Cybersecurity Awareness Month 2023

October is Cybersecurity Awareness Month, dedicated to creating a safe, secure, and resilient cyber environment. It is an internationally recognized campaign held each October across many industries in several countries to help the public learn more about the importance of cybersecurity and protecting their data. 

This Cybersecurity Awareness Month at Queen's, you could WIN a set of AirPods (3rd gen)! Test your knowledge each week with our content quizzes (found in each section below).

Rules of eligibility and how to enter can be found on the Contest Rules page.

Week 1: Phishing

Phishing attacks are some of the most common cyber attacks aiming to gain unauthorized access to your data. Make sure you know how to spot a phish and what to do if you think you have been phished. Cyber criminals have become experts at using sophisticated techniques to trick victims into sharing personal or financial information. 

Phishing is the most common form of social engineering attack.

Phishing occurs when someone impersonates a trusted entity through email or posted messages to try and fraudulently obtain personal information, financial information, or access to systems. The email or message prompts the targeted individual to act. The action could be to click on a link, provide information, open an attachment, download a file, or provide remote access to a computer or mobile device. Completing the action provides the threat actor with information or access to the victim’s account.

Once the threat actor has access to your accounts, they may use this access to carry out a larger cyberattack.

Phishing messages can come in almost any form: emails, text messages, social media direct messages, or phone calls.

In most cases, phishing campaigns are untargeted attempts to solicit personal details by casting as wide a net as possible to get people to respond. Make sure you are familiar with the kinds of phishing attacks listed below:

Smishing 

Is a phishing attempt through SMS (text message).

Spearphishing 

Is a hyper-targeted phishing attempt in which a message is designed to sound like it’s coming from a source you know personally. 

Whaling 

Is a phishing attempt aimed at a high-profile target such as a senior executive or other high-ranking official in an organization or government department. 

Spoofing 

Involves creating a fake website to get someone to share their personal information.

 

There is no simple way to ensure you are 100 percent protected against phishing campaigns. 

Phishing campaigns are becoming increasingly elaborate, and the growth of digital platforms, like social media, has given cyber criminals many opportunities to reach victims. The recommendations below can help you protect yourself from phishing attacks:

  • Be extremely cautious any time you receive a message that asks you to reveal personal information – no matter how legitimate that message may appear
  • Try to verify requests for information through another means
    • For example, if you receive an email claiming to be from PayPal, you could reach out to PayPal directly via the contact information on their website to verify the message.

If you're not sure if a message is a phishing attack, check out the graphic below for what to look for. Remember, most legitimate organizations will never ask you to reveal information through an email or text message. 

A thumbnail of a PDF file instructing users on what to look for to confirm whether they have received a phishing email.

Test your knowledge with our phishing quiz. Note that you will be prompted to log in with your NetID and password. When you're ready, click the link below to begin the quiz.

Week One's challenge is now closed.

This quiz will collect your name, Queen's email address, and NetID to notify winners of where and how to redeem their prize. Your data will not be shared with any other party or used for any other purpose.

Week 2: Reporting a Cybersecurity Incident

Did you know that phishing emails are not the only kind of incident you can report at Queen's? IT Services strongly recommends reporting phishing, spam, and abusive emails to the proper authorities.

Security incidents are events that indicate an organization’s system and/or valuable data have been compromised or threatened. Dealing with a cybersecurity incident in the right way is important - it can be easy to miss something and not fully remove the threat. Your response time makes an enormous difference - it's important to act as soon as you suspect something isn't right.

Signs that a security incident has breached your systems or applications include: 

  • The network or Operating System (OS) on your device becomes slower
  • Your browser redirects known URLs to different sites (e.g., you want to visit queensu.ca but are directed to a different website)
  • Your files and/or servers have been encrypted and you cannot access them
  • Your device receives excessive pop-ups
  • Your data usage is increasing while your usage remains the same

The most important thing to remember is to ACT QUICKLY. The sooner you take action to report an incident, the less time your data is vulnerable.
 

Data Breach: A data breach occurs when unauthorized individuals have stolen sensitive or confidential information. As we grow with technology, more and more digital data is added to our digital world. This data often contains sensitive, personal, and confidential information, and as a result, data breaches have become a popular type of attack. Data breaches can be extremely costly to an organization.

Malware Attack: A malware attack is when malicious software is used to damage a computer or network system or to gain unauthorized access to the university's private data. Malware attacks can come in many forms including ransomware, spyware, command and control, and more. 

