[Faculty] Fwd: New Phishing Awareness Program Launched
William Nguyen
wnguyen at sdsu.edu
Tue Feb 5 12:05:27 PST 2019
Hi All,
Just an FYI in case you haven't received this email from IT Security Office.
Best,
William Nguyen
Operating Systems Analyst
College of Engineering, ENG-301A
San Diego State University
5500 Campanile Drive
San Diego, CA 92182-1326
Tel: 619-594-1166
Fax: 619-594-6005
E-mail: wnguyen at sdsu.edu
---------- Forwarded message ---------
From: IT Security Office <security at sdsu.edu>
Date: Mon, Feb 4, 2019 at 1:00 PM
Subject: New Phishing Awareness Program Launched
To: <wnguyen at sdsu.edu>
Dear Colleagues,
Last week, you received a simulated phishing email as a part of SDSU’s
Phishing Awareness Program. This was an authorized phishing training
exercise. The email impersonated SDSU’s Center for Human Resources, asking
you to verify tax information. You were then directed to a data-entry web
form, where it prompted you to divulge some sensitive information. We are
sharing this communication to remind you that no SDSU department would ever
ask for this type of information via email or a web form. Please know that
if you clicked on the simulation URL or provided sensitive information on
the web form, your data is safe and was not stored anywhere.
Email phishing is one of the greatest threats to our privacy and
cybersecurity. It is one of the most effective ways for attackers to gain
unauthorized access to an organization and your sensitive data; in fact,
91% of all breaches start with a phishing email. If such an email lands in
one of our inboxes, we are just a click away from compromising SDSU’s
security. This means you and your co-workers are an integral part of our
information security posture. To help prevent this attack method from being
successful, we began a new, immersive Phishing Awareness Program.
Building on a successful 18-month pilot that included over 3,000 staff and
faculty, the Information Technology Security Office (ITSO) will now expand
SDSU’s Phishing Awareness Program to include all staff and faculty.
*What to do if you receive a simulated or real phishing email?*
Although your first instinct might be to delete or ignore suspicious
emails, we ask that you report them to our security team. Please forward
all suspicious email to *fraud at sdsu.edu
<http://comm.sdsu.edu/E0w0B0QgMZm0z0sP0V01p01>*. If you've been targeted by
a phisher, chances are your co-workers have as well. For this reason, by
reporting suspicious emails, you can keep the entire SDSU community safe.
You will learn more in the coming months about the warning signs of a
phishing attack. If something looks suspicious, reporting the email is the
first step in mitigating the damage it may cause. If you have any doubts
about any message, please err on the safe side and forward the
email to *fraud at sdsu.edu
<http://comm.sdsu.edu/E0w0B0QgMZm0z0sP0V01p01>* or contact the *ETCS Help
Desk* at (619) 594-5261.
*What are the dangers of email phishing?*
In today's world, it's a necessity to work online, and cybercriminals will
use the information we post to trick us into clicking a link, opening an
attachment, or entering sensitive information into legitimate-looking
websites. Chances are you've received a few general phishing emails in your
personal or work-related inbox before. These emails are sent to the masses,
with the hope that just a few of the thousands or millions of recipients
fall victim. However, universities are often targeted by cybercriminals for
specifically sophisticated phishing campaigns geared toward information
extraction. These targeted attacks take advantage of personal and
professional relationships, organizational hierarchies, and human
curiosities. These emails pose a unique threat, as their high level of
customization can lead them past even the best technical controls.
As an example, the U.S. Department of Justice indicted a cybercriminal
group last year for targeting more than 100,000 accounts of professors
around the world. The group successfully compromised approximately 8,000
professor email accounts across 144 U.S.-based universities, including some
from SDSU. The campaign broadly targeted all types of academic data and
intellectual property from the systems of compromised universities. To
learn more about this, please read the U.S. Department of Justice press
release <http://comm.sdsu.edu/x0B0000W0010pzM0iw1QmPs>.
*What does the Phishing Awareness Program entail?*
In this new program, you will periodically receive simulated phishing
emails that imitate real attacks. These emails are designed to give you a
realistic experience in a safe and controlled environment, allowing you to
become familiar with and more resilient to tactics used in real phishing
attacks. While there is no penalty for sharing information during
simulations, if you do click on the link you will be prompted with
educational material. We do ask that you take 30 to 60 seconds to read and
understand the brief material presented. As the program progresses you
should be able to better spot phishing attacks, both at home and in the
workplace.
*What is SDSU doing to improve email security?*
This initial email simulation was our first step to conduct a campus-wide
assessment to understand what the University response would look like had
this been a real phishing attack. We will be reaching out to IT Departments
throughout SDSU to analyze internal processes and identify areas where we
could streamline and improve our responses.
In addition, we are working with our technology partners to deploy stronger
technical controls on our email systems to minimize the evolving threat
landscape and increase the confidentiality, integrity, and availability of
our data.
We are currently in the testing phase of several new initiatives that we
will be deploying throughout this year, including deploying additional
warning banners in Gmail for potentially dangerous emails, providing a
warning about emails from external sources, providing MFA options
(Multi-Factor Authentication), and strengthening our authentication
methods. It is a very exciting 2019, so stay tuned!
*In summary*
In the coming months and moving forward, we'll be continuing a
comprehensive Phishing Awareness Program. By taking a proactive stance and
learning how to spot and report potentially dangerous emails, we can keep
SDSU and your information safer.
Thank you for your time. If you have any questions about this training
program, please feel free to contact us at security at sdsu.edu
<http://comm.sdsu.edu/x0B0000W0110pzM0jw1QmPs>.
Best Regards,
*Michael Murashkovskiy*
Campus Information Security Officer
IT Security Office
San Diego State University
Digital Privacy Statement <http://comm.sdsu.edu/JM0pBs021P0zkWm0wQ00010>