Overview
Although we take all of the cyber security precautions that any other major organisation should do, there are some vulnerabilities that technology alone cannot fully avoid, and example of which, is social engineering (see section lower down). It is important that you are aware of how to minimise the risks to you, your contacts, and the University.
Examples of email scams
In Oct 2022 some staff reported receiving emails classed as social engineering - where the attacker is looking to move the conversation to mobile SMS, possibly to extort funds/information/password.
Email phishing and scam messages continue to be the primary attack vector to extort money or information from the University. The University attack surface is reduced as much as possible to mitigate this risk in the event of these email threats being delivered and succeeding to fool the recipient in surrendering their information. An example of which would be clicking on a malicious link in a phishing email designed in a way to present itself from a legitimate source.
Recent and common examples of email scams include:
- HMRC tax rebate scam - where scammers try and trick people into handing over details in order to claim a fake tax rebate
- Covid19 vaccination scam - asking the recipient to ‘book your vaccination’ via a hugely expensive premium rate phone line
Access to email from a University provided computer system ensures the best possible security. This method of access secures the individual through perimeter protection (Firewall) and local protection (Antivirus, Least Privileged Access). University defences against these kinds of attacks are being developed continuously. Furthermore, IT Services recognise that University stakeholders need convenient access to their email from different types of devices and locations, particularly for students and staff who are not provided with a computer, and where users are remotely located due to the pandemic. To further mitigate the risk of data or financial loss, The IT team is implementing ‘Mimecast Email Security with Threat Protection’. Mimecast builds on the solid security principles and foundations that are already in place in protecting email, by ensuring a balance of threat awareness and overall protection.
Protection guidelines
To help protect yourself from potential security threats, please read the following guidelines:
- Sometimes a scam email will be sent directly to your University email address. However, it can be sent to a generic account e.g. odrevolver@chi.ac.uk and still end up in your inbox or junk folder
- A scam email may include a virus in the form of an attachment
- Do not open suspicious emails, they could infect your computer (whether a University or home computer)
- Email display names can be spoofed: be wary of all requests for personal information
- Never log in to a website that you have accessed from an email link
- Never send your passwords or sensitive data via an email
- Never divulge any password. To assist with this security measure, the SIZ or IT Services will never ask for user passwords
- Web pages that require authentication should always be accessed via the University home page: www.chi.ac.uk
- If you are in any doubt as to whether a website is genuine, please contact the SIZ for advice
- If you are suspicious about an email you have received please follow the Reporting suspicious emails guidance
Anti-virus can only go so far, and you should be very suspicions of:
- Pop-up advertisements on your computer
- Web browser tool-bars
- Downloading the latest block-buster movie to your device, Not only is this illegal in any case, if it is free, the price is very likely to be an infection that you have ‘welcomed’ onto your computer
- File sharing through Google-doc, personal One Drive and Dropbox etc
Social engineering
Social engineering is a form of techniques employed by cyber adversaries designed to lure unsuspecting users into sending them their confidential data, infecting their computers with malware or opening links to infected sites. In addition, cyber adversaries may try to exploit a user's lack of knowledge; thanks to the speed of technology, many people don't realise the full value of personal data and are unsure how to best protect this information.
Malware: viruses, trojans, spoofing and identity theft
Malware is a term used to describe various software that is used to damage or infiltrate computers. Malware is used by online criminals to conduct scams, obtain confidential information, extort money, and for general disruption.
Some criminals snoop on you to catch enough information to impersonate you to steal from your bank, to get a fake passport, or to capture your passwords (for Moodle, HR, Student records etc) in order to capture other people’s personal information.
For example, the malware attack we experienced in July 2015 comprised a virus hidden in a zip file attachment to an email sent from an airport hotel in Korea which, if opened, encrypted your personal files. This scam also tried to ‘sell’ a decryption, a solution the perpetrators had no intention of providing and in which they were trying to get you to enter your credit card details so they could steal from you.
What we do to avoid viruses
Viruses occur all over the world, with new variants being tried, some of which auto mutate in order to continuously try to gain entry again and again. Anti-virus software is also in constant evolution. The University uses the leading anti-virus, and every release of software from the anti-virus companies is automatically downloaded to the University and installed immediately. However, the solution to a virus cannot be designed and delivered until someone has been infected. After someone has reported an infection, a solution is usually provided in a few hours. In the meantime we are vulnerable to that particular strain of virus.
Wherever they come from, the University’s IT services typically repel in excess of 10,000 (and sometimes over 100,000) malware infection attempts per day.
What you should do to minimise risks
All University machines have the latest virus protection software, and we most strongly recommended that you buy anti-virus software such as Norton, Kaspersky or McAfee for your own devices. Some basic anti-virus solutions are available for free, for example AVG.
If you suspect that you may have a computer virus or that you have inadvertently triggered Malware on your device, please contact the SIZ helpdesk immediately by phone on 01243 816222. Please also disconnect the device from the University’s network by unplugging the network cable and / or switching off the WiFi on the device.
If you suspect that you may have a computer virus
If you suspect that you may have a computer virus, or that you have inadvertently triggered Malware on your device please contact the SIZ helpdesk immediately by phone on 01243 816222. Please also disconnect the device from the University’s network by unplugging the network cable, and ideally by switching off the WiFi on the device.
If you see something suspicious, please call SIZ (01243 816222) for advice.
If we believe your account has been compromised, the IT security team will immediately reset your password and then notify you by telephone as soon as possible
The security of our systems and data is of the upmost importance. Your attention is drawn to the Code of Conduct within the University's Electronic Information Security Policy.