Compliance Corner – Issue 2.10

Once again, autumn is upon us. The days are shorter, the smell of Pumpkin Spice soars through the air and neighbors bedeck their balconies and yards with scarecrows, bales of hay and gourds of every shape and size. Orange and purple lights, faux skeletons and tombstones announce the appearance of trick-or-treaters, who will soon be making their way through the night to fill their sacks with candy.

As I wrote last October, Halloween – the spookiest of holidays – reminds us that there are those far scarier than the tween in the bedsheet and the Scream mask, making his way up the driveway. For October is Cybersecurity Awareness Month, and we all should beware of the truly scary among us: the cyber villains.

As we learned last year, those of us in higher ed are especially vulnerable to cyber attacks: colleges and universities employ thousands of people, storing their personal information in human resource databases; these institutions are designed for the sharing of information and open access; and cyber villains are drawn to sensitive information like research and intellectual property. Fortunately, we can each do our part to protect important data by following VCU’s Information Technology Policy Framework. This framework contains university policies, standards and guidelines to keep those wishing to do dastardly deeds to our data – both personal and institutional – at bay.

I decided to check in with two of VCU’s biggest data defenders: Dan Han, Chief Information Security Officer, and Chelsea Bryan, Jr. Security Operations Analyst, to find out what’s spooky in cybersecurity right now.

According to both Han and Bryan, there are plenty of tricks – and no treats – this year.

Much of what the cyber baddies are up to these days continues to center around scamming. A glance at this list – with examples from scams targeting VCU employees and students – is enough to stand your hair on end.

  1. Job scams – These are phishing emails that look like they’re from a legitimate source, like a professor doing research at VCU.

Han says, “Scammers will always try to lure their victims with easy pay and remote work. If it sounds too good to be true, it is probably a scam.” If you receive an email like this, Bryan says you should “cease any further communications with the scammer via email or other means like text messaging. These scammers will use any information you can provide to utilize for other scams in the future.”

  2. Google Drive phishing scams – Bryan agrees with Han that the job scams are spooky, and goes on to say that, “the Google Drive phishing scam is also very active and spooky in the VCU environment.” In this scam, victims are tricked into opening a document that has been “shared” with them, then are forced to enter their username and password:

In this example, there is a warning that the sender is from outside your organization.

  3. Generative AI – While Han admits that there are many positives to AI tools like ChatGPT, he cautions that, “we must keep in mind that there may be security implications when uploading sensitive or proprietary information to these tools, as they usually operate on an open model and the data we upload to them can be retained and used to train the AI, and as such may also be retrieved by individuals with no authorization to access that data. The upload of sensitive data to these tools must be avoided.”
  4. General phishing – Says Han, “Scammers have not stopped phishing. Since it works so well, these scammers are devising new ways to trick us into clicking on links or replying to them. Verifying the sender’s authenticity and questioning what is behind a link is critical.” Bryan offers an all-too-familiar example as proof: Have you heard of the infamous “free piano” scam? In this scam, the phishers entice the victim into replying to an email (through a very believable story, often involving a recently departed relative who used to own the instrument) to find out how to pick up the free piano:

The catch? To receive the free piano, you must first send money to a moving company to cover the “delivery fee.”

For all of these scams, Han and Bryan warn that you should never enter your username or password or send money. What you should do when you suspect that you’ve been cyber-targeted through your work email by someone spooky, is forward the email to the Information Security team at infosec@vcu.edu. They’ll analyze it to determine whether data may have been breached. And if you’d like to learn more about the scams this team has been investigating and the latest and not-so-greatest scams you should be wary of, take a look at their blog, the Phishing Net: Phishing Scams and Schemes Unveiled.

So, as you enjoy the chill of the autumn nights, sipping your Pumpkin Spice latte and waiting for the costumed marauders who come in search of candy, also be on the lookout for the truly scary creatures lurking in the cyberspace: those pretending to be professors, colleagues and kind-hearted people wanting to pass on the beloved instruments of their loved ones to you. Their tricks are no treats!


If you have an idea for a blog that has to do with ethics, integrity or compliance, please contact Kim McQuillen at mcquillenka@vcu.edu. We’d love to work with you!
