Threats include phishing, spam, ransomware and other ‘social engineering’ scams.
Students, faculty and staff should watch out for “social engineering” scams that attempt to steal identities or even hold computers as virtual hostages for ransom, say technology administrators at Alamo Community College District.
Dr. Thomas Cleary, vice chancellor for planning, performance and information technology services, said he received a warning letter at the beginning of the semester from the FBI and Homeland Security regarding the increase of such scams, which are getting more sophisticated during this tax season.
Social engineering is “just trickery,” Cleary said. “And it is the No. 1 threat to our IT environment.”
Hackers use social engineering as a non-technical method of intrusion. It relies heavily on human interaction and often tricks people into breaking normal security procedures, he said.
Phishing is social engineering where a malicious party sends a fraudulent email disguised as a legitimate email, often purporting to be from a trusted source. The message is meant to trick recipients into installing malware on their computer or device, or sharing personal or financial information.
Spam and quid pro quo, when an attacker requests personal information from a party in exchange for something desirable like gifts, are other examples of social engineering.
The district has installed firewalls and other protective measures to protect hardware, software, equipment, data, security and personal data, because it all gets attacked, Cleary said.
Last year, 180 million malicious emails were received within the district.
Cleary said IT will never request a password from users.
“If we want to go into your account, we are going to go in: we don’t need passwords,” he said. “If anyone ever asks for a password, it’s trickery.”
Nestor Rivera, of this college’s technical support services, said the most common cyber attacks are from fake anti-virus software.
These include pop-up alerts that warn users a computer is infected and at risk of system failure. The message then urges downloading software to fix the issue. These fake alerts commonly appear after opening an email attachment, downloading files, visiting websites programmed to download malicious software or clicking on a pop-up advertisement.
“Never click on pop-up anti-virus alerts,” Rivera said.
The pop-up advertisements aim to mimic genuine warning alerts generated by computer security software. The software or “free scan” offered in pop-up alerts often does not work or actually infects computers with the dangerous programs it is supposed to protect against.
Other attacks include the FBI lock and Homeland Security attack, which were popularized last year. Both ask for identity information and money. The scam will lock the device being used, including laptops, tablets and cell phones, and warn the user that the FBI has locked the device because of illegal downloading. If the victim has illegally downloaded something, the threat may seem very real, but Rivera says no one should ever pay hackers.
“When in doubt, just say no,” he said. “Don’t ever pay them. Remember (internet meme) Grumpy Cat: How about ‘no?’ There are no guarantees.”
Three students at this college have fallen victim to similar cyber attacks called ransomware, Rivera said.
Ransomware received its name because hackers encrypt files on a device and will not decrypt until the owner pays a ransom.
“It’s just like getting your computer kidnapped and then never sent back,” Rivera said.
Most ransomware encryptions are impossible to break, so people end up losing their device, Rivera said.
Last year, the scams became so sophisticated, Homeland Security and the FBI got involved, Cleary said.
“We get warning letters if they see a trend,” he said. “Especially in education, they let us all know. When we catch something coming in, we let the campus know about the latest scam and what to look out for.”
Last year, hackers were able to infiltrate the district’s online IT directory, Cleary said.
The hackers impersonated Alamo College’s IT Director Roger Castro and sent numerous emails to students and staff signed “From Roger,” to make each email appear more authentic. The district’s logo and letterhead were included.
Despite hacking the IT directory, no personal data was affected. Hackers only used information to impersonate people listed on the directory.
The district has never suffered a data breach, because there are enough systems and controls in place, Cleary said.
“A layered defense is the best defense,” Rivera said.
He recommends that all students keep anti-virus software and maintain it.
Despite frequent warnings from the IT department, a clever scam will fool 12-20 students or faculty each attempt, Cleary said.
“The No. 1 defense for malicious attacks and hacks and social engineering is education,” he said. “Educate the users.”
For cyber security tips, visit www.alamo.edu/sac/security/.