Before Lansing Community College created the LCC Connect podcast platform, Dr. Robinson was developed the Teachable Moment. In this return to the very first episode, Dr. Robinson talks with LCC Director of Information Security and The Safety Plan host, Paul Schwartz about phishing scams and how to avoid them.

Podcast: The Safety Plan

Website: LCC Computer Information Technologies

Teachable Moment intro: This is Teachable Moment, the show where you get to know the people that make LCC go. I'm Steve Robinson, president of Lansing Community College, and I go one on one with a member of our campus community to learn about a key concept or idea from their area of expertise. It's a show about what makes LCC great. The fantastic people with inspiring ideas who change lives every day in their incredible work.

My guest today is Paul Schwartz from our IT department. Paul, how are you doing?

Great.

Tell me what your specific role is. What's your job title?

I'm the director of Information Security here at Lansing Community College.

A very important and timely role given what's happening in our world with threats to cybersecurity. So how long have you been here?

I've been here six years.

So you've probably seen a lot when it comes to security issues and threats having to do with computer. What's the biggest, you know, the biggest issue that you see happening on a daily basis?

Yeah, we get a lot of threats and they happen daily. And the biggest threat to you as the President and to employees is phishing.

Okay, phishing. And I think that probably is something what we're going to talk about on this episode. So where did you do your training?

How did you get to be into this field?

Yeah, so let's back up 30 years.

30.

And that's when the Air Force offered me a scholarship to pay for college if I would serve four years in the Air Force. And I did that and it was so much fun, I ended up staying.

Okay, great. Well, thanks for your service. So you served in the Air Force? Tell me a little bit about your time in the Air Force.

So I did a lot of boring jobs, but I did a lot of exciting jobs. And some of those were I worked on the B2 stealth bomber doing software evaluation. I was the head of Air Force ROTC at the University of Minnesota.

And I did an exchange assignment into the British military to a unit that protected the entire military. It's just 300,000 people of security threats. And so, yeah, it was a blast.

And that 20 years I stayed in and it culminated in me earning the rank of Lieutenant Colonel and then being in charge of an 85 person IT department at Dyess Air Force Base down in Texas. And traveling the world and living overseas. I lived in downtown London. I lived in Frankfurt, Germany. I deployed to Afghanistan.

I met my wife, we had two kids. I traveled the world. It was just great.

That's phenomenal. So the exchange in the UK was.

That with RAF or Yeah, it was. Well, their version of the Pentagon, which is called Whitehall. It's in downtown London.

That's where I worked and I oversaw all branches of the military. Any cybersecurity threats and incidents. We did incident response and tried to protect their entire military branch.

That's incredible. So when were you in London?

Okay. I really want to get back to London.

I did one semester of college in London a long time ago in the 80s, and I know that city's changed a ton since I've been there. I lived right in Regent's Park.

Okay. I lived in. Over by the Chelsea Football Club Stadium in Fulton Broadway. It's on the Circle Line and District Line.

But what was also great about living there was my unit ended up moving out to Bath, England, which is about an hour and a half west of England.

It's a very famous resort town.

It is. I had a great experience there living in the country, and then we had the great experience living in downtown London. So it was a great opportunity.

What a cool story. Well, again, thanks for your service in the Air Force.

And it sounds like you learned a lot in the military that you're actually able to put into practice here at LCC. So that's really cool.

Yeah, we're protecting national top secret information in the military. And at LCC, we have some what we consider top secret information. Also.

That's student information, our Social Security numbers, their bank accounts, the credit card numbers. So we actually have a good amount of information we need to protect at LCC also.

Yeah. And a data breach in a public higher ed institution can be a big deal. I mean, you probably remember what happened a few years ago at Michigan State.

I remember as an alum, I got a lot of letters about the data breach there. So we thank you for working to make sure that stuff like that doesn't happen. I appreciate it.

One of my main roles is keeping your picture off the front page of the Lansing State Journal.

