Recap of Part 1: Shelby Tortoise and Bugsy Hare were two employees with contrasting approaches to their work and cybersecurity practices. Shelby was diligent and careful, while Bugsy was fast and careless. Both applied for a new management position at the university.

One day, as the two of them were waiting for the decision on who would get the new position, they both received suspicious emails that would alter their career trajectories with the university. Who would win the race for the promotion, the Tortoise or the Hare?

After the interviews were completed, everyone, including Shelby, assumed that Bugsy would win the promotion. He was getting more work completed due to his harried work operandi. He’d buzz into the office in the morning, eating a breakfast sandwich and drinking an iced latte as he worked. Meanwhile, Shelby was putting in extra hours, coming in early and leaving late, trying to keep up. To the observer, it looked like Bugsy was running circles around her.

Shelby received an email from one of the university’s vendors stating that there was an outstanding invoice and a wire transfer was needed immediately, or the university’s internet service was going to be terminated. The email contained a link to the vendor’s website where immediate payment could be made. The email looked legitimate, but it made Shelby nervous because she’d never received an email from this vendor, and the email made it sound like this was an urgent matter. She remembered from her cybersecurity awareness training that one of the things bad actors did in phishing emails was use a sense of urgency to try and trick people into giving up information.

Shelby also remembered the message that the university’s InfoSec department kept repeating, “If you suspect something, report it.” Shelby reported it to the Abuse Mailbox that InfoSec monitored and asked them if the email was legitimate. The InfoSec team investigated the email, told her it wasn’t legitimate, and thanked her for reporting. She was very proud when she received an email from the university’s Chief Information Security Officer (CISO) thanking her for catching this and saving the university tens of thousands of dollars. The CISO cc’d Shelby’s manager on the email. Shelby’s manager congratulated her and thanked her for being so diligent.

Meanwhile, Bugsy received an email from the university’s IS&T department stating that there was a problem with his network account and that he needed to fix it immediately. It instructed him to click the link in the email and provide his login name and password. Being in his usual hurry, he clicked the link, entered his login name and password, and hit submit. He thought nothing of it since the login page looked like one from the university. A minute later, he received an SMS text with his MFA/2FA code. He promptly entered it into the login page, and the page was closed. Bugsy continued his work. When Bugsy clicked on the link in the phishing email, the bad actor not only stole his account access but downloaded malware onto his computer that would give the bad actor access to Bugsy’s computer anytime they wanted.

Next part: Check out IS&T’s blog space for part three (coming soon).

As always, if you suspect something, report it to abuse@chapman.edu.

 

Stay safe, stay vigilant!

Keith Barros

Chief Information Security Officer (CISO)

Chapman University

Next part: Check out IS&T’s blog space for the next part (coming soon).