Greetings Campus Community,
October is National Cybersecurity Awareness Month, an annual initiative to raise awareness about the importance of cybersecurity. Each week Technology Services will share tips and practices designed to improve your cybersecurity knowledge. Our goal is to promote deliberate, mindful behavior that serves to protect our information assets.
Data security has always been important. It’s no more important today than it’s always been. Information is one of the most important university assets. The University is entrusted with personal information of students and staff. We, all of us, have a responsibility to protect such information in a safe and secure manner. It is important to comply with law, policies, and statutes to protect the information entrusted to the University.
Information is valuable and attackers are constantly trying to steal it from you. Poor security can cause personal, social and reputation damage. This week, we’ll look at how to recognize scams and potential threats to the security of information in the workplace.
Social Engineering
Those who want to steal data may use tricks to manipulate people to give access to information. This is called social engineering. There are many social engineering tactics.
Social engineering tactics include using email, websites, phone calls, or some other method to trick or gain the trust of an individual. It might include finding the University’s phone list and researching employees on social networking sites.
The social engineer’s goal is always to trick or gain the trust of one or more employees, through a variety of means:
- Over the phone
A common social engineering attack is conducted by phone. A social engineer might call and pretend to be a fellow employee, technical support, Help Desk staff, or another trusted outside authority (such as law enforcement). They might call employees claiming to be contacting them about an issue.
- In the office
"Can you hold the door for me? I don't have my key card." While the person asking may not seem suspicious, this is a very common tactic used by social engineers to gain access to unauthorized areas and information.
- Online
Social networking sites have opened another avenue for social engineering scams. One tactic involves the attacker posing as a "friend" on social networking sites. But can you be certain the person you are chatting with on a social networking site is actually the real person? Attackers are stealing passwords, hacking accounts and posing as friends on social networking sites for financial gain.
Email Phishing and Malware
Hackers and attackers use emails containing attachments or links to try and trick people into providing access to information. Attachments may contain malicious software (malware) that will automatically download onto your computer. This type of threat is known as phishing.
If you receive a request from a supposed colleague asking for login details, financial information or other sensitive information, you should never provide such information. The University does not ask for passwords or other sensitive information via email.
If you receive an unsolicited email that contains attachments or links you have not asked for, do not open them.
Phishing
Phishing is the main and easiest form of social engineering. Attackers use phishing emails and websites to scam people every day. They are hoping for you to click on fake links to sites or open attachments so they can steal data or install malicious software.
The aim of phishing emails is to force individuals to make a mistake, for example, by imitating a real company's emails or by creating a time-limited or pressured situation.
Phishing email attachments or websites might ask you to enter personal information or a password or they could start downloading and installing malware. Never enter personal information or click on links.
What to Do
Stay vigilant.
If you identify a social engineering threat, report it to the university Help Desk.
If you identify a phishing email, mark it as junk (call the Help Desk for assistance). Marking suspicious email as junk helps to reduce the amount of phishing email received at the University.
Report suspicious email to reportphishing@listserv.csufresno.edu.