Phishing: This type of attack involves fraudulent communication such as emails, text messages, or social media posts and messages. These fraudulent messages are designed to mimic trusted and reputable sources to deceive target users into revealing their credentials or sensitive personal data. You can check out the content from Week 1 to learn how to protect yourself from phishing. 

Denial of Service: A denial-of-service (DoS) attack occurs when legitimate users are unable to access an information system, device, or another network resource. This is a common method of attack wherein a target network or server is flooded with fake traffic, which overloads the server and results in a DoS. Services that can be affected by a DoS attack include email, websites, and medical facilities. 

Participate in all Security Awareness Training 

Queen's provides regular security awareness training to ensure faculty, staff and students (end users) have a basic understanding of cybersecurity threats. This helps minimize human error and block a possible breach before it occurs. 

To see what training is available to you, check out the Cybersecurity Education and Awareness page.

Ensure You Know How to Report a Security Incident 

Without an end user’s input and reports, security incidents can go undetected for long periods of time. When Queen's faculty, staff, and students are aware of the processes for reporting possible security breaches, incidents can be caught before much damage is done. Learn more about how to report a security incident.

Report ANY and ALL Suspicious Incidents 

As an end user, you are the university's first line of defence when attackers attempt to breach our digital environment. Any security infrastructure can be compromised by human error or failure to report a possible incident. This is why it’s essential for all Queen's faculty, staff, and students to report any and all suspected security breaches, even if they do not appear to be a significant threat.

A Security Threat Is Reported – What Happens Next? 

In response to an incident being reported, IT Services can take the following steps: 

  • Take action to mitigate the security incident and prevent it from spreading across the university and its affiliates.
  • Perform additional investigation to document the scale and severity of the breach and the type of institutional data that was potentially involved.
  • Identify all exploited vulnerabilities.
  • Revise existing or create additional protection/security policies.

Remember to use the following links to report a cybersecurity incident or if you are unsure whether you have become a victim of a cybersecurity attack:

Test your knowledge with our safe browsing quiz. Note that you will be prompted to log in with your NetID and password. When you're ready, click the link below to begin the quiz.

Week 2 is now closed.

This quiz will collect your name, Queen's email address, and NetID to notify winners of where and how to redeem their prize. Your data will not be shared with any other party or used for any other purpose.

Week 3: Safe Browsing and Social Media

Information, once posted, cannot easily be deleted. Make sure you know how to stay safe browsing the web and on social media.

 

Many of us share aspects of our personal lives on social media like pictures of our pets or birthday wishes to our loved ones. But it's important to remember that cyber threats like phishing scams also exist on social media. Remain vigilant when connecting with people through social media, whether you know them in real life or not. Here are a few ways to protect yourself from phishing scams on social media:

  • Learn to spot a phishing scam and don’t click on those unknown links
  • Identify a fake friend request and always double check before accepting a “new” friend
  • Ignore contests and giveaways that you never signed up for or participated in
  • Be mindful of all urgent requests from a friend or family and verify the authenticity of any message by contacting the requestor via another method (such as a phone call)

Social media allows us to connect to others both locally and across the globe, but cyber criminals try to exploit these connections and steal from us. By knowing the signs of cyber threats on social media and how to protect yourself and your accounts, you will be able to connect safely with family and friends.

Julie receives a message offering a “special version” of her favourite app. She clicks the link, enters her credentials, and installs the software. Unfortunately for Julie, she just fell for a phishing scam. Scammers now have total access to her device and data. 

Don't be like Julie. Instead, have a strong security mindset: 

  • Never trust unexpected social media messages.
  • Don’t click unknown or unexpected links.
  • Only download and install software from verified sources.
  • If it sounds too good to be true, it probably is.

Mark recently live-streamed a party from the office. Unfortunately for Mark, he didn't adjust the security settings on his account and accidentally broadcast proprietary information to the entire world. Also, since geotagging was still on, scammers know the exact time and location of his every picture and post and can easily target him. 

Don't be like Mark. Have a strong security mindset: 

  • Don’t assume default security settings protect you. Set your information to private where possible.
  • Don’t give away sensitive or confidential information.
  • Review and update security and privacy settings quarterly.
  • Turn off geotagging to keep your location information private.
  • Only share with intended viewers.

Tina accepts all connection requests - even from people she doesn't know. She recently connected with her CEO and has been sharing work-related, proprietary information using private messages. Unfortunately, Tina is the victim of a fake profile. Scammers use fake profiles to access information and harm organizations. 

