SECURE IT - 2019 November

Holiday Phishing Expedition

Please be extra vigilant of phishing attacks during the upcoming holidays. Scammers try to take advantage of your holiday spirit, and the hustle and bustle of increased online activity. We have seen an uptick of Business Email Compromise (also known as CEO Fraud), where cybercriminals try to impersonate a colleague. They attempt to get you to execute an unauthorized wire transfer, send out confidential information, or purchase gift cards.

These phishing attacks use social engineering to prey on your good nature. Because they are targeted individual attacks rather than mass-email to the WPI community, they are not stopped by spam filters. They require recipients to be actively aware. This example shows the first stage of the attack where the attacker attempts to begin a conversation:

You can protect against CEO Fraud that appears in your inbox by:

1. Checking the From: address of the email. If it is not @wpi.edu then it is spoofed.
2. Investigating unusual email requests. If the email seems out of character for your executive or colleague then contact them by another means using the contact information in your official department directory. If you don’t know their contact information reach out to someone who does.
3. Reporting CEO Fraud emails to IT and discuss with your colleagues. CEO Fraud targets specific groups of people so discussing raises awareness for everyone.

Multi-Factor Authentication

Currently, Multi-Factor Authentication (MFA) is required for login to Workday and Salesforce, whether connecting from the WPI network or remotely. A pilot is underway to enable MFA for all applications that use Single Sign-On functionality when accessed remotely for select staff members that have access to sensitive data. This will better safeguard WPI data by facilitating an additional layer of security when off-campus. Information Technology (IT) and select Student Affairs staff began the expanded usage on November 14.