I appreciate that very, very much. Well, look, the show is called Teachable Moment, and you're here not just so we can have this great conversation and visit, which is super fun.

But you're gonna teach me something today. So why don't you tell me what is your teachable moment? What am I gonna learn today?

So today you're gon how to identify a Phish email. Okay.

And I think I know when you say Phish, we're not talking fish, we're talking. How do you spell this? Phish.

E, H, I, S. Okay.

Very Good. So tell me about it. How do I do that?

Okay, so phishing, in a broad sense, is a technique that uses malicious emails, phone calls, texts, and social media posts that are disguised as trustworthy or legitimate, but they're not. They're fake.

What they're trying to do is they're trying to fool you into capturing your sensitive information, like your Social Security number, your credit card number, your bank account info, something the criminals can monetize.

Okay.

They're also trying to get you to open up a link or an attachment to infect your computer with malware so they can get a foothold into the network and then capture your info or spread more malware. And finally, they're trying to get you to do something nefarious like, hey, I'm stuck in a meeting. Can you go buy me some gift cards?

Oh, this has happened to me. This has happened to me. So, yeah, keep going. I want to learn more.

Now, here's some classic Phish examples. The IRS emailing you saying you owe them money or your refund is being held up.

Okay.

Another one is Microsoft contacting you that their help desk sees that you have malware on your computer. And finally, like Netflix, Apple, or PayPal emailing you to verify your account. All these situations, they're all fake. These companies don't do this.

These are all criminals trying to. Trying to fool you.

Well, interesting. I want to learn more. First, I will have to give you some feedback on being a good teacher. You started with a definition. That's a great thing.

So if you're listening at home, that definition of what a phishing attack is, is a really important part of your lesson here.

So I'm guessing now you're going to go a little deeper and tell me, you know, how I can spot these things, because everything you said sounds bad, and of course, I would never do that. But these folks can be pretty creative and inventive, right? And they get people like me to bite on these. Phishing. What can I do? Yeah.

So LCC receives 10 million emails each month, but only about 300,000 of those are legitimate. So 99% of our emails, roughly, are not. They're spam. They're phish. They're malware emails.

And what LCC has done is we have a sophisticated email filter that uses artificial intelligence that looks at all the factors of the email, such as the sender and their reputation and the content and the links and so forth, and it filters out those to only provide the users legitimate emails. But some of those fake emails, they do get through the system before it can catch up and recognize through its systems that it's a fake email.

So let me make sure I understand. Did I hear you right? 10 Million emails?

10 Million emails.

We average on what time period?

Just for employees? In one month.

No way. And so of those you said about 300,000 have some kind of malicious.

300,000 Are the legitimate ones.

Oh, the legitimate one.

And the rest of 9.7 of them are fake. Malicious spam, you know, not good emails.

That seems like the odds are against us. Right? Just a small portion of those 10 million emails are legit communications. And the rest of it is some kind of mess or attempt to trick us.

Exactly. And they're targeting you as the president for four reasons. The first is your information, such as your name, your position, your.

And your contact info. It's readily available on the Internet. You're pretty famous.

Well, conspicuous is what I would say. I don't know if I'm famous.

The second is your influence. You are considered the quarterback of LCC. You're at the top of the chain of command.

A military term or the supervisory ladder sending you a fish and compromising you. Criminals know that you have a lot of influence on others. The third reason. You're very busy. I assume you're very busy.

Well, it's why I was late today, Paul, and I apologize.

You're probably under pressure. You're jugg time, critical tasks. And you're probably suffering from what psychologists call an attentional bias.

And this may cause you to underestimate the threat of phishing. And the fourth reason is your level of access. You're probably the approval authority of, say, wire transfers.

And you probably have access to a lot of confidential information. So these are the four reasons that phishers are going to target you.

Interesting. And when you come back to that whole gift card thing, which if we talk about that, unfortunately, I lived through that a little bit.

