News

  • Security Tip: Identify Smishing
     
     

    Mobile operators have renewed their warnings to customers about the threat of smishing, a social engineering approach that relies upon texts as opposed to other communication channels like the email used in phishing. The smishing problem may be smaller than the phishing problem, or the robocall nuisance, but it represents a comparable threat that organizations should address in their risk management process. 

    SMS texts can have an immediacy that exceeds that found in other communications. They tend to be quick, terse, and largely devoid of context. Fear of losing access to an account, concern to help someone who appears to be in trouble, all of these are easily prompted by texts and they can induce recipients to suspend, temporarily, their critical faculties. 

    Follow the tips below to help you identify a Smish: 

    • The message has no relevance to you. The message is completely random, unprompted and has no connection to you or any activity you’ve undertaken. The spam text message will say you’ve won a contest, a prize or free money. An increasingly popular text scam is one which says there’s a delivery issue with a package.

    • The message is urgent or needs immediate action from you. The message is urging you to act now. These types of fake text messages could pretend to be your bank or a government agency.

    • The text message contains misspellings or poor grammar. Spam text messages can be identified by poor grammar, misspelled words and awkward use of language. Real text messages from legitimate businesses will use proper grammar, punctuation and spelling.

    • The text message is coming from a strange phone number or suspicious email address. If a text message is coming from a lengthy and/or suspicious-looking email address, it is a spam text message.

    • The text message contains a suspicious link. This is a huge warning sign. If the text message contains a suspicious-looking link, it is a text scam. Do not click on the link or follow prompts from these fake text messages.

  • Security Tip: Featured Phish
     
     

    As part of our Technology Tips series, we will be exploring many cybersecurity threats and tactics in an effort to strengthen our security awareness. Please continue to check The Hub to learn more about how new technology solutions can help you work efficiently, and how to stay safe online. 

    Phishing remains the biggest threat to organizations like ours. Phishing comes in many different forms, and with new tools at hackers’ disposal, it can be difficult to determine what is a phish and what is not. 

    Here is a real phishing email that was delivered to one of our Staff. Let’s break it down to show you what you should be looking for to help identify this as a phish: 

    1. Sender Address. The Sender address is coming from IT Support with a strange email address. This is the biggest indicator since this is not an email address we have seen before. The MacArthur Foundation official support email is: Global Service Desk (globalservicedesk@macfound.org); you will never receive official support emails from an external source. It is important to know our official IT support communication channels. 

    2. Sense of Urgency. The body has a sense of urgency stating you must take action today. Hackers know they have limited time and need you to act fast. They will push you to perform an action, click a link, or reply immediately. One of the best things you can do to avoid a phish is to simply wait. Waiting 48 hours usually is long enough for our internal security tools to gather enough information to proactively block a phishing threat. 

    3. Unfamiliar Actions. The MacArthur Foundation requires passwords to expire after 1 year. We will never send an email asking you to confirm your password. When your password is set to expire, the reminder to update your password will come directly from the Global Service Desk. If you see this request come from anyone other than the Global Service Desk, it may be a phish. 

    4. Suspicious Links. Tech Tip: You can hover your mouse over a link to see the full URL address. When you hover your mouse over a link, you will see "safelinks.protection.outlook.com" (this part prepends all MacArthur URLs) followed by the full URL. Notice that while the email body suggests this is a Microsoft or a MacArthur-related password, the full URL does not mention either and looks very unusual. 
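
    The hover check described in the Suspicious Links tip can also be done in a script. The Python below is an added example, not part of the original tip or any Foundation tooling: it unwraps a "safelinks.protection.outlook.com" link and compares the real destination host with the organizations the email claims to come from. The sample links, the `nam02` prefix and the expected-domain list are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

SAFELINKS_DOMAIN = "safelinks.protection.outlook.com"
# Assumption: the organizations the email body claims the link belongs to.
EXPECTED_DOMAINS = ("macfound.org", "microsoft.com")

# Constructed sample links (not taken from the real phish).
SAMPLE_SUSPICIOUS = ("https://nam02.safelinks.protection.outlook.com/"
                     "?url=https%3A%2F%2Fmacfound.org.password-reset.example"
                     "%2Fconfirm%3Fid%3D1&data=05%7C01&reserved=0")
SAMPLE_GENUINE = ("https://nam02.safelinks.protection.outlook.com/"
                  "?url=https%3A%2F%2Fwww.macfound.org%2Fabout&data=05%7C01&reserved=0")
SAMPLE_FAKE_WRAPPER = ("https://safelinks.protection.outlook.com.lookalike.example/"
                       "?url=https%3A%2F%2Fwww.macfound.org%2F")


def in_domain(host, domains):
    """True only if host is one of the domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def unwrap_safelink(link):
    """Return the destination carried in a Safe Links wrapper, else the link itself."""
    parts = urlsplit(link)
    if in_domain(parts.hostname or "", (SAFELINKS_DOMAIN,)):
        target = parse_qs(parts.query).get("url")
        if target:
            return target[0]  # parse_qs has already percent-decoded the value
    return link


def assess_link(link, expected=EXPECTED_DOMAINS):
    """Report where a link really goes and whether that matches the claimed sender."""
    destination = unwrap_safelink(link)
    host = urlsplit(destination).hostname or ""
    return {
        "wrapped": destination != link,
        "host": host,
        "matches_claim": in_domain(host, expected),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_GENUINE, SAMPLE_FAKE_WRAPPER):
        print(assess_link(sample))
```

    The first sample shows why the whole host name matters: "macfound.org" appears at the start of the host, but the link actually belongs to a different domain.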

     

    The MacArthur Foundation blocks over 500 phishing emails every day. On occasion, some may slip through and be delivered to your inbox. If you identify a phish, or if you suspect an email may be suspicious, report it using the Phish Alert Report button in Outlook. This will help us take proactive action to block future phishing attempts. 

    A very special thanks to many of the MacArthur Foundation staff who were able to identify this very REAL phishing email and report it using the Phish Alert Report button! Because of these Security All-Stars, we are able to proactively block these threats before they become a security threat. 

    Do not forget that the mandatory Cybersecurity Training on SMS text messages and Phishing is due by June 30th. To complete the courses, please log into Workday through Okta and click the “Learning” icon. You can also access this by clicking here, and then “Start Course.” 

    If you have any questions or concerns, please feel free to contact me directly.

  • Technology Tips: Connecting Via LinkedIn QR Codes
     
     

    IT will be providing helpful tips to ensure our colleagues are utilizing features offered by supported Foundation applications and commonly used technologies. Please continue to check The Hub to learn more about how technology solutions can help you work efficiently. 

    To kick off our Technology Tips series, we would like to share an easy way for you to exchange contact information with your colleagues using LinkedIn QR codes on your mobile device. 

     

    Important: Make sure you’ve downloaded the most current version of the LinkedIn mobile app. 

     

    For iOS devices: 

    1. Open the LinkedIn app on your mobile device. 

    2. Tap the QR code in the Search bar at the top of your LinkedIn homepage. 

    3. Tap the My code tab to find your QR code or Scan to scan another person’s QR code. 

    4. You can tap: 

    • Share my code to share your QR code via message, email or other third-party apps. 

    • Save to photos to save a copy of your QR code to your mobile device’s photo gallery. 

     

    For Android Devices: 

    1. Open the LinkedIn app on your mobile device. 

    2. Tap the QR code in the Search bar at the top of your LinkedIn homepage. 

    3. Tap the MY CODE tab to find your QR code or Scan to scan another person’s QR code. 

    4. You can tap SAVE TO GALLERY to save a copy of your QR code to your mobile device’s photo gallery. 

    • Note: The option to share your QR code via message, email or other third-party apps is coming soon on Android mobile devices. 

    Once the LinkedIn member’s QR code has been scanned, you will be redirected to their LinkedIn profile.  

  • External Partners Will Be Required to Enable MFA for Microsoft Tools
     
     

    On April 7th, any partners external to the Foundation who are collaborating with Staff using tools such as Microsoft Teams, OneDrive or SharePoint will be required to enable multi-factor authentication (MFA). This change will help provide additional security for documents and data that are being shared. 

    The first time an external partner logs into a Microsoft collaboration tool after April 7, they will receive instructions to help them enable MFA. They will be required to use an authenticator app such as Okta Verify, Microsoft Authenticator, or Google Authenticator when logging in. This setup process is simple and should only take a few minutes to complete. 

    If external partners require assistance setting up MFA, they can reach out to the Global Service Desk by email at globalservicedesk@macfound.org or by phone at 312-516-1647. 
