Tag Archives: cyber security

Email phishing exercise

Did you know approximately 45% of the world’s sent email is SPAM? While some SPAM email can be harmless enough, other SPAM is used to target and exploit personal information and data from people or alter the behaviour of the device they are using.

To help us understand how well we are supporting and informing UC staff and students on cyber security we will be carrying out random phishing test exercises over the next few weeks.

The exercise will involve sending emails that use techniques similar to those used by cyber criminals to encourage the recipient to take a specific action. We will send these to a random group of UC email addresses and monitor the outcome. No personal information of individuals in the test group will be retained.

We take this kind of exploitative SPAM email seriously and employ a number of tools to reduce the amount that makes it to your inbox. The most effective way to reduce harm to you, your data and UC is for you to be aware of the techniques being used by cyber criminals: what to look for, how to react and who to report incidents to.

For more information about how to spot phishing email and what to do if you receive a phishy email, check out UC’s cyber security webpage.

If you have any questions or concerns please contact the ITS Service Desk on 0508 UC IT HELP (0508 824 843) or on 03 369 5000.

Taking a break? Lock your device

When you step away from your computer, make sure you lock it. We’re not suggesting your colleagues can’t be trusted, but what if you’re out of the room, and then they leave the room too? Suddenly everything on your computer is available to anyone who passes by. Someone could: send malicious emails that are apparently from you; steal files; install and send viruses from your machine; install malware that steals your credentials; and many other destructive things – all of which you could be held accountable for because you “left the front door of your computer open”.

Anytime you step away from your computer, even just to grab a coffee or go to the bathroom, lock your computer.

Below are shortcuts to lock your Windows, Linux and Apple Mac computers:

Windows

  • Press ‘Windows + L’ (for Lock).
  • Alternatively, press Ctrl + Alt + Del, then click Lock this computer.

Linux

  • Press the Super key, and ‘L’ (for ‘Lock’). So that’s Win + L.
  • Or if you are running an older version of Linux use Ctrl + Alt + L.

Mac

  • Press ‘Control + Shift + Eject’ or ‘Control + Shift + Power’.

It is shocking what someone can do with your identity: they can get access to EVERYTHING you do on your device which in turn can take a massive toll on the University and you individually, and damage your relationships.

  • You could find all your data has been deleted or encrypted and held for ransom
  • The University network could be locked down – stopping staff and students from being able to work – and requiring millions of dollars and weeks or months to fix
  • You could lose access to your banking and social media accounts
  • Your identity could be stolen
    • Loans and credit cards may be opened in your name
    • Unauthorised purchases may be billed to you
    • You may become a victim of tax fraud
    • You may be locked out of apps and web-based services, forever!! (Losing family photos, thesis papers etc.)
    • Your electronic devices may be used as a tool of cyber-crime (sending spam or spreading malware)

Find out more about cyber security at UC here.

How to report a cybersecurity incident

If you have any questions, feel free to contact the IT Service Desk. Call us on our free call number 0508 UC IT HELP (0508 824 843) or on 03 369 5000.

Spotting a social engineering scam

In some previous cyber security posts we’ve mentioned a couple of types of scams that use social engineering, e.g. phishing. Social engineering is a way of tricking people into sharing their personal information.

Here, we’re going to talk about the equally dangerous non-technical social engineering attacks that we all may face.

These scammers use little pieces of information they already know about you to trick you into revealing enough information for them to defraud you. This is called ‘pretexting’ or ‘vishing’ (voice-phishing) and is often done through a phone call.

If you receive a phone call you are uncertain about, hang up and find a phone number for the organisation yourself to call them back. Don’t call any phone number the caller gives you.

It’s ok to say no – think about the information you are being asked for when filling out forms, having conversations or responding to emails:

  • is what they are saying believable?
  • why do they need this information?
  • are they making a reasonable request for this purpose?
  • is this person who they say they are?

Read these examples and check out this video to understand what social engineering might sound like. Read more about cyber security and reporting incidents at UC here.

Hi, this is Tracey calling from {Your Bank}.

We’ve blocked some suspicious overseas charges made on your card ending {last 4 digits of your card}, and we’d like to check on these with you, if that’s OK.

Before we can do that I need to run you through some security checks.

Can you please confirm the billing address for the card is correct?

Great thanks. Can you please confirm your mother’s maiden name? 

OK, we’re good to go. Have you been to a restaurant called La Roux earlier today? Spending $43.20?

No, OK, we’ll need to cancel your card and issue you a new one.

Don’t worry, we can get the new card to you quickly, if I get this processed now I can get it to you in the next 48hrs.

To make things easy for you I can make sure the same PIN number is used so you will be able to use the card straight away.

If you can confirm your PIN number I’ll get that added.

Awesome, that is done, your new card is on its way.

As you can see the scammer now has your card number, answer to your security question and current PIN number.

This example would be carried out after a wallet has been stolen. The initial information comes from a receipt found in your wallet.

Hi {your name},

This is Tracey from {names a store you have a receipt from found in your wallet}, you’ve won a gift card worth $150 that you can pick up next time you are in the {names location of the store from the receipt} store.

To secure the card for you I need to put a PIN number on it, what PIN number would you like me to add to the card?

All done. That card will be waiting for you in store.

Have a good day.

Unfortunately, most people will provide their own banking PIN number, because by human nature, we’re lazy and use the same PIN numbers or passwords for multiple purposes.

Longer passwords are stronger passwords

It’s simple: the longer your password is, the stronger it is. A password of 12 characters is estimated to be 13 million times stronger than an eight-character password, and a 16-character password is estimated to be over 166 trillion times stronger than an 8-character password.

At UC we recommend you use passwords of 10-16 characters in length for UC systems. But let’s take a minute to talk about passwords. Exciting isn’t it?

Do you use a key for your front door? Are you happy giving it to strangers? No? This is the same thing, so it’s an important conversation and worth having. Being digitally security-aware is just as important as being home security-aware.

Here’s the thing:

Remember just three passwords, and that is it:

  1. Your bank password – don’t use this for anything else
  2. Your work password – don’t use this for anything else
  3. Your password manager password – don’t use this for anything else. See more about password managers at www.canterbury.ac.nz/its/cybersecurity

Why? Some accounts are more important than others, especially your work and your bank, so have individual passwords for them, and then one more for your password manager.

Tips to create a strong password:

  • Don’t use common dictionary words – e.g. orange, car, password
  • Don’t use sequential letters or numbers – e.g. 12345, abcde
  • Don’t use repeated letters/numbers or keyboard patterns – e.g. 111, aaa, qwerty, asdfgh

Longer passwords are stronger passwords – as long as you stick to the rules above too.
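The three rules above, plus the lower end of the 10-16 character recommendation, can be checked mechanically. The following is an added example, not UC's own tooling; the word list, the keyboard rows and the run lengths (3 for sequences and repeats, 4 for keyboard walks) are assumptions chosen for illustration.

```python
import re

# Constructed sample data: a real check would load a large wordlist.
COMMON_WORDS = {"orange", "car", "password"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
MIN_LENGTH = 10  # lower end of the 10-16 character recommendation


def has_dictionary_word(pw):
    """True if any run of letters in pw is a listed common word."""
    return any(tok in COMMON_WORDS for tok in re.findall(r"[a-z]+", pw.lower()))


def has_sequence(pw, run=3):
    """True if pw holds `run` ascending or descending letters/digits (abc, 321)."""
    chars = pw.lower()
    for i in range(len(chars) - run + 1):
        window = chars[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if window.isalnum() and steps in ({1}, {-1}):
            return True
    return False


def has_repeat(pw, run=3):
    """True if one character is repeated `run` times in a row (111, aaa)."""
    return re.search(r"(.)\1{%d}" % (run - 1), pw.lower()) is not None


def has_keyboard_walk(pw, run=4):
    """True if pw contains `run` adjacent keys from one keyboard row, either direction."""
    chars = pw.lower()
    for row in KEYBOARD_ROWS:
        for line in (row, row[::-1]):
            if any(line[i:i + run] in chars for i in range(len(line) - run + 1)):
                return True
    return False


def check_password(pw):
    """Return the names of the rules that pw breaks (empty list = passes)."""
    checks = [("length", len(pw) < MIN_LENGTH),
              ("dictionary", has_dictionary_word(pw)),
              ("sequence", has_sequence(pw)),
              ("repeat", has_repeat(pw)),
              ("keyboard", has_keyboard_walk(pw))]
    return [name for name, broken in checks if broken]
```

A four-key window also matches ordinary words such as "property" (which contains "erty"), so a production check would tune the run length against its false-positive rate.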

Are you using the same password for everything?

It sounds like a clever strategy to avoid forgetting which is which, right? But have you noticed how those online security breaches just seem to keep happening? Using the same password means that if it falls into the wrong hands, then that person has your password to everything. It’s worth taking a moment to think about what that could include.

Find out more about cyber security at UC, visit www.canterbury.ac.nz/its/cybersecurity

Tips to spot a phishing scam

Can you imagine the headache you’d have if a hacker got access to your social media, banking, dating, or email login details? But you wouldn’t just hand this kind of information over to a stranger would you?

Hmm, here are some basic tips for spotting a scam.

Consider these before opening an email that you weren’t expecting to receive.

  • Is the spelling and grammar in the message correct?
  • Do the link and the text match? (Hover your mouse over the link and you’ll see where it really goes.)
  • Does the email urge you to take immediate action?
  • Does the email address of the sender look reasonable given the content of the email?
  • Look at the salutation (does it say ‘Dear Customer’)?
  • Look at the signature: a lack of details or of how you can contact the company suggests phishing.
  • Are you even expecting an email from that sender?
  • Is the message asking you to do something unusual? (eg. buy iTunes cards).

Together we can make a difference, but what should you do next?

If you think it’s a phishing email or spam:

If the message is plausible:

  • go to the website of the service, or bank yourself (don’t click that link in the email), then log in and see if you have any messages
  • if it’s someone sharing a file or similar with you, contact the person (in a new email not by using ‘reply’) and ask them.

If you’re not sure, treat it with caution and report it.

It is amazing what hackers can do with access to your device: they get access to EVERYTHING you do on that device, which can take a massive toll on you individually and damage your relationships.

  • You could lose access to your banking and social media accounts.
  • You could find all your data has been deleted or encrypted and held for ransom.
  • Your identity could be stolen,
    • loans and credit cards may be opened in your name.
    • unauthorised purchases may be billed to you.
  • You may become a victim of tax fraud.
  • You may be locked out of apps and web-based services, forever!! (Losing family photos, thesis papers etc).
  • Your electronic devices may be used as a tool of cyber-crime (sending spam or spreading malware).

See more about cyber security at UC.