The other thing I would imagine is that people who get a communication from me are more likely to jump without thinking when the president asks them to do something. Right?

Yep. Yep. We're going to jump. How high? We're not going to question whether to jump.

Well, on these things. If you're listening and you work at LCC, I would never ask you to go anywhere and buy anything on short notice.

We have very specific checks and balances for that. So if you ever get an email from me asking you to buy gift cards, it's not real.

Okay, so let's talk about phishing.

Yeah, let's do it first.

It's okay to open and read emails, but once you open the attachment or the link, or you enable the macro in that attachment, or you enable editing or the content, or you download the pictures or display the images, or let's say you enter a password that's in the same email as the attachment, or if you provide your credentials to a website, any of these things are bad and could compromise your computer or give up your credentials.

So let me make sure I understand one of these malicious emails. I can't do anything bad by just opening it up.

Just click on it, open it up, that's okay.

But I should stop there, right?

Yeah. Okay. And what you're doing when you stop right there, you're taking the time to identify the fish red flags.

And these are going to determine whether the email is legitimate.

And the number one reason by far that I get from people that have been phished, they said I was in a rush, I didn't take the time to look at the email. Okay, so what I'm going to do is give you the seven phish red flags.

I love it. Seven things I'm seeing if I can remember them.

Here we go.

Number one, what you need to do is match the display name, which is in the from field of the email, with the sender's email address and the sender's signature block. And you're going to look for consistency there.

Often someone will put a fake LCC in the display name, but the email is like to some free Gmail or Hotmail account. LCC emails only come from LCCedu.

Okay. So making sure that the name matches the actual address.

Yep.

Okay.

And you're going to be suspicious if they don't have any contact information in the email or a signature block. And this is kind of tough to do on a phone. This technique because it won't display the entire display name or the email address.

Criminals have figured out if they make a super long email address, it won't display right on a phone and you won't be able to tell who it's from.

Interesting.

All right. And you could also compare the email to previous emails sent from the same sender to see if that email is consistent.

Okay.

And here's the surprise. This can all be spoofed. Criminals can put whatever they want in that display name. They can put whatever they want in that email address.

They can put whatever they want in that signature block. So you gotta take this with a grain of salt.

Okay.

All right, here's the second phish red flag. You need to look at the link or attachment. These are often in Phish emails.

Once you open this linker attachment, it could lead to a malware infection. So with links, you need to hover over the link. And what this does is a little box will show the true website address.

And does it look familiar and are you able to identify the root domain of that to go where you want the website to go to? So criminals can change just one small thing and it's not going to go to the same website you're expecting.

Got it. Okay.

Now with attachments, you're going to want to scan those at a website like virustotal.com or hybridanalysis.com and what these websites do, they use 60 different antivirus products to review the website or the attachment and tell you whether. Whether it's safe to open.

Okay.

All right, the third one.

Yes.

Third fish, red flag. We're going to look for the language, the grammar, the locals, and the formatting of the email.

Now these might sound off like it's not coming from a native English speaker. Or how about this?

Professional organizations like Walmart and Netflix and Apple, they won't ask you for your login info or your credit card number, your Social Security number and emails. And they have very professional looking emails with logos and formattings. And again, all these can be spoofed.

We've received emails at LCC that have been exact replicas of our emails, our email quarantine notification emails, the same colors, the same blocks. Okay, all right, here we go. The fourth fish, red flag. The sender doesn't seem to know you.

And so is the email addressed to Dr. Steve Robinson or does it say Dear customer? And so this is a spray and pray type of technique that criminals use.

They're just hoping somebody's so busy or not paying enough attention that they might get lucky.

Exactly. All right, we're going to go on to the fish. Red flag number five.

Number five.

The content is bizarre, unbelievable, or too good to be true.

You say that like it doesn't apply to some of our regular emails. No, I'm kidding. I'm teasing. I'm teasing. Okay, so it's really out there or too good to be true. Like you won something large?

