Bee Cyber Fit: Simplifying Cybersecurity for Everyone

3 Ways to Use Mindfulness to "Click with Caution" and Combat Cybercrime

November 02, 2023 Wendy Battles/James Tucciarone Season 3 Episode 2

It can feel like a losing battle - cybercriminals constantly up their online tricks to convince us to give away confidential information.

Don't be fooled by their fake emails, text messages, and phone calls.

Join your hosts, James and Wendy, for an engaging conversation about how the Yale community can up their cyber know-how and keep our campus community safe.

Here's a preview of what you'll hear in this episode:

▶️ Why mindfulness is a powerful strategy to combat phishing attempts

▶️ How Yale's Click with Caution - Recognize, Relax, Rethink campaign provides a simple and effective approach to outsmart online thieves

▶️ An eye-opening story about the impact of clicking on a malicious link. Learn about what happened at Baruch College when someone unknowingly loaded malware on their system a few months ago. Hint: it's bigger than you may imagine

▶️ Our Buzzword of the Day - Social Engineering

Listen and apply these techniques at Yale (and beyond) to stay safe online.

*******
Calls to Action:

Ready to join us and build your cyber muscles? 

Here are three simple actions you can take:

  1. Register for one of our November cybersecurity awareness events.
  2. Test your knowledge – complete our self-paced Kahoot and see how much you know about Clicking with Caution.
  3. Review our Click with Caution page for more insights and tips to stay safe online. 

Learn more about Yale Cybersecurity Awareness at cybersecurity.yale.edu/awareness

Never miss an episode! Sign up to receive Bee Cyber Fit podcast alerts.

[intro]

Wendy Battles: Welcome to the Bee Cyber Fit Podcast, where we're simplifying cybersecurity for everyone, where we cut through confusing cyber speak and make cybersecurity simple and easy to digest. I'm one of your hosts, Wendy Battles.

James Tucciarone: I'm James Tucciarone. Together, we're part of Yale University's information security, policy, and awareness team. Our department works behind the scenes to support Yale's mission of teaching, learning, and scholarly research.

Wendy Battles: Ready to get cyber fit with us?

Hey, everyone. Welcome to another episode of the Bee Cyber Fit podcast. We're excited you're here and hope you are ready to get cyber fit with us. If you're a new listener, welcome aboard. This is the place to come for information and inspiration to stay safe online and outsmart cybercriminals. This podcast is one of the many tools in our toolkit that we use at Yale University to help our faculty, staff, and students build their cyber muscles. James, October was super busy with Cybersecurity Awareness Month. We hosted some great events and created multiple opportunities for our Yale community to be a Yale cyber hero. It was fun. What was the highlight for you?

James Tucciarone: Well, I'd have to say I really appreciated the events that we participated in that were hosted by other organizations, in particular the National Cybersecurity Alliance, which co-sponsors Cybersecurity Awareness Month. It was great to be able to offer the Yale community events from a broader perspective and also to have an opportunity for folks to compare their thoughts with those of people from other organizations. It was also really nice to sit back and be a participant for a change. 

Wendy Battles: Oh, my gosh, it totally was. I loved it. I also loved our Kahoot. If you haven't heard of or played Kahoot, it's a fun learning tool where you compete against fellow colleagues or students in a friendly competition. We shared all kinds of questions to build cyber know-how, and we also threw in some superhero questions that actually, James, really stumped me. So great job putting those together. 

James Tucciarone: Our Kahoots last month were really great, especially because they were so interactive and our community had a lot to say and a lot to share. And that's what's best when people are so eager to share their cyber knowledge and their experiences with each other. 

Wendy Battles: Totally. It makes such a difference when we have this collaborative environment and people in the community are learning from each other. I'm excited for today's episode because we're talking about our current cybersecurity awareness campaign, Click with Caution: Recognize, Relax, Rethink. We're talking about the power of mindfulness to help us make better decisions when it comes to people trying to trick us. But before we get started, let's find out about our buzzword of the day and our campaign theme, social engineering.

[music]

James Tucciarone: Have you ever received an unusual or unexpected email or message? Or has a stranger ever sent you a friend request on social media? Or have you ever received news about an offer or giveaway that seemed too good to be true? These are all common red flags of social engineering. Stay tuned to find out more about what social engineering is, how to spot it, and how to avoid falling victim to a social engineering scam.

