
Tucked away in a small dark office in the Central Services Building, Patrick Feehan is hard at work. In fact, Feehan, the College’s director of information security and privacy, may just have the hardest job at Montgomery College—convincing students and faculty to be less curious, at least online or in their email.

Feehan, along with his team, is on a mission to make email and internet users more skeptical. With summer approaching, you may be tempted to click on a link in an email or ad saying you could quickly lose weight, but Feehan warns: beware. “You click on it and it may load malware to your computer, which encrypts every file to which you have access,” he says. And the “bad guys” will then demand ransom to un-encrypt your folder, threatening to destroy your files if you do not pay.

The Phishing Team

Nell Feldman, Patrick Feehan, and Annie Shane

Feehan and the rest of the IT security group are, in many ways, the College’s cybersecurity detectives. They work proactively to keep systems and users safe from those aforementioned bad guys by searching out the latest threats, preventing known scams, and jumping into action when problems arise. It is a big job. In a single month, the College receives 10 million emails—85 percent of which are blocked before they even get to the user, marked as spam.

Phishing emails are an increasingly common and sophisticated threat. Nell Feldman is Montgomery College’s IT security manager and a certified information systems security professional. She says phishing emails and other scams are “preying on human vulnerability,” as in the case of the miracle weight-loss cure—and trying to socially engineer the user into making a bad decision.


In a phishing attack, the sender might lure you to a website—it might look just like a site you are familiar with or use regularly so you enter your password and user name. Once the “bad guys” have your credentials, they can access anything you can.

That’s what was behind a strange call Feehan got one day from a Michigan dairy farmer. The farmer wanted to know why the College was sending him emails saying he had won the lottery. An MC user had given up his or her credentials, giving the phisher the ability to send emails from the College.

A form of phishing called business email compromise is particularly sinister. The sender will say he or she is someone high up in the company or the College and target certain users who they know will respond to that person. “They prey on the user’s fear of a powerful individual,” Feldman says.

If you suspect an email is phishing, Annie Shane, policy and planning analyst with IT security, has some good advice. “Report, report, report,” she says. Reporting helps IT block malicious content or users, especially those who were not previously known. College employees can click on the “Report Phishing” button in their email.

To help get the word out about phishing, Shane offers training workshops and also sends out mock phishing emails—a memorable one she sent told users they had a secret valentine—then publicly shares how many people reported the phish, how many people opened the email, etc.

What if you are not sure? The team has the ability to check an email on a virtual machine (which works in isolation so no additional users are impacted). If it is okay, they will simply send it back. And Shane says you never have to worry about reporting too much. “Over-reporting is the best problem we can have!”

If you do get “hooked,” the IT team will take a series of steps to help. Feldman says sometimes bad things are hidden so just changing your password won’t always be enough. For example, the bad guys could update your email signature with a dangerous link or add rules to your email causing certain items to be deleted.

The team has some other great tips for surfing online, including:

  • “Just ask.” Not sure if your bank, co-worker, or friend was really the sender? Ask first, open later.
  • Beware of emails with aggressive or threatening language which may, for example, tell you your account will be deactivated or your privileges revoked.
  • Don’t give out information like your password (IT will never ask for this) or click on a link, even if you think it is safe. Sometimes the sender will hide the real URL behind an innocent-looking link or add something to it—instead of www.montgomerycollege.edu, for example, the link will read www.montgomerycollege.edu.college.com—so it is always better to simply go to the site yourself.
  • Beware of bad grammar or impersonal greetings, and don’t be fooled by anything offered for free. “Free should set off alarm bells,” Feehan says.
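The two link tricks in the tips above, a trusted name buried inside a longer lookalike host and a real destination hidden behind innocent-looking link text, can both be checked mechanically by looking at where each link actually resolves. The script below is an added example, not part of the article and not the College's own tooling. It treats montgomerycollege.edu, the real domain named in the article, as the trusted site; the sample email body and the hosts secure-login.example and weather.example.org are constructed for the demonstration.

```python
"""Flag lookalike hosts and hidden destinations in the links of an HTML email.

Added example, not the College's tooling. The trusted domain comes from the
article; the sample email and the other hosts in it are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "montgomerycollege.edu"  # real site named in the article

# Matches link text that is itself written like a web address, e.g.
# "www.montgomerycollege.edu" or "https://montgomerycollege.edu/login".
HOST_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?$")


def hostname_of(link: str) -> str:
    """Lowercased host a link really points at; bare hosts get a scheme so urlsplit parses them."""
    if "://" not in link:
        link = "http://" + link
    return (urlsplit(link).hostname or "").rstrip(".")


def is_trusted_host(host: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only when `trusted` is the host itself or the host's registrable suffix.

    A plain substring test would accept www.montgomerycollege.edu.college.com,
    where the trusted name is just a prefix of a host registered under college.com.
    """
    host = host.lower()
    return host == trusted or host.endswith("." + trusted)


def classify_link(text: str, href: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Verdict for one anchor: 'ok', 'lookalike', 'hidden-destination' or 'external'."""
    real_host = hostname_of(href)
    if is_trusted_host(real_host, trusted):
        return "ok"
    if trusted in real_host:
        # The trusted name appears inside a host that does not belong to it.
        return "lookalike"
    shown = HOST_LIKE.match(text.strip())
    if shown and is_trusted_host(shown.group(1), trusted):
        # Visible text names the trusted site, but the link goes elsewhere.
        return "hidden-destination"
    return "external"


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from the anchors in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def scan_email(html_body: str, trusted: str = TRUSTED_DOMAIN):
    """Return [(text, href, verdict)] for every anchor in the body."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [(t, h, classify_link(t, h, trusted)) for t, h in collector.links]


# Constructed sample email: one of each kind of link the tips describe.
SAMPLE_EMAIL = """
<p>Your account will be deactivated today.
   <a href="http://www.montgomerycollege.edu.college.com/login">Sign in</a></p>
<p>Or use <a href="https://secure-login.example/mc">www.montgomerycollege.edu</a></p>
<p>Campus portal: <a href="https://www.montgomerycollege.edu/">www.montgomerycollege.edu</a></p>
<p>Weather: <a href="https://weather.example.org/">forecast</a></p>
"""

if __name__ == "__main__":
    for text, href, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:18} {text!r:32} -> {href}")
```

The only links that come back as `ok` are those whose real host is montgomerycollege.edu or a subdomain of it; anything else that merely contains or displays the College's name is flagged, which is the same conclusion the tip reaches by hand: go to the site yourself rather than trusting how the link looks.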

Ultimately Feehan says they just want to keep every user and the College community safe. “We are always looking for ways to improve safety without impacting the College mission. We want to help people do what they need to safely.”