Cybersecurity is the practice of protecting computers, websites, and other local and network systems from digital-based attacks. These attacks are aimed at gathering your personal and professional information, as well as that of your friends, loved ones, and the data of the institutions you attend or work for.

Without cybersecurity awareness all of our data, both personal and institutional, is at greater risk. Increased risk of identity theft, monetary loss, and the loss of information are all effects of a lack of awareness. Knowing what to look for and being familiar with the most common ways your information can be stolen and siphoned off protects you. Awareness is akin to knowing to lock your door when you leave your house.

National Cybersecurity Awareness Month (NCAM) happens yearly each October, and is a joint effort between various industries and the government to help educate and spread awareness of resources that will contribute to their safety online.

Cybersecurity awareness and concern must be included in all of our daily rituals.

Malware

Viruses and worms can install themselves in your system without you even knowing it. Once they do, they can use your machine as a base of operations to monetize your system for their benefit. This can be done by forcing ad pop-ups on you, collecting your private data and sending it off to a central location behind the scenes, collecting corporate data and siphoning that off, and more.

Malware is a large umbrella term that encompasses many different forms of attack. The important things to remember are to always report strange events on your machine, to be very careful what you click on and what suspicious emails you open.

Always be aware of links on websites, that they go where they say they do. You can see, on the lower status bar of most modern browsers, the actual destination of the link you intend to follow.

Also, for emails, ensure they are from who they say they are and that any links or attachments within the email are expected before you follow them.

Spam

Spam is one of the oldest forms of cybersecurity risk. Though most spam is simply clutter, taking up your time, there are still large groups that use spam to spread every kind of cybersecurity risk we can imagine. Spam, unwanted email from strangers, is often filled with phishing attempts, malware, and more.

Phishing

Phishing scams actively try to fool you to gather personal and institutional information.

These emails often impersonate people you know: coworkers, school administrators and faculty, financial institutions, service desks and even your personal friends.

The goals of phishing attempts are one of two things:

• Tricking you into giving them personal information such as passwords, PIN numbers, and other confidential information.
• Installing software (often called spyware) onto your machine, and the network, that is used to gather information, and even to destroy your files on occasion.

Phishing examples

Below is an example of a phishing email. Note the following:

• The sender’s email address impersonated one that could have come from a real user (raym_82), but why would I send a school email from a personal account? Also, “formsmail.com” is not a recognizable email service provider.
• The “Microsoft Partner Silver Application Development” logo is not relevant to the topic of the email.
• The email link does not include a “.com” or “.edu” in the URL. And why would MSM’s name be used in the link?
• Not so obvious, but if the email is coming from a member of the MSM IT staff, it should be signed with their name, school contact info, help desk contact info or more distinctive information to help you reach out in case you have questions or need help. The fact that it’s a generic “End user client support” signature offers you no opportunity to reach out other than by replying to the bogus email.

For a further example, see the email below and note the following:

• A request for immediate action, i.e. “Action Required” or an alarming tone in the text (“Your computer has a virus!”).
• A “FROM” email address that appears suspicious. In this case, a legitimate Microsoft email would never be sent from a third-party domain such as no-reply@stabletransit.com.
• Hover over (do not click) any links to view the web site(s) the email wants to direct you to. In the examples below, one of the links appears to be suspicious (ver.com.ua/u) while the other appears legitimate.
• Grammatical or spelling errors are common in phishing attempts. In the example below, the past tense of “require” was used erroneously in the text of the email.

Whaling

A whaling attack, also known as whaling phishing, is a specific type of phishing attack that targets high-profile staff or faculty at institutions in order to steal sensitive information. In many whaling phishing attacks, the attacker’s goal is to manipulate the victim into authorizing high-value wire transfers to the attacker.

Pharming

Pharming is an attempt to redirect traffic from its supposed destination to one the attacker has decided on. This way they can gather information such as account numbers, passwords, and more.

Spyware

Spyware is often a small program installed on your computing device without asking via a website that a pharming attack took you to, or a spam email linked you to, or carried as an attachment, that will then sit on your computer and send your personal information to a repository. The information collected may include passwords, as well as personal and corporate documents.

Social Media

Social media sites can be a fantastic way to connect to friends and family, but they are also places users need to be extra careful. Be wary of sharing too much personal information, as this data can be used to guess at passwords and even answer security questions. Be extra critical of strangers, and remember it is easy to claim to be someone, even an expert, without needing to offer proof.

Social media is also a hotbed of bad data, news and other information that may sound good to you but that is factually false, and that can even put you at risk. Always double check sources or information and be skeptical.

Change passwords frequently and never reuse passwords; that way your security will be enhanced.

If you suspect you have been phished you will want to take several steps as soon as possible:

Step 1: Change any passwords on institutional and personal accounts you think may have been compromised, but do so from a different device than the machine in question. Remember if your computer is infected, any new password may be stolen as you type it.

Step 2: Run your anti-virus software.

Step 3: Alert MSM’s Help Desk.

DO keep your computing software up-to-date to install the latest security patches and help block spyware and malware.

DO use different passwords for every account you use so a stolen password has minimal effect on your other accounts.

DO update your passwords regularly so if a password is stolen, it will not grant access to information for long.

DO use complex passwords that are harder for criminals to guess.

DON’T trust all emails by default. Always think before you click a link or reply to an email. If you aren’t expecting the email or the email seems out of place, consider it carefully. Look for links that say they are going to one site but actually lead to another. Check all links carefully by hovering over the link name.

DON’T open suspicious or unexpected attachments. They are often payloads for spyware and malware. Consider where they came from and if they are something you expected to receive.

DON’T count on antivirus and anti-malware software alone to protect you. You must also be aware and critical of your own internet habits to ensure your safety online.