All right, Wendy, let's chat about our Click with Caution campaign and why it's so important. In recent months at Yale, we've seen an uptick in phishing messages, the type of phishing messages that can be so realistic, they've even fooled some in our community into clicking on links. And in some cases, clicking on these links has unintentionally given cybercriminals access to Yale systems. We definitely want to avoid that. And so, our campaign focuses on the idea of being mindful to be cybersafe. And in our last episode, you might remember, I alluded to our three key ideas of being more mindful: recognizing, relaxing, and rethinking.

Wendy Battles: James, mindfulness is such an interesting concept, and I like how we're associating it with clicking with caution, because we are often too quick to click, and that's exactly what we're trying to steer clear of. And truth be told, it can happen to any of us in this distracted, multitasking world in which we live. 

James Tucciarone: And that's where our recognize, relax, rethink model comes in. These three behaviors make up our foundation of being mindful, and ultimately, being mindful is really all that it takes. So, let's jump in and start with the first R, recognize. And not to pat ourselves on the back, Wendy, but this is where Yale's cybersecurity awareness program can really be helpful. Knowing about the tactics that cybercriminals use to trick us is critical in being able to identify social engineering. Phishing and the emotional hook are two pieces we often discuss. But cybercriminals are smart, and their tactics continue to evolve, and that makes it so important that we continue to be in the know.

Wendy Battles: Absolutely. Recognizing is such an important first step, which leads us to the second one, which is to relax. Have you ever noticed that you can make better decisions when you're more relaxed? That you're less likely to make decisions under duress? When we slow down and pause, we're often able to make those better decisions, like, “Should I click on the link in the email in front of me that seems a little weird?” When we slow down and we're more mindful, we can tune into that gut feeling that usually steers us in the right direction, our Spidey sense, so to speak. And I'll just say that mindfulness, James, can manifest as pausing for a moment, doing some deep breathing, getting up and stepping away from your desk, walking around for a minute or two. Those are all ways we can be more mindful, take that pause, and then consider that next R.

James Tucciarone: That's right. And we say it all the time. It's best to go with our gut whenever something seems off or suspicious. So, finally, let's talk about the last R, rethink. So now we've recognized something doesn't seem right, we've taken a moment to relax and pause before we take any action, and our final behavior is about rethinking the best way to react. Maybe responding directly isn't the best approach, and if we felt something was off, it probably isn't. Maybe we should consider reporting the message, reaching out directly to the person who appears to have sent it, or asking our leaders or experts for help. This is such an important behavior because how we respond ultimately determines whether the cybercriminal's attack will be successful.

Wendy Battles: I really like what you just said, because in rethinking, I heard you say that we have many different options, not just one, but there are many things we can do other than clicking on that link. There are people we can go to, we can ask for help, many ways for us to figure out if something is legitimate or not. James, these three components, recognize, relax, rethink, truly do work together to help keep us safe online.

James Tucciarone: They sure do. So now, that we've talked about how we can be mindful to avoid social engineering, let's share a story about what can happen if we do fall victim to a social engineering scam. And Wendy, I think you've got one to share with us today. 

Wendy Battles: I do, James. And this might feel a little bit like I could see how that might happen here, but hopefully, it won't because we're doing the things we need to do to prevent it. But it happened on a university campus. It was Baruch College in New York City, and the impact of clicking on a link had far-ranging ramifications. In this case, this incident was initiated by a malware attack. So, someone clicked on a link in an email that loaded malware onto their computer, which ultimately caused a campus-wide system outage. And, if you can imagine this, James, Baruch had to disconnect from the Internet. So right there, let's just imagine if something like that happened here. We are so dependent on the Internet and have connections to things for so much of the work that we do.

So, all of a sudden, not being able to do those things that we're expecting to, that's disruptive. It was intensified by the fact it was the start of the academic year. People were just getting back to campus, and all of a sudden, we had this major disruption. As a result of that, they had to remote classes via Zoom. So, thoughts back to the pandemic and the campus was closed to nonessential faculty and staff. So, imagine we just get there and now they're telling us we can't be on campus to teach in person and do the things we do on campus as staff. That's disruptive. Then, to make it even worse, they had to extend their remote learning for the better part of a week. So, imagine now there's a lot of communication going back and forth. Not everyone is getting the same messages or interpreting them. There is some confusion. People are concerned. It's not the best situation. Ultimately, they began to bring people back with a phased approach, but it took them quite some time to resolve everything.

