Yearly Cybersecurity Awareness Training
Beginning this year, and in conjunction with Cybersecurity Awareness month in October, there is a new mandatory Cybersecurity Awareness training available in Learning Space. Everyone is required to complete this course by November 1st so that we can provide you with the knowledge, skills, and tools necessary to combat cyber threats that could compromise our district systems and sensitive employee and student information.
Yearly Training Requirement
Each year we will offer a new course during Cybersecurity Awareness month in October and we will notify you when it is time to complete the training. You will have 30 days to complete the course.
You can find this year's course at the link below, or by searching Cybersecurity Essentials in Learning Space.
Protect That Password
Your passwords provide essential protection for your online accounts. By creating longer and more varied passwords, you are making them more secure and difficult to break. DPS has chosen to follow the recommended guidelines for passwords from the National Institute of Standards and Technology (NIST) to help ensure that your password is strong and to safeguard your information against hackers.
- Minimum Password Characteristics: 16 characters in length, an uppercase, a lowercase, a special character, and a number.
- Use a passphrase or short sentence to help you remember your password.
- Do not share your password for any reason.
- Do not use the same password for multiple accounts, including your personal accounts (bank, social media, etc…). If you reuse your password for multiple logins, you are putting your online security in great danger.
- Use a password manager. These programs are designed to make unique passwords for each of your online accounts and store them in an encrypted vault. The best part of using one of these programs is that the only password you need to remember is the one for your password manager.
If you have not updated your DPS password recently, change it now by visiting iforgot.dpsk12.org.
More About Securing Your Password
For more information about how to keep your DPS password secure, please see the following resources:
Tax Season Fraud
Tax season brings a surge in phishing attempts trying to get you to provide your personal information. Scammers will send very convincing communications that impersonate the IRS, your employer, or even tax preparation services.
To protect your paycheck, tax returns, and other personal data, do not provide any sensitive information until you are sure that you are interacting with a legitimate entity, and never provide your usernames and passwords.
To learn more about specific tax season threats, see the IRS.gov page about Tax Scams: https://www.irs.gov/newsroom/tax-scams-consumer-alerts.
Pay attention to the details. There are often discrepancies in the email itself that will give it away as a phishing attempt.
What to watch for:
- If it sounds too good to be true, it probably is
- Real organizations don’t use Gmail, Yahoo, or Hotmail email addresses
- Misshapen company logos
- Generic greetings such as “Dear Customer”
- False sense of urgency, pressuring you to “act immediately”
- Odd lettering changes or suspicious grammar
- Requests to provide personal information such as your username and password or your Social Security number
For a detailed example of items to watch out for, see: Don’t Get Hooked.
Use the Report Phish Button
If you receive a suspicious email that you believe may be attempting to gather your private information, you should report it right away by using the Report Phish button available in your Gmail.
Shop Online Safely
As we enter the holiday season, many people will be looking to find that perfect gift online. Unfortunately, cyber criminals will be active as well, creating many online shopping scams to steal your information or money.
Use a credit card as opposed to a debit card for your purchases. Debit cards take money directly from your bank account. If fraud happens, you may not have the same protections that most credit cards have, which could make it much harder to get your money back. Check your statements often, even weekly, so you have time to notify your credit card provider.
Electronic Payment Services
Electronic payment services such as PayPal, Venmo, or Zelle are a great way to make payments without providing a credit card number or banking information, but they need to be used safely as well. Be sure to set your privacy settings correctly using these services. For example, the default privacy setting for Venmo is to post your transactions to the public. Also be sure to only use Venmo with people you know, especially if you are the seller. In many disputes, Venmo tends to favor the buyer over the seller and you could lose your money and the product being sold.
Use a Password Manager
Protect your online accounts by using a unique and strong password for each of your accounts. Can't remember all your passwords? Consider storing them all in a password manager such as 1Password, LastPass, or Apple Keychain.
Scammers on Legitimate Websites
Beware of scammers on legitimate websites. Many websites such as Amazon, Walmart, or Best Buy allow third-party resellers on their platform. Pay attention to reviews and seller feedback before making your purchase. Remember the adage, “If it sounds too good to be true, it probably is.” Review the online store's policy on purchases from such third parties. Be sure that you understand the seller’s warranty and return policies before you make your purchase.
