My DioErie: Computer Security Awareness Training



Did you know that 95% of cybersecurity breaches are due to human error? Criminals know the easiest way to access secure networks or steal data is to target people who already have access and steal their login credentials and other critical info. The point of computer security awareness training is to heighten the chances of catching a scam or attack before it is fully enacted.

Click on a topic below to learn more.

Computer Security Awareness Training - Social Engineering

The practice of trying to trick or manipulate people into breaking normal security procedures is called “Social Engineering”. The principle behind social engineering and scams in general is that people are the weak link in security – that it can be easier to trick people than to hack into computing systems by force. Social engineers exploit people’s natural tendency to want to trust and be helpful. They also take advantage of our tendency to act quickly when faced with a crisis. The scams described on this page are all classic examples of social engineering. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility. Common scenarios:

•   Pop inspections: Beware of the man with the clipboard! Just because they appear to have the appropriate uniform and credentials it doesn’t mean they are legit. Check with management to see if anyone claiming to be an inspector or another person not commonly seen in the building is legitimate. Don’t trust the “inspector’s” business card. Find contact information for their home office through independent means.

•   Unscheduled Tech Support calls or visits: unsolicited calls or visits from “tech support” should be a red flag.

•   “Act Now” urgency requests: Scammers hope to bypass your rational thought by creating a false sense of urgency. Tell them to come back later and do some research.

•   My boss is going to be mad: Fear is a powerful motivator; don’t let it short-circuit your thought process. Take a moment to do some research (through independent means) or enlist a co-worker’s help during a stressful situation.

Fake Zoom invitation

This very sneaky scam attempts to capitalize on Zoom’s popularity during the pandemic.

How do I know this is a scam?
• The first clue was that the person this scam was sent to was not expecting a Zoom invite for this date/time.
• The scammer tried to make it look like the email came directly from Zoom Video Communications. But the FROM address doesn’t include Zoom’s domain name - zoom.us. Instead the email is coming from h.rwl.mjwbol.com.
• Even though they tried to make the email look like it came directly from Zoom, genuine invitations usually come from the host’s mailbox or at the very least his/her administrative assistant. Either way, it should come from someone familiar or expected. In this case, the invite appears to come from amwelsh, but the domain name is @h.rwl.mjwbol, NOT eriercd.org.
• When you hover over the “Review Invitation” link (as shown in the screen print below) you’ll see the invite doesn’t go to a zoom.us link. It goes to a t.mail.bos.com address.
[Screenshot of the scam email]
Video tips from the FTC and BBB on how to avoid Coronavirus scams. Video length is approximately 22 seconds each.

Tip  1 - Hanging up on robocallers
Tip  2 - Avoid vaccination and home test calls
Tip  3 - Fact check information
Tip  4 - Know who you are buying from
Tip  5 - Don't respond to calls, texts or email about government money
Tip  6 - Don't click on links from people you don't know
Tip  7 - Watch for emails claiming to be from the CDC
Tip  8 - Do your homework when it comes to donations
Tip  9 - Watch out for phishing emails and text messages
Tip 10 - Stay in the know
Tip 11 - When you spot a scam, report it to the FTC

Visit ftc.gov/coronavirus and bbb.org/coronavirus to learn more.
When you receive an email with links to other web pages or clickable buttons, even if you think you can trust the sender, be careful. Check out these 3 red flags for identifying potentially dangerous email. If an email contains these 3 flags, close it and address a new email to the sender.  Asking them if the email is legitimate is better than dealing with an infected computer or a stolen identity.
Phishing scams aim to acquire valuable personal and financial information such as your Social Security number, credit card details or passwords for online accounts. Malicious individuals use this information to steal your identity and your money. The term was coined in 1993. Perpetrators “bait the hook” with attractive messages meant to “lure” victims in from the “sea” of the internet. Violating your privacy and security is sport for these anglers. Although many phishing schemes arrive in email, they can come in many forms, including social media, pop-up ads, phone calls and texts. Learn more:

* From the Federal Trade Commission
* From AARP


Tech support scammers want you to believe you have a serious problem with your computer, like a virus.  This 3-minute video https://www.youtube.com/watch?v=THYmUx3ofJk teaches you how to spot a scam.  Visit https://www.consumer.ftc.gov/articles/how-spot-avoid-and-report-tech-support-scams for more information from the FTC on tech support scams.
What is the goal of this scam? The goal of this scam is to steal your personal information, perhaps install destructive software to ransom your files and folders, and charge you money while they're at it.

How does it work? You receive a call or an email from someone claiming to work for Microsoft. They may tell you that they have discovered that your computer is infected with viruses - sometimes hundreds of viruses. They urge you to let them log into your computer remotely. Once you give them permission and access, they charge you a fee and then they proceed to steal information and/or plant harmful content.

How do you tell this is a scam?
  1. There is no ErieRCD.org "Team".  There is just Kathy Papalia.  
    (Note:  The scammer signed the email with the RCD in uppercase like we do on the website.  That means they visited/stalked the website to make sure their email looked legitimate.)
  2. Security emails would not trigger the “external sender” disclaimer.
  3. The sender says “ErieRCD.org Admins” (again incorrectly plural) but the email address is coming from a .jp domain. .jp indicates a domain in Japan.
  4. Office 365 does not require you to click email links to “enhance email functionality.”
  5. The links in the picture are dead now but when I hovered over the links in the email, I discovered 2 errors.
    1. The “Update Now” link goes to a “phoneyouth” website which is not affiliated with the diocese at all.
    2. The "Unsubscribe" link also goes to the same “phoneyouth” website.

      (Always HOVER over links in suspicious email to see if they go somewhere other than where they say.)
[Screenshot of the scam email]

What is the goal of this scam? The goal of this scam is to steal your login credentials.

How does the scam work? When you click the Release Message button and enter your login credentials, they record your login credentials, log into your email account, violate your privacy, steal information, send email on your behalf and sell your credentials to another malicious individual.  Why would they want to send email on your behalf?   Because that lends credibility to their harmful content.

How do I know this is a scam?

1. Security alerts would come from your email host, NOT a random third party - in this case the hacker's email ends with genesiscotractinggroup.com. Email from the Diocese would always end with eriercd.org.
2. If you hover over the Release Message button, the hint box should reveal a Microsoft web address, not a random third-party address. According to the hover hint seen below, clicking the Release Message button would take you to venaax.com - a hacked or potentially dangerous site.
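The two checks used in the Zoom-invite and Release-Message examples above (does the FROM address belong to a domain we trust, and do the buttons and links point where they claim to?) can also be applied automatically to a saved email. The following is an added example written for this page; it is not code from the diocese or from any vendor named here. The sample messages are constructed from the domains the page mentions, and the set of trusted domains is an assumption the reader would replace with their own organization's domain and the brand the message claims to come from.

```python
"""Flag the two red flags described on this page in a saved email:
  1. the From address is outside the trusted domains, and
  2. a link or button points at a host outside the trusted domains
     (the automatic equivalent of hovering over the link before clicking).
Added example; sample messages below are constructed, not captured mail."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


def host_in_domain(host, domain):
    """True if host is exactly domain or a subdomain of it.
    A look-alike such as zoom.us.example.net does NOT match zoom.us."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def review_email(raw, trusted_domains):
    """Return a list of red-flag descriptions for one RFC 5322 message.
    An empty list means neither check fired (it does not prove the mail is safe)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    # Red flag 1: sender domain is not one we trust.
    sender = msg["from"].addresses[0]
    if not any(host_in_domain(sender.domain, d) for d in trusted_domains):
        flags.append(f"sender domain {sender.domain} is not trusted")

    # Red flag 2: a link's real destination is not on a trusted domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            host = urlparse(href).hostname or ""
            if not any(host_in_domain(host, d) for d in trusted_domains):
                flags.append(f"link '{text}' goes to {host}")
    return flags


# Constructed sample modelled on the fake Zoom invitation described above.
SCAM_INVITE = """\
From: Zoom Video Communications <amwelsh@h.rwl.mjwbol.com>
To: staff@eriercd.org
Subject: Meeting invitation
Content-Type: text/html; charset="utf-8"

<html><body><p>You have been invited to a Zoom meeting.</p>
<a href="https://t.mail.bos.com/review/abc123">Review Invitation</a>
</body></html>
"""

# Constructed legitimate counterpart: sent from the organization's own
# domain, with the button pointing at zoom.us (URL path is made up).
GENUINE_INVITE = """\
From: A. Welsh <amwelsh@eriercd.org>
To: staff@eriercd.org
Subject: Meeting invitation
Content-Type: text/html; charset="utf-8"

<html><body><p>Join the meeting.</p>
<a href="https://us02web.zoom.us/j/1234567890">Join Zoom Meeting</a>
</body></html>
"""

# Assumed trusted set: our own domain plus the brand the mail claims to be from.
TRUSTED = {"eriercd.org", "zoom.us"}

if __name__ == "__main__":
    for name, raw in (("scam", SCAM_INVITE), ("genuine", GENUINE_INVITE)):
        print(name, review_email(raw, TRUSTED) or ["no red flags"])
```

Run against the constructed scam invite it reports both the untrusted sender domain (h.rwl.mjwbol.com) and the Review Invitation link going to t.mail.bos.com; the genuine counterpart produces no flags. The subdomain check is deliberately strict so that a host merely containing "zoom.us" somewhere in its name does not pass.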

What should you do if you receive an email like this? If you receive a security alert regarding your email account, call the people who manage your email. Confirm things before you click on a link in an email. If you are sure it's a scam, delete the email.
[Screenshot of the scam email]