Don't be like Tina. Have a strong security mindset: 

  • Don’t blindly accept connection requests.
  • Don’t assume the connection is real.
  • Don’t use social media to send sensitive information.
  • If a request seems suspicious, verify by contacting the person directly.
  • Periodically review and remove unnecessary connections.

Test your knowledge with our social media quiz. Note that you will be prompted to log in with your NetID and password. When you're ready, click the link below to begin the quiz.

Week 3 is now closed.

This quiz will collect your name, Queen's email address, and NetID to notify winners of where and how to redeem their prize. Your data will not be shared with any other party or used for any other purpose.

Week 4: Protect Your Online Identity

Staying safe online can help protect your identity and personal information from unauthorized access and crimes like identity theft. Make sure you know how to keep your online identity safe.

The immediate risks to you when you are not careful with your online accounts are: 
 
Phishing 
Phishing messages are designed to trick you into giving up information by pretending to be from a trusted source. Phishing messages can come from people pretending to be your friends, respected companies or institutions, or just "friendly" strangers. Never share sensitive information or click on any links that seem suspicious — even if they’re from your friends. 

Social Engineering 
Social engineering is the practice of obtaining confidential information through deception and trickery. In a social engineering attack, a cybercriminal contacts you by email or phone and may use facts that you have made public on your social media accounts (for example, where you live or work) to make their request seem legitimate. Their goal is to trick you into providing sensitive financial or personal information. Social engineering is a type of phishing that can be difficult to spot. 

Privacy breach 
Social media sites receive so much private information about us such as the names of our friends and family members, how we spend our vacations, and even the contents of our direct messages. It’s important that you understand how social media sites are using your information and if they might be selling it to advertisers and other third parties. 

Malware 
Malware is malicious software: code designed to infiltrate your device. Malware can spread on social media through links, often with catchy headlines. Once malware is on your device, it might send spam messages to your friends, steal your information, or harm your device. Always be careful when clicking links on social media.

1. Use a passphrase or complex password 
Social media is all about sharing, so if your password is something you’ve shared on social media (like your pet’s name) it will be easy for a cybercriminal to guess. Make sure you use a unique passphrase or password for every social media account. Visit the How to Protect Your Password page for more information on creating a strong password. 

2. Enable multi-factor authentication (MFA) 
Most social media sites offer multi-factor authentication (MFA). Always turn MFA on in your settings to keep your account secure. 

3. Review your privacy settings often 
Use the privacy and security settings on your social media sites to control what other people can see about you — the default settings likely provide strangers more access than you'd like.

4. Keep private information private 
Even if you’re careful, you can never know who’s on the other side of the screen. When you post on social media, avoid sharing: 

  • Too much personal information like your phone number, email address, home address, work details, or your child's school 

  • Informative pictures: Check the background of pictures before you post for any revealing info like street signs or license plates. 

  • Geotagged photos: Most smartphones and digital cameras automatically attach the exact location where a photo was taken. Many social media sites don’t capture this information when you post a photo, but when they do, turn off the geotagging feature in your camera’s settings and remove geotags from older photos with photo editing software. 

  • Exciting news: Vacation details, big purchases or events with your address can let criminals know there’s an opportunity to rob your home while you’re away. 

  • Banking or financial information, including the name of your bank, credit or debit card numbers, and any other financial information. 

Below are the seven biggest red flags you should check for when you receive an email, text, or message:

  1. Urgent or threatening language: Real emergencies don’t happen over email.
  2. Requesting your sensitive information: Anyone asking for personal information over email or text shouldn’t be trusted. 
  3. Anything too good to be true: Winning a lottery is unlikely. Winning a lottery that you didn’t enter is impossible!
  4. Unexpected emails: Expect the unexpected, and then send it right to the trash. This includes things like updates on deliveries for things you didn’t order.
  5. Information mismatches: Look out for spelling or grammatical errors that a legitimate organization wouldn’t miss.
  6. Suspicious attachments: Attachments might seem like gifts for your inbox. But just like real gifts, they’re not always good. Don't open attachments unless you are expecting them.
  7. Unprofessional design: Look out for incorrect or blurry logos, or company emails with little, poor, or no formatting.

Check out our phishing poster for details on suspicious messages.

Test your knowledge with our online identity quiz. Note that you will be prompted to log in with your NetID and password. When you're ready, click the link below to begin the quiz.

Take the week 4 cybersecurity quiz.

This quiz will collect your name, Queen's email address, and NetID to notify winners of where and how to redeem their prize. Your data will not be shared with any other party or used for any other purpose.