Fake Online Stores
Criminals often create online stores that mimic real sites and brands. When you search for the best deals, you may find yourself at one of these fake sites. You may end up buying counterfeit or stolen items, or your purchase may never be delivered at all. When possible, purchase from online stores you already know or trust and bookmark these stores. Be suspicious of ads or promotions on search engines or social media feeds. Type the name of the online store or its web address into a search engine to see what others have said about it. Look for terms like "fraud," "scam," "never again," and "fake."
Identify Spam and Phish Messages
The Department of Technology Services (DoTS) is committed to keeping our emails secure from phishing, viruses, malware and spam -- and you can help! It can be difficult to determine if an email message is spam or phishing, and knowing the difference helps you to decide how to report a message. Properly reporting a suspicious email really helps Information Security to identify dangerous messages and act quickly.
What is Spam and Why is it a Threat?
The motive behind sending spam email is to flood the email users on the internet with unsolicited commercial advertising for products that might seem rather suspicious.
A spam email can eventually lead to a phishing attack by convincing you to purchase products, access websites, or forward the message to others. Spam messages constituted 54% of global email traffic in 2020. Spam email remains highly profitable due to the astronomically large number of unsolicited emails sent per day and the fact that the expense of these emails is borne mainly by recipients. The threat actor may only receive 1 reply out of 12,500,000 messages sent, but it is enough to profit due to the high volume of messages.
Report Spam Messages in Gmail
When you self-report spam messages, Gmail is better able to automatically mark similar incoming messages as spam.
Place a check mark next to the spam messages in Gmail by selecting the empty box to the left of the email. You may be able to identify spam without opening the email; however, it is also safe to open the email.
In the menu above your inbox, find the icon that looks like an exclamation point (!) in a Stop sign. Select it to mark the message as spam. You can also select ! (Shift+1) if you have Gmail keyboard shortcuts enabled.
For more information about spam and how to report it in Gmail, please see this tutorial.
What is Phishing and How Do Phishing Scams Work?
91% of all cyberattacks begin with a phishing email. Phishing emails are a scam in which a threat actor masquerades as a reputable individual or organization to gain personal information or to hack a network with malware or viruses.
Phishing emails are not sent in bulk, are usually more personalized, and may seem to have come from sources you know such as your bank or a business like Amazon. These fraudulent emails are sent to gain personal information including your usernames, passwords, credit card details, and more in order to steal your identity.
A phishing email could also be an attempt to hack a network or infect it with malware by having you click on links or download documents. Threat actors are now favoring sophisticated campaigns which target specific individuals who have access to valuable data such as HR or finance employees. These messages are highly targeted, difficult to identify, and are sent on a small scale.
Report Phishing Messages in Gmail
Self-reporting suspicious emails helps Information Security to identify dangerous messages more quickly to keep your information and network safe. The Report Phish Button is in Gmail like it was in Webmail before!
These instructions describe the process for reporting a phishing message with the Report Phish Button.
Forward the Email
If you access DPS email on a Mac or mobile device, or just don’t see the Report Phish Button, you can forward the suspicious email to ReportPhish@dpsk12.org. Delete the message after forwarding it.
I'm Not Sure if it is Spam or Phishing!
It can be difficult to tell the difference. When in doubt, report the email using the Report Phish Button.
For more information about how to recognize a phishing email, please see the following resources:
Cybersecurity Best Practices
Did you receive new tech gadgets this holiday season? To help protect your information and keep your identity safe on all your devices, DoTS reminds team members to follow these cybersecurity best practices:
- Make sure you change the default passwords on these devices.
- Use different passwords for all your online accounts.
- Consider using a password manager to set a different, long password for each website. That way, you only need to remember the password to your password manager.
- Activate two-factor authentication whenever possible. This prevents hackers from accessing your bank accounts or other logins with only a password. Go to the security settings of each of your online accounts and turn on two-factor authentication if available.
New Gadget Security
Did you recently receive a new gadget? The first step to secure it is to change the default administrator password to a unique login.