Financial rewards for little investment, a prize, award confirmations? You also have to look at in context.

As a president, do you deal with resumes and invoices and documents that don't have anything to do with your position? Why are you receiving this email? That's just.

I got one like that on Instagram or Somebody who. It was the real name of somebody who won the lottery. And he was like, hey, I'm being nice and I'm going to give you. Are you ready for your winnings?

I'm going to give you my winnings. And your colleagues across the country have taught me, yeah, this guy who won the lottery doesn't want to give me any money. Block, block.

Perfect. All right, fish, red flag, number six. Number six, urgency wording. Criminals want you to act quickly without thinking. Okay?

So you're going to have claims that you're going to get an arrest warrant or have a virus infection or your account's been hacked, or you'll pay a fine or lost access, or you'll lose some critical benefit like your insurance policy is expiring or a limited discount on something. Deal. What they're trying to get you is to act without thinking.

And you might even see a image, like a Click here now button with an embedded link behind it that'll send you off to a bad website.

So what I hear you saying there with urgency is they're trying to short circuit all the previous red flags that you meant. So, like, you have to act now if you're going to get this big. And that's something that I've tried to discipline myself online and in life.

If somebody says, you know, we need this done in two weeks, and then say, okay, well, if that's the time frame, fine, but I'm not going to skimp on the, you know, the background research. We'd have to. We have to make sure that this is real. So cool. So that's number six.

Number seven, Fish, red flag. Were you expecting the email? If not, then be suspicious. Treat all emails as if they are malicious. So.

But what we've also seen recently is that the criminals are now compromising a person's account and then replying to all the emails in the inbox. Now, when you receive those, you're like, yeah, I was expecting an email from President Robinson. Him and I were just talking.

And so you've let down your guard and, oh, it says, I need to review a document. I better open that link. But you need to check the address. You need to look for all the red flags, even with someone you know.

This also reminds me of a tip I missed earlier, and that is when you look at a link, it might be a shortened link.

Okay, Like a tiny URL, Right? Yeah.

Twitter, there's the T Co, but there's also Bit Ly and Owley and all the others. There are URL lengthener Websites like checkshort. Com, or you can lengthen those and look at the true address of where those are going.

Oh, that's. I didn't know about that. So if I get like, I often use tinyurl and I don't know if they earn any money. I hope not. It's the first one I learned about.

So if I've got a super long URL, I'll put it into tinyurl to make it small. But what you're saying is there's a site where someone can take that and. And find out what it really is before they click on it. What is that again?

That is a check. You are. I'm sorry, check ShortURL.com.

Check ShortURL.com. You just gave me a new tool. I'm gonna use that.

Yeah, if you Google URL Lengthener, there'll be 1,000 sites, but that's the one I recommend.

All right, good.

And so what criminals are still trying to do is they're trying to fool you. They don't want you to know where that link is going. And it's probably going to a website that has malware or asks you for credentials.

And one thing users need to realize is that just by going to the website is all you need to do. There's no button you need to hit that says install malware or execute or I approve or anything.

Just by going to some of these bad websites, it automatically downloads malware on your machine and you don't even know it.

So, first of all, those are seven amazing tips, and thank you for them. I've got a couple of questions. Let me tell you something I do now that I think is informed by your strategy.

Like anyone in digital life, I have all kinds of subscriptions and accounts with just about everything.

When I get an email telling me to do something from my bank or my credit card or, you know, a service like Netflix or something, what I've tried to do is I actually leave my email client, go to the website and start fresh. I mean, if.

If FedEx wants me to look at my account, I'll go and I'll go fedex.com and I'll log in separately so that that email and what I'm doing doesn't touch. Is that good?

That is perfect. That's actually a step here in how to respond to these Phish emails. Now, let me give you all the steps.

Okay?

The first one is call the sender, ask them if the email is legitimate.

Okay.

You can also report the Phish to the LCC. Help Desk and my team will review it and give you back a legitimacy rating.

