The days of a king or queen from a faraway land sending tremendous riches for responding to an email with your bank account number are not as numerous. It's not because scammers have gone away. They are just more sophisticated.
October is cybersecurity awareness month and the Center for Cybersecurity Innovation and Outreach (CyIO) hosted its first fair last week. Faculty, staff and students saw how important cybersecurity is and how easily information can be exploited.
"We want to raise awareness of the things that don't get stopped by information technology services (ITS) because they do a good job behind the scenes that most people never see," said CyIO director Doug Jacobson. "We are taking the next step from awareness to trying to better educate people on what they can do to protect themselves."
Jacobson said education is key because attacks are more often directed at people rather than technology because of advances made over the years.
Passwords are a part of daily life for everyone on campus, but the key is to create strong ones.
"A strong password is a long one because length is probably more important than all of the magic characters," Jacobson said. "The amount of time it takes to break a password is directly proportional to its length and the complexity of it."
For people who change passwords often, Jacobson recommends creating a strong front half of a password and tweaking the last few digits. If the password is strong enough on the front end, someone trying to steal information likely would never get to the back half, he said.
Multifactor authentication is required at Iowa State, and Jacobson said is a "relatively painless" way to add another layer of protection.
Reusing passwords on multiple websites is dangerous because they can be stolen from a third party and used without your knowledge. Multiple passwords limit what information scammers can access.
There are several ways to keep your passwords safe. Using a virtual private network (VPN) creates a secure network from a public internet connection to offer online privacy. Never share information on a website not secured with the small padlock in the left-hand corner of the address bar in a browser, Jacobson said. Information transmitted on secured sites hides data like passwords and credit card numbers.
Phishing is a cybercrime where people are contacted by email, telephone or text message by someone posing as a legitimate institution seeking sensitive data like bank or credit card numbers and passwords.
"It changes constantly, and they are very adaptive because once we learn what they are doing, we tell everyone," Jacobson said.
Skepticism anytime a business like a bank or credit card company tries to reach you through email or text is key, he said. Avoid clicking on links in an email and go directly to the source by logging into a bank's official website or physically going to the building.
Recent email phishing scams have scammers posing as a friend or family member reaching out for financial help, usually in the form of gift cards. Jacobson said the key is not to engage and delete the email or text.
"I don't recommend this for anyone, but I spent two or three hours interacting with someone posing as a friend asking me to give them $500 in gift cards," he said. "I think they eventually figured out what I was doing, but I thanked him for providing me with a whole series of screenshots I could use in my class."
A password sniffer is a software application that allows hackers to steal usernames and passwords by observing and passively recording unencrypted network traffic.
"For about $100 I can buy something that will sniff passwords on the internet," Jacobson said.
Only use encrypted wi-fi networks while visiting secure websites or use a VPN to prevent a password from being stolen.
What to do?
Anyone on campus who may have been part of a phishing scam or other cybersecurity attack should report it immediately to firstname.lastname@example.org. Anyone who clicked on a link or otherwise engaged in a cybersecurity threat should change passwords.
"Usually people contact us when they don't know and we tell them, 'Even if you are not sure, reach out to us,'" said Linda DeSchane, IT Solution Center customer success analyst. "Sometimes they send us screenshots, which are fantastic."
Reporting suspicious emails is important because ITS can review email logs and see if it is a larger problem on campus. ITS also can block a sender's email address or the sites that links send people to.