Happy ALMOST Back to School.
We (and other school districts) are seeing an increase in phishing activity.
Phishing is the practice of sending out emails that purport to be from a legitimate, reputable company in order to get users to reveal sensitive information (such as passwords and credit card numbers).
We recently deleted a couple of emails received by thousands of Dearborn Public Schools members that were phishing attacks. Unfortunately, a couple of users clicked on the links and entered their information.
Protecting your user name and password is critical to the security and safety of our district. Many users have access to very sensitive data.
Tips for spotting a phishing attack:
- Do you know the sender? Although it is easy to fake the return email address, you should still check to see if you know the account.
- Does the language seem appropriate for the person?
- Does something just seem “funny” about the email?
- Hover your mouse (if on a computer) over the link without clicking on it. It should reveal the URL of where it is actually going. (So, if it supposed to be sending you to Apple, but the URL is http://apple.scammer.com, that isn’t right).
- Be wary of links in emails: Type links into the Location bar in your browser instead of clicking on the link in an email.
- There is some kind of threat or urgent request in the message.
Here is a Phishing Flyer with tips (reposted from a couple years ago).
Securing your accounts
There are several things that you can do to make your account more secure:
- Be careful on clicking links in email
- Use a passphrase manager – (this allows you to have a unique password for every site you visit) (Note that most of these are not free).
- Turn on 2 Factor Authentication – this will require you to receive a text message or use a known device as an extra step to log in. This means that if someone does know your passphrase, they still can’t sign into your account without that device.
- Be very cautious about where you are entering your user name and passphrase.
*This impacts personal as well as work email.
So, how do PHISHERS get your email? There are a couple of ways:
- from the address book of someone who has had their account phished
- from breaches of online services
Please note that there have been many breaches of information. Here are a few:
- EquiFax – one of the sites that provides credit reports
- Best Buy
- Saks Fifth Avenue
- Lord & Taylor
- MyFitnessPal App
- Forever 21
- Whole Foods
- PumpUp (Fitness App)
- And more….
Your user name and password to a variety of sites may be available to people with bad intent. The breaches above may have revealed not only your email address (which can be used in future attempts), but also your password to that account. Since many people use the same password over and over, this means that bad guys may have access to other accounts. For example, if firstname.lastname@example.org uses the password mydogsname for their MyFitnessPal app (which was previously hacked), they may also use that same combination for Amazon. Bad guys will attempt to use that combination on Amazon. Now the bad guys can order from Amazon and email@example.com will receive the bills.
How can you tell if your email has been breached?
Have I been pwned
is a web site where you can enter an email address to see if it is available to phishers.