So we can do that. If we get one of these and it seems suspicious, we should forward it to you and say, is this real?

That is right. And we respond really quickly and we'll let you know whether it's safe or not.

Okay, so for the LCC folks listening, what's the email address?

We sent it to the help desk, which is LCC1CC.

EDU LCC1. That's the help. Okay, great.

Now, if you receive a Phish email in your personal account, it has nothing to do with work. You can also report it as Phish and in Gmail and also in Outlook. You'll see the buttons at the top.

And then remember, don't give your Social Security number or credit card number or personal info to anyone that is initiating the communication with you, such as calling you or emailing you. You don't know if they are legit or not. So I always recommend that you initiate the conversation.

You initiate the communication, such like you said you went to your browser, you went to your bookmark, or you googled the walmart.com went to the site that way.

Now, if you've fallen for a Phish email and offered up your credentials or infected your machine, what I need you to do is change your password immediately, conduct an antivirus scan, and then report that incident into the help desk.

Okay, so once if we do. Because it's inevitable, right? Even smart people who are critical thinkers will fall for these every once in a while.

My head is still spinning about the numbers he gave me about our monthly emails. 10 Million, but only 300,000 are legit. Yeah. That's incredible to me. Well, what else can we do? I would love for you to.

You've got a platform to tell all kinds of users how to be safe. What else would you tell our listeners?

So with phishing, you've received the seven golden red flag rules. They're good. You are now licensed to open up.

Your email and to read my anti phishing license.

You are trained as a phish identifier. So beyond that, what I need users to do is remember that email is not encrypted.

So it's the equivalent of writing information on a postcard and mailing it. So when you go to send emails, keep all your credit card numbers and all your Social Security numbers out of those.

That's a good analog. So what I hear you saying is an email is just like a postcard where anybody who is delivering it from one place to another can read it. Right.

And if I remember from the early days of the Internet, does email still work like this? It just gets copied, copied, copied over and over from point to point. Right?

Yeah, sure. It's passed along several nodes in its path.

And if each one of those has a nefarious person with a sniffer, they can read any of the email traffic, anything you say in there, and they can capture that and use it against you.

Well, I appreciate that. So while you were talking, Paul, one thought I had, and I wonder if you agree with me.

All of those seven steps, they just reminded me of critical thinking, you know, not just online, but, you know, with everything.

You could almost take all seven of those steps and apply it to what you see on the TV news or what somebody tells you in a conversation that don't accept what you hear automatically. It's true. Put it through kind of an algorithm of fact checking.

That's exactly true. Right. It would help you from falling for fake scams, all types of criminal activities.

Well, this has been fantastic and I really want to thank you for being the first guest on Teachable Moment. I feel like I learned something. I certainly have some data I can share. If this comes up again, I'm going to remember those numbers.

10 Million emails and only 300,000 are legit. And that means that the tools that we're using to skim off the bad ones must work pretty well.

Yeah. The email filter that we belong to uses threat intelligence from 120,000 different organizations.

We're all tied together and we're all talking to each other and we're telling each other, hey, this sender is now sending fake emails, so it tries to block it for anyone else in the network.

Wow. Well, I know your job used to be keeping the free world safe, but thank you for keeping LCC safe from cyber threats and phishing emails.

Paul, it's been great talking to you. Thanks for being on Teachable Moment.

Thanks a lot.

Teachable Moment Outro: Teachable Moment is recorded and engineered by Steve Robinson in the Michigan Room at LCC's downtown campus and produced virtually by Brock Elsesser in the Digital Media, Audio and Cinema program at Lansing Community College. The soundtrack is licensed through DeWolfe Music. Want more Teachable Moment? Be sure to tune in to future episodes and if you have an idea you'd like to discuss with me on the show, send me an email at steve.robinson@lcc.edu. Until next time, keep learning. This has been LCC DMACC: Lansing Community College Digital Media, Audio and Cinema.