By Rob Lowden
Executive Associate Dean and Chief Information Officer
Did you get an urgent email from the Dean to go Phishing?
Hopefully not, but unfortunately bad actors continue to invest substantial time and resources in business email compromise and email account compromise. According to a 2018 FBI report, scams have reached $12.5 billion worldwide. Email fraud attacks impact us all and, in our busy daily lives, have become much more than inconvenient.
In my first three weeks in the inaugural role of executive associate dean/chief information officer, it was no surprise to me that I was quickly called into an email incident involving a malicious attempt to relieve some of you of the substantial burden of that excess cash in your pocket. (No, Dean Hess wasn’t sending emails asking colleagues to buy him gift cards – and thanks to the many people who alerted us to fraudulent messages.)
As is often the case, this phish involved an outside email address trying to masquerade as an official, legitimate communication.
Knowing these three quick steps could protect you, your colleagues and our school.
- Recognize: Verify the sender is who you think it is.
- Rethink: If you can’t verify the sender, do not click at all.
- Report: Suspect it’s a phish? Send the alert.
How might you have known that it truly was not Dean Hess? First, look for a digital signature, which is a unique digital mark that verifies that an email message originated from the signer and that it has not been altered; Dean Hess utilizes a digital signature on all of his devices.
Additionally, you might consider activating external email flagging which helps you stay aware of potential phishing attempts by adding a brief notification to each email message that you receive from non-IU senders. In this case, anyone who received the phish would have been alerted that the message wasn’t from the dean’s IU email.
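For readers who want to see the logic behind these two checks, here is a small Python sketch. It is an added example, not IU's actual mail filtering code. The domain `iu.edu`, the watched display name, the banner text and the function names are assumptions chosen for illustration, and the sample message is constructed.

```python
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"iu.edu"}    # assumption: the organization's mail domain
PROTECTED_NAMES = {"dean hess"}  # assumption: display names worth watching
BANNER = "[EXTERNAL] This message was sent from a non-IU email address."

# Constructed sample: a familiar display name on an outside address.
SAMPLE_PHISH = (
    'From: "Dean Hess" <dean.office@example.com>\n'
    "To: colleague@iu.edu\n"
    "Subject: Urgent request\n"
    "\n"
    "Are you available?\n"
)

def is_external(addr):
    """True unless the address domain is an internal domain or a subdomain of one."""
    domain = addr.rpartition("@")[2].lower()
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)

def is_signed(msg):
    """True if the message claims to carry an S/MIME signature.
    This only detects the signature's presence; validating it is the mail client's job."""
    return msg.get_content_type() in (
        "multipart/signed", "application/pkcs7-mime", "application/x-pkcs7-mime")

def assess(raw):
    """Apply both checks: external sender flagging and digital signature presence."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    external = is_external(addr)
    # A trusted name shown next to an outside address is the pattern in this phish.
    impersonation = external and any(n in display.lower() for n in PROTECTED_NAMES)
    return {
        "from": addr,
        "display": display,
        "external": external,
        "signed": is_signed(msg),
        "impersonation": impersonation,
        "banner": BANNER if external else None,
    }

if __name__ == "__main__":
    print(assess(SAMPLE_PHISH))
```

Note that the domain comparison is exact, so a lookalike such as `iu.edu.example.com` is still treated as external.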
When you suspect a phishing attempt, report it. This can be done in a variety of ways, but the simplest option often involves only one click. The Report Phishing button in your Outlook client quickly and easily enables you to report a phish and sends all of the required information directly to the security office for immediate action. This is especially helpful because phishing scams that are promptly identified can be stopped, and your colleagues can be protected.
In Outlook for Windows, you’ll find the reporting button on the top right of your home tab. For Mac users, you will need to click on the questionable message in Outlook and then launch the Report Phishing application in your Applications folder.
You are not in this alone. Fortunately, there are a variety of tools that can help you avoid the disruptive impact of a phish. You can easily add a digital signature to your emails, flag external emails, update your passphrase and take other steps to keep your IU accounts safe through the IU Security Center.
One of my goals as CIO is to ensure IU School of Medicine stays at the forefront of digital security. But even with IU’s sophisticated security measures, you are still the best defense against phishing emails.
As IU School of Medicine’s inaugural chief information officer, Rob Lowden is responsible for developing and implementing a comprehensive information technology strategy for the largest medical school in the United States. He leads the development and optimization of school-wide information systems, technologies, applications, and services, and oversees strategic IT alignment with partners such as Indiana University Health and the Regenstrief Institute.