James Tucciarone: This story definitely hits close to home and one of the most striking things for me is the length of time that the community's operations were affected. According to The Ticker, which is Baruch student news, after two weeks, even though substantial progress had been made in restoring the network, they were still working on restoring some department devices. And it really reinforces the question, would you rather take the time for due diligence or risk losing access to your critical services and infrastructure for an unforeseen amount of time? 

Wendy Battles: This is a telling story, James, about what could happen and certainly what we're working to try to prevent at Yale University, but it gets us thinking about our actions and how any one of us inadvertently could take an action. Not that it would ever be necessarily that big, but that could have other ramifications. So, clicking with caution, that idea of recognizing the issues as best we can, relaxing and taking a pause in a mindful way to consider things, and then rethinking what the approach might be, could potentially prevent something like this. And this is why we do these campaigns. And now let's hear more about that buzzword of the day, James, that you teed up before, social engineering.

[music]

James Tucciarone: Here's the buzz on the manipulative tactic known as social engineering. Instead of relying on technical tactics, social engineering is based on the science of human motivation. These tactics use psychological manipulation with the intent of tricking people into some sort of action. While we would normally think twice about things like sharing sensitive information, downloading questionable software, visiting unfamiliar websites, or even sending money or gift cards, social engineering is designed to make us behave against our better judgment. And it's because of the effectiveness of social engineering that cybercriminals rely on it for an estimated 98% of cyberattacks. Since there are many different approaches social engineering can take, let's break a few down. Hopefully some we're probably already familiar with, as well as some other common types. Phishing and business email compromise, also known as BEC, use emails that appear to come from a legitimate source. 

With BEC, this is typically someone in a leadership role. Vishing and smishing are similar to phishing but take place over voice calls and text messages respectively. With spear phishing, bad actors conduct research on and then target specific individuals. Angler phishing takes place over social media, with cybercriminals masquerading as trusted brands and companies. Baiting is a common technique intending to excite and lure a victim with prizes, free offers, and even physical things like USB drives. Now that we know more about social engineering and some of the techniques used by bad actors, let's review a few common red flags that could indicate a social engineering tactic. Social engineering attacks frequently include at least one of the signs described in our FUDGE model: fear, urgency, the desire to please, greed, and emotions.

Most of us have likely encountered the common tactic of a simple email with suspicious links or attachments. On social media, we might get a connection request from someone we don't know, a duplicate request from someone we're already connected with, or even unsolicited direct messages. Let's wrap things up by covering a few things we can do to help avoid falling victim to social engineering scams, and we may already be doing some or maybe even all of them. Don't click links or open attachments in messages from unknown senders. Use strong passwords and passphrases and add multifactor authentication wherever possible. Back up your data and review your security settings regularly. Finally, avoid publicly sharing personal information on social media. And don't forget to keep listening to the Bee Cyber Fit podcast, where we're simplifying cybersecurity and helping you to be aware, to be prepared, and to be cyber fit. 

Wendy Battles: We've talked about a lot of different things in this action-packed episode. About our current campaign, Click with Caution, Recognize. Relax. Rethink. We talked about this story at Baruch College that is eye-opening about what we really hope to prevent. It's time for some calls to action and there are three ways we encourage you to get involved. This month in November, we are hosting a series of events in support of our current campaign, and we invite you to attend one or more of those things. You will find the link in the show notes to get all the details about what we have going on this month. Two, we invite you to test your knowledge and complete our self-paced Kahoot. We mentioned Kahoot at the beginning of the episode. It's this very cool tool where you can compete against your colleagues, but there also is a self-paced version. So, at your leisure, you can try this out for yourself and figure out how much you know about Clicking with Caution. And finally, we invite you to review our Click with Caution page. We have all kinds of resources and information to help you stay safe online and protect your data and systems. 

James Tucciarone: We sure do, and our events are really exciting and interesting this month as well, and hopefully you'll be able to join us.

[music]

For now, that's our show. So, until next time, I'm here with Wendy Battles. And I'm James Tucciarone. We'd like to thank everyone who helped make this podcast possible. We'd like to thank Yale University, where this podcast is produced and recorded.

Wendy Battles: Thank you all for listening. We truly appreciate it. And remember, it only takes simple steps to Bee Cyber Fit.

[Transcript provided by SpeechDocs Podcast Transcription]