Disposing of Your Old Device
Did this new device replace an old one? Make sure to perform a factory wipe and reset before disposing of the old device.
Connecting to Your Wireless Network
Ensure that only people YOU trust can connect to your wireless network. Enable strong security such as WPA2 or WPA3 if available. Ensure the password to connect to your network is strong and different from your default admin password.
Enable Two-Factor Authentication
Almost all social media sites have strong privacy options. Enable two-factor authentication for your accounts whenever possible. This adds a one-time code in addition to your password to log into your account. This is one of the most powerful ways to secure your account. You can download One Time Password (OTP) Apps for two-factor authentication such as Duo Mobile, Google Authenticator, or Okta Verify.
Use a Password Manager
Secure your Accounts
Secure each of your online accounts with a different, long passphrase. A passphrase is a password made up of multiple words, making it easy for you to type and remember, but hard for hackers to guess.
Can't Remember all your Passwords?
Consider storing all your different passwords in a password manager such as 1Password, LastPass, or Apple Keychain. That way you only need to remember the password to your password manager but will have different strong passwords for all your online accounts.
Use the 3-2-1 Backup Rule
We all have valuable data we do not want to lose: baby pictures, financial records, our music collection. As the recent Marshal Fire has demonstrated, there are many ways you could lose your most valuable data. Beyond hard disk or other media failures, ransomware continues to spread each year. Hackers are trying hard to lock your data and force you to pay in order to get it back. Protect yourself by following the “3-2-1 Backup Rule” for all the data you do not want to lose. That is three copies of that data, on two different mediums (i.e., devices), and at least one off-site copy. You would not want all your backups destroyed if you were to lose your home to fire, flood, or tornado. Also, to protect yourself from ransomware, keep one of those copies offline. The first thing a hacker will do before locking your data with ransomware is to find and destroy all your backups. If your only backup is online, there is a good chance the ransomware hacker will have destroyed it before locking your system.
COVID-19 and Cybersecurity
Be Cautious of COVID-Related Phishing Themes and Lures
Cyber criminals have adapted to the digital-hybrid world and increased attacks against schools -- attempting to steal personal and financial data with COVID-themed phishing emails. According to the U.S. Inspector General, criminals are using phishing emails offering fake vaccine cards, Medicare products/services, and contact-tracing services.
DoTS is aware of incidents involving staff data being exposed after posting photos of COVID-19 vaccination cards. Never share photos of vaccination cards on social media or in response to any other request you're not sure about. Anything showing your date of birth, health information, or other personally identifiable information can be used to steal your identity.
COVID-19 Cyber Scam Reminders
- Scammers are using calls, texts, social media, and door-to-door visits for COVID-19-related scams.
- Do not respond to or open hyperlinks in text messages about COVID-19 from unknown individuals.
Additional Resources about COVID-19 Cyber Scams
If you are a victim of a scam or attempted fraud involving COVID-19, report it immediately to the DoTS Information Security Team at firstname.lastname@example.org or call 800-HHS-TIPS (800-447-8477). You can also submit a hotline complaint to the U.S. Office of Inspector General here.
Protecting Student Data
According to the Center for Identity, children are 35x more likely than adults to have their identities stolen. Cyber criminals can use this stolen data to open bank accounts, perpetrate identity theft, and commit fraud. The Department of Technology Services (DoTS) is committed to safeguarding student data from cyber criminals and we need your help.
What You Can Do:
Understand Social Engineering
Monitor for phishing scams and social engineering attacks. Never reveal personal information via email, and if you are unsure about the validity of an email, report it.
Secure Your DPS Account
Never use your DPS email address or username and password for personal online accounts such as social media, subscriptions, newsletters, or online shopping.
Secure Important Information
Access only the data you need - and nothing more. Store student data using technology approved by DPS.
Everyone at DPS is responsible for protecting student data. Theft of student data could have a severe adverse impact on the future of our students, along with the DPS mission and reputation.
More About Protecting Student Data
For more information about how to keep student information secure, please see the following resources:
- Student Data Privacy on The Commons
- Federal Student Aid and Identity Theft
- Federal Trade Commission of Consumer Advice for Educators