entry for each 10 words they find. After achieving 10 correct words, fill out the form provided with your contact information. Two gift cards will be awarded each week, with winners announced on UFIT’s Twitter and Instagram accounts. Gift cards will need to be picked up in the 720 Building by local winners. Winners residing outside of Alachua County will receive their gift cards via US Mail.
Have you received a strange text like this one (pictured)? Smish alert! Smishing and vishing are like phishing, except scammers use different devices to try and trick you into giving up personal information.
Smishing is done through text messages, while vishing happens through phone calls. Smishing attackers are also using instant messaging apps, like WhatsApp, as well as LinkedIn and Facebook to reach new victims. What do they want? The same things that phishing scammers are after: personal information, account passwords, and your money. Often, scammers employ social engineering tactics by pretending to be someone you know or to represent a familiar organization.
The best way to handle smishing and vishing attempts is simple: Delete the message or hang up! As an added measure, depending on your device and cellular provider, you may be able to block and report the sender. It only takes one click, one call, or one response to a message to have your personal information stolen or credit card maxed out. And, if that stolen personal information leads to figuring out how to use your GatorLink credentials, then you, your friends, professors, and anyone else on the UF Network could be impacted.
If you are unsure about a communication purporting to be from a UF department–email, text, or phone call–you can always check with the UFIT Help Desk.
Vice President and CIO Elias Eldayrie emailed all UF faculty, students, and staff this morning with facts about ransomware and phishing. Eldayrie also listed some key success indicators for securing campus, like a decrease in compromised accounts and an increase in reporting of potential phishing emails, made possible because of the campus’s buy-in and involvement in cybersecurity issues. The statistics Eldayrie shared are:
• Unauthorized Account Usage
Since implementation of multi-factor authentication, UF has seen a 99.7% decrease in compromised accounts
Since installation of the phish alert button into GatorMail, faculty, students, and staff have reported more than 14,500 suspicious emails, leading to fewer successful phishing attempts
• IT Security Risks
Since launching the new risk assessment process in 2016, 5,200+ risk assessments have been submitted by faculty and staff prior to technology purchase, allowing for review of security gaps and risk
UFIT engages in year-round training and outreach to help UF better understand information security risks, like what to look for before clicking on links in emails–especially those with the [External Email] banner. President Fuchs also recorded a video about ransomware and phishing to support outreach efforts. View the President’s video here.
Additional resources to help our campus community securely teach, learn, research, and conduct university business are listed on https://security.ufl.edu/resources/.
UF’s 5,712 international students, along with our international faculty and staff population, are prime targets for criminals who want to leverage their immigration status to steal money and sensitive data.
The UF International Center (UFIC) reported several cases of phishing emails and phone calls from cybercriminals posing as representatives of the U.S. Department of Homeland Security or U.S. Immigration and Customs Enforcement. Scams include threats of deportation, visa revocation, or phony visa lottery acceptances. The fake messages are schemes to solicit money or sensitive information (e.g., Social Security numbers or credit card information).
“We cannot emphasize enough how important it is for our international students to be aware of scams and phishing attempts that can impact their legal status, identity, and financial future,” said Debra Anderson, director of International Student Support Services for UFIC.
Everyone, regardless of visa status, should think twice before automatically clicking on an email attachment. U.S. government agencies never demand immediate payment over the phone or via email. In fact, contact with U.S. agencies involved in immigration issues always starts with a letter, not a phone call or an email. If you think an email in your GatorMail is suspicious, report it with the Phish Alert Button so UF’s Information Security Office can investigate further.
In 2019, audits were conducted of the state’s 12 public universities. The report recommended that the University of Florida enhance its existing information security awareness program with mandatory annual faculty and staff training. This summer, UFIT developed a new training program to meet the Florida Board of Governors’ recommendation.
“Protecting UF: Information Security Training” consists of four modules: phishing awareness, restricted data, cloud and sharing tools, and general safeguards. Training takes approximately 30-40 minutes to complete and is mandatory for faculty and staff. Emails will deploy from the myTraining portal in the next few days notifying the UF community that training is available. Training must be completed by the close of the fall 2020 semester, with the annual reminder date for re-certification based upon the initial completion date. As part of the Protecting UF program, in January all enrolled students will see a “to do” reminder in ONE.UF to take the phishing awareness training.
This effort is part of a larger program to inform the UF community on how to protect teaching, learning, research, and online activities. Please visit the Information Security Office website for additional information on this training and other security topics.
Checking the age of your passwords and reviewing an email link or attachment before opening it can go a long way in protecting yourself from a cyber attack. It’s the world we now live in, so here are some reminders that could save you a lot of heartache and financial and/or identity problems:
1. Check before you click.
Never click on links or open attachments without inspecting the email first. With the enormous volume of malicious emails created and sent every day, being cautious is crucial. Always hover over the email address and look for signs of a scam.
2. Protect and update your passwords.
When was the last time you updated your passwords? Experts recommend updating them every 60 days! Not only should you update passwords, but you should use a passPHRASE. The longer your passwords are, the better.
3. Never leave your electronic devices unattended.
As tempting as it is to ask someone to watch your laptop while in Marston, don’t take this risk. Always take your portable items with you, even if it’s just “for a minute” while you are at the reference desk.
For more ways to be cyber aware, read the Psychology of Phishing story on UFIT News or visit the Information Security Office website.