Good afternoon staff,

 

Please make every effort to go over this email, as security is important for everyone!


I'm resuming our series A Byte’s Life after a 2-year break... Our article today is: What is a spoofed email?

Feel free to grab your favorite snack to take a break from a hard morning’s work and enjoy the following article!

 

Although some may think that teacher data is not as crucial to protect because it’s all school work that typically nobody would be interested in, I disagree. Our goal as faculty members is not only to protect our school work data; we also need to work together to protect the privacy of our students and the integrity of our devices and accounts. When these resources are compromised or lost, it can cost the school money. Even if we store only lectures and student work, a compromised email address, web browser, or computer can carry malware that communicates back to bad actors, helping them find their way into our entire school and get hold of financial information, which can affect your paycheck!

Again, we can be the portal for bad actors to find the people or places with important information and exploit those. Our Student Information System (SIS) can become compromised, giving bad actors access to students' personally identifiable data, including parent email addresses, which can then also be targeted, spreading the joy of malicious code. If nothing else, your computer could become infected and you may end up losing account usernames and passwords, and other private data you access on your school computer/device. That also adds repair time for the technician (me) who needs to remediate the security risk, and downtime for you as a faculty member because your computer will need to be rebuilt, etc.

I personally don’t take security lightly, and the last thing I’d like to do is foster a relaxed non-security-aware atmosphere. Hence, the articles I will continue to share periodically.


Email spoofing typically happens when a bad actor finds people's contact information and uses it as a front to cause harm.

I am literally pasting an excerpt of the SANS article found here, but condensing some of the information to avoid having you read the article in its entirety. However, if you would like to read the entire article, feel free as well! (P.S.: you’ll get a golden star for reading the entire article!)

 

“In the classic CEO Fraud scenario, a criminal either hacks or spoofs an executive's email account. The criminal then masquerades as the executive and sends a request to an employee who handles payment transfers and requests a wire transfer. This is where social engineering comes into play.

The message is often sent with a sense of urgency, or possibly while the executive is traveling or at the end of the work week. The criminals play on human emotions knowing that no employee wants to disappoint his boss and everybody wants to get the work week wrapped up successfully. All too often, the employee believes it is the executive sending the message, and executes the transfer.”

From reading some of the spoofed emails we’ve had in the past, the messages we are getting don’t necessarily ask us to transfer any money. However, we are asked to reply to that person stating whether we’re available or not. Simply opening or responding to an email could compromise our devices.

Again, in school scenarios our Principal is most likely to be spoofed, but that is not always the case.


What to do?

When in doubt, first ask yourself whether you have requested information from that specific person. Second, if the answer is no, do not open the message; please email the person separately to see whether they reached out to you in the first place. Please do not reply to the questionable email. If you’d like to verify the validity of the email, please send me a tech request via the techhelp@carondelet-mpls.org email, but do not forward the email.

Protect yourself and others by:

  1. Not sending usernames and passwords via email, not even students' account information, please!
  2. Not sending banking information via email either; please call the entities involved in a banking situation and work with them, or consider handling these matters preferably in person.

Although you have a password for your email account, email is not safe and it's not encrypted, so any bad actor who knows how to get your data will, even without your help, thanks to spoofing. Later in the year we will require everyone to use Two-Factor Authentication for email, so please stay tuned!


As mentioned before, if you need to change an account’s password, it is strongly recommended to go straight to the vendor’s site rather than clicking an embedded link in an email, especially if we did not request the account change.


Now more than before, we need to make sure we’re keeping our systems secure, not just for us but for the families we support!




First created 5-6-23, last edited on 10-18-23 by Nely Durán