Keeping Information Security Simple – “They Keep Raising the Bar”

Letter from the CISO, Vol 3 Issue 5 

Washington University Community: 

It doesn’t seem fair… 

Last month I wrote about how the “right phish at the wrong time can catch anyone.” And this month, despite the fact it is Cybersecurity Awareness Month, we’ve had to deal with a wide range of innovative attacks against us that circumvent our usual defenses. At first, I thought it was just us, but a new report indicates that phishing attacks increased by 173% in the third quarter, and malware threats increased 110%. 

This means that we all need to double down on being vigilant, skeptical, and a little paranoid

Vigilance asks us to pay attention to the risks we face.  

This means reading at least some of the articles in our SECURED! newsletter, as well as the “InfoSec Alert” Special Bulletins we send when there is a particularly acute risk. 

This means talking with your friends and colleagues about what you learn, so everyone can benefit from your knowledge. Also, keep in mind that teaching something is one of the best ways to make sure it is learned well. 

Skeptical means being on the alert to suspicious messages and approaches. For example, over the last few weeks we’ve had a number of people enter their WUSTL Key username and password into a Google Form. Some of these forms were mocked up to look sort of like the usual WUSTL Key login windows, but they were also clearly very different from the usual WUSTL Key login prompts. 

And some didn’t look at all like WUSTL Key logins. 

Paranoid is something I had to ask people to be, but attackers don’t care if you are paranoid or not. “Better safe than sorry” is a good rule of thumb, so worrying a little more than you really need to is advised. 

In many of the phishing attacks this month, the message includes specific instructions on how to help the attackers avoid our defenses. 

For example, in one they asked people to scan a QR code image within the message to reset their passwords. This got around our defenses in multiple ways, most notably the SafeLink feature in our email system. SafeLink automatically assesses links for safety and allows us to block malicious links. Scanning a QR code is unfortunately one of those things we’ve become accustomed to over the past few years, for example, to get menus at restaurants. 

What failed to trigger everyone’s “spidey sense” (paranoia) is that there is no need to give you a QR code in an email or other electronic message. The sender can just give you the URL directly, which we can then make safe for you. 

In other recent attacks, users are asked to send a text message instead of replying via email, or simply sent a text message directly. In all cases, it is probably better to report the message as possible phishing. For email sent to your address, please report suspected phishing messages via the Phish Report Button in Outlook

For suspicious text messages, most cell phones now have a “report abuse” or “report suspicious message” link that makes this easy. Here are guides on how to report text messages: Report a text on Android, Report a text on iPhone or Forward it to 7726 (SPAM)

For suspicious social media messages, there are also ways to report abuse or inappropriate use of the messaging system. 

Better late than never 

If you are worried that you may have already fallen for a phishing message, please contact the Office of Information Security for help at

Last week one of our faculty members responded quickly to an indication that something might be wrong after it had already happened, and we were able to quickly limit the resulting harm and damage. 

Thank you for reading and for being members of the university’s Information Security team! 

Good luck, and be careful out there! 

-Chris Shull, CISO