Phishing Email Training

Assessment

Presentation

Professional Development

University

Practice Problem

Easy

Created by

Megan Hull-Burg


62 Slides • 20 Questions

1

Phishing Emails

Donegal School District


2

Objectives

This unit is designed to help you achieve the following objectives:

  1. Identify schools in Pennsylvania that have experienced a cyber incident.
  2. Recall the importance of identifying phishing emails.
  3. Identify the key differences between legitimate and phishing emails.
  4. Explain the difference between reporting and deleting phishing emails.
  5. Explain the steps of how to report a phishing email.

3

Prior Knowledge

To complete this training, you will need to be familiar with the following:

  1. Your district provided device (Windows laptop or Chromebook).
  2. How to navigate through this training.
  3. How to access your district provided email account.
  4. Determine if you prefer the web or desktop version of Microsoft Outlook.
  • The web version is accessed through the portal.
  • The desktop client is an application accessible from your start menu.

Desktop Client application access

Web version access

4


Overview – Goal #1

Identify local school districts that have been involved in a cyber incident.

Access prior knowledge

(Answer this question before continuing)

Are you familiar with any school districts that have faced a cyber incident?

5

Open Ended

Question image

Are you familiar with any school districts that have faced a cyber incident? If yes, please provide details below.

6

Review the following terms

The next four slides contain four important terms; read the definitions and examples.

After these slides, you will be asked to categorize content by each of the terms.

7

Personally Identifiable Information (PII)

Definition: “Information that can be used to distinguish or trace an individual’s identity—such as name, social security number, biometric data records—either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).” (Romine, 2022)

Example: Full name, home address, work and personal phone numbers, social security number, health records, academic records, medical records, behavioral records.

8

Phishing Email

Definition: “A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.” (Nieles et al., 2017)

Example: Electronic messages that prompt the reader to provide Personally Identifiable Information (PII) in one way or another, or attempt to get the reader to download a file containing malware.

9

Ransomware

Definition: “Ransomware is a type of malware which prevents you from accessing your device and the data stored on it, usually by encrypting your files. A criminal group will then demand a ransom in exchange for decryption.” (A Guide to Ransomware, n.d.)

Example: Altoona Area School District was the victim of a ransomware incident in December of 2021 in which threat actors exfiltrated 150 GB of district data, including student and employee data. (The K12 Cyber Incident Map, n.d.)

10

Data Leak

Definition: “A data leak is when information is exposed to unauthorized people due to internal errors. This is often caused by poor data security and sanitization, outdated systems, or a lack of employee training. Data leaks could lead to identity theft, data breaches, or ransomware installation.” (What Is a Data Leak?, n.d.)

Example: Perth Amboy Public Schools: As a result of a phishing incident, an unauthorized party obtained access to a limited number of employee email accounts. (4/15/2020) (The K12 Cyber Incident Map, n.d.)

11

Categorize

Options (11)

social security number

date of birth

home address

academic records

behavioral records

health records

usually caused by internal errors

a tactic used to manipulate people into providing usernames or passwords

usually involves encryption of data

bad actors hold data hostage until money is paid

an email that comes from a suspicious domain and asks for your credentials

Organize these options into the right categories

Data Leak
Personally Identifiable Information
Phishing
Ransomware

12

13

Local Cyber Incidents

The K12 Cyber Incident Map is described by its maintainers as follows: “Maintained as a service to the K-12 community, the K-12 Cyber Incident Map is an interactive visualization of cybersecurity-related incidents reported about U.S. K-12 public schools and districts from 2016 through 2022” (The K12 Cyber Incident Map, n.d.).

This resource can be used to help faculty and staff understand the threat and prepare for cybersecurity incidents.

14

Local Cyber Incidents

The K12 Cyber Incident Map shows 1,619 cyber incidents between 2016 and 2022.

Read the following questions before opening the map:

  • How many school districts in PA have been the target of cyber-crimes according to this map?
  • What is the most common type of cyber-crime in PA according to this map?

You will answer these questions on the next 2 slides.

  • Click the map key on the left side to filter by incident type.
  • Hover your mouse over the pins to see the school district.
  • Select the pins to learn more details about the incidents.

15


Time to Review!

16

Multiple Choice

Approximately how many schools in PA have been targeted by cybercrimes since 2016?

  1. 5
  2. 18
  3. 38
  4. over 50

17

Multiple Choice

What is the most common type of cyber-crime in PA according to this map?

  1. other and ransomware
  2. data breaches/leaks
  3. denial of service
  4. phishing

18


Goal #2

NOW THAT YOU HAVE SEEN SOME EXAMPLES OF CYBER INCIDENTS, LET’S DIVE INTO THE IMPORTANCE OF PHISHING EMAILS.

19


Phishing Emails - Goal #2

Recall the importance of identifying phishing emails.

Access prior knowledge

(Answer this question before continuing)

❑ How can learning about phishing emails benefit you?

20

Poll

How can learning about phishing benefit you?

it will help me protect my own personal information

it will help me protect student or staff data that I can access

it can prevent ransomware attacks

it can prevent data leaks

21

22

Video prep

As you watch...

Consider how you could personally be impacted by a ransomware attack.

You will be asked to answer this question after the video.

23

24

Video Response

Question image

How could you be impacted by a ransomware attack?


25


Time to Review!

26

Multiple Choice

T/F – School staff members have varying access to staff and student PII, including full names, addresses, phone numbers, and academic, behavioral, and medical records.

  1. True
  2. False

27

Multiple Choice

T/F – Phishing emails are rare; therefore, training on this type of cybercrime is unnecessary.

  1. True
  2. False

28


Goal #3

NOW THAT YOU HAVE ESTABLISHED THE
IMPORTANCE OF PHISHING EMAILS, LET’S
LOOK AT STRATEGIES TO IDENTIFY THEM.

29


Identifying Phishing - Goal #3

Identify the key differences between legitimate and phishing emails

Access prior knowledge

(Answer this question before continuing)

❑ Have you ever opened a suspicious email? If so, why did it look suspicious?

30

Open Ended

Have you ever opened a suspicious email? If so, why did it look suspicious?

31


Identifying Phishing

• Review the example phishing email shown to the left.

• Here are the items in an email that may contain the red flags of a phishing attempt:

  1. Emotions Triggered

  2. Domain of email address

  3. "From" field

  4. Greeting

  5. Caution Banner

  6. Attachments

  7. Hyperlinks

  8. Spelling/Grammar

32

Review of emotions

• The next few slides will show you examples of the 5 emotions bad actors want to trigger with their emails:

  1. Urgency
  2. Fear
  3. Greed
  4. Curiosity
  5. Helpfulness

Carefully review each definition and example.

Which one do you think is the most common?

33

Poll

Which emotion do you think hackers use the most often in phishing attempts?

fear

curiosity

urgency

greed

helpfulness

34

Urgency

The email is asking you to do something immediately to avoid a negative consequence.

35

Fear

A threatening email that is meant to scare you into clicking on links or entering your credentials.

36

Greed

An email that promises money or gifts.

37

Curiosity

An email that tells you that someone mentioned you online or has a funny video attached.

38

Helpfulness

An email that claims to be sending you helpful information or links.

39

Emotions

• Urgency is the most common targeted emotion used in phishing emails.

Now that you know what emotions to look out for, let’s look at an email from top to bottom and review each part to search for red flags.

40


Identifying Emotions

Ask yourself: Does this email contain language that is trying to make me feel a sense of urgency, fear, greed, curiosity, or as though the sender wants to help me?

image: (Irwin, 2022)

41


Identifying Emotions

If yes:

• Continue checking for other red flags.

• Go to the company’s website to see if you can verify what the email is claiming.

• If you cannot, report the email as phishing.

image: (Irwin, 2022)

42

Identifying - "From" field

Ask yourself:

  • Do I know this person?
  • Was I expecting this email?
  • Does the tone of the email or vocabulary used sound like this person?

If you do not know the person, refer to step A and check your emotions.

If the email is targeting any of those emotions, report it as phishing.

image: (Phishing, n.d.)

43


Identifying - "From" field

• If you know the person but were not expecting this email, refer to step A and check your emotions.

• If you think there is a chance this came from them, reach out to them by phone to verify the email.

• If they did not send it, report it as phishing.

• If the email does not sound like it could have come from them, immediately report it as phishing.

image: (Phishing, n.d.)

44

Identifying - Domain

• A legitimate email domain will contain the company’s name without extra letters, symbols, or numbers.

• Domain names work from right to left.

• For example: JohnDoe@computers.dell.com. In this example, the domain is dell.

This is not a foolproof method of determining legitimate email addresses, as they can be replicated.

Legitimate example:
Derek.Brackbill@donegalsd.org

Phishing example:
Derek.Brackbill@donagel123.net

45

Identifying - Domain

If you are unsure, google the domain name with the word “legit” after it to see if anyone else online has reported this as a phish.

• If your research reveals that it could be a phish, report it as phishing.

• If your research reveals that it could be legitimate, refer to step A to check your emotions.

• If the email attempts to trigger these emotions, report the email as phishing.

Legitimate example:
Derek.Brackbill@donegalsd.org

Phishing example:
Derek.Brackbill@donagel123.net

46

How to use the profile to verify the sender

Email accounts provide users with a profile at the top left of each email. Hover your mouse over the name or picture and it will open the profile of the sender. You can see this in the GIF on the right.

On the next 2 slides, compare the look and profile of the two emails.

47

Email A

Notice the email and the profile shown on the left.

There are conflicting email addresses shown in the body of the email.

Notice that the profile shows the email under "Contact". This email claims to be from someone inside the organization, but it is coming from a Gmail account.

48

Email B

Notice the email and the profile shown on the right.

This is a legitimate email from Rachel Bruno.

Notice that the profile shows the correct DSD domain of donegalsd.org and contains more details about your past conversations with this sender.

49

Multiple Choice

What is the domain name used by members of Donegal School District?

  1. donegal.k-12.edu
  2. dsd.org
  3. donegalsd.org
  4. gmail.com

50

Identifying - Greeting

How does the sender greet you? Do they call you by name?

• If the email is addressed to a generic name like “user” or “customer”, this might be a red flag.

• Go back to Step A and check your emotions.

• If the email attempts to trigger these emotions, report the email as phishing.

51


Identifying - Caution Banner

• Look for a yellow or red caution banner. Caution banners are standard for any emails that come from outside of the Donegal School District domain.

• The yellow banner states: “CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.”

image: (Palarchio, 2016)

52


Identifying - Caution Banner

• The red banner states: “WARNING: The sender of this email could not be validated and may not match the person in the ‘From’ field.”

• If this banner is attached to an email from someone who claims to be from inside the organization, report it as phishing.

• If the banner is red, go back to step B (check the from field) and C (check the domain).

image: (Palarchio, 2016)

53

Identifying - Attachments

• Look for attachments. Ask yourself: was I expecting this attachment?

• If you were not expecting it, refer to step A and check your emotions.

• If the email attempts to trigger these emotions, report the email as phishing.

54

Identifying - Attachments

If you were expecting it, can you preview the attachment?

You can preview an attachment by clicking the down arrow and selecting preview.

If you can preview the attachment, you can verify its contents before proceeding.

If the attachment is an unusual file type, for example .exe, report it as phishing.

If you cannot preview the attachment, report it as phishing.

image: (Crane, 2020)


55


Identifying Hyperlinks

• A hyperlink is an electronic link providing direct access from one distinctively marked place in a hypertext document to another in the same or a different document.

• Click the example hyperlink to the left; it will take you to the DSD website.

• Notes:

  • Hyperlinks can take you anywhere on the internet.

  • They are sometimes highlighted in blue and underlined.

Example:

56


Identifying Hyperlinks

• Hover your cursor over the hyperlink to see the web address where the link would take you. Refer to step C to check the domain of the web address.

• If the web address looks like a website you do not want to visit, report it as phishing.

• If you are unsure, refer to step A and check your emotions.

• If the email attempts to trigger these emotions, report the email as phishing.

Example:
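Added example (not from the training deck or the district): a small Python triage that applies the domain rule from the Domain slides to both a "From" address and the web address revealed by hovering over a hyperlink. It reads host names right to left, keeps only the last two labels (an assumption that does not cover suffixes such as co.uk), uses donegalsd.org and the deck's two sample addresses, and treats the Gmail and sub-domain samples and the edit-distance threshold as constructed placeholders.

```python
from urllib.parse import urlsplit

ORG_DOMAIN = "donegalsd.org"   # legitimate DSD domain from the training deck
ORG_NAME = "donegal"           # the company's name, which a real domain carries unaltered


def registrable_domain(host: str) -> str:
    """Keep the right-most two labels (computers.dell.com -> dell.com).
    Assumption: two-label domains only; co.uk-style suffixes need a suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot misspelled company names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_red_flags(host: str) -> list[str]:
    """Red flags for one host name taken from a sender address or a link."""
    host = host.lower().strip(".")
    domain = registrable_domain(host)
    if domain == ORG_DOMAIN:
        return []                                   # donegalsd.org or a sub-domain of it
    flags = [f"external domain {domain}: expect the caution banner"]
    if ORG_DOMAIN in host:                          # donegalsd.org.other.net reads as other.net
        flags.append(f"{ORG_DOMAIN} appears only as a sub-domain of {domain}")
    name = "".join(c for c in domain.split(".")[0] if c.isalpha())  # drop digits/symbols
    if edit_distance(name[: len(ORG_NAME)], ORG_NAME) <= 2:         # constructed threshold
        flags.append(f"lookalike of {ORG_DOMAIN}: {domain}")
    return flags


def sender_red_flags(address: str, claims_internal: bool = False) -> list[str]:
    """Flags for a "From" address; claims_internal means the message presents
    the sender as district staff (the deck's Email A situation)."""
    local, at, host = address.strip().rpartition("@")
    if not (at and local and host):
        return ["not a valid e-mail address"]
    flags = host_red_flags(host)
    if flags and claims_internal:
        flags.append("claims to be internal but was sent from " + registrable_domain(host))
    return flags


def link_red_flags(url: str) -> list[str]:
    """Flags for the web address revealed by hovering over a hyperlink."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname
    return host_red_flags(host) if host else ["link has no host name"]


if __name__ == "__main__":
    # Constructed samples: the two Derek.Brackbill addresses come from the deck, the rest are made up.
    print(sender_red_flags("Derek.Brackbill@donegalsd.org"))          # []
    print(sender_red_flags("Derek.Brackbill@donagel123.net"))         # external + lookalike
    print(sender_red_flags("dsd.helpdesk@gmail.com", claims_internal=True))
    print(link_red_flags("https://donegalsd.org.example-login.net/reset"))
```

The output is a triage aid only: as the deck says, a matching domain is not proof of legitimacy, so the emotion, banner, attachment and greeting checks still apply.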

57

Identifying Grammar/Spelling

• Look for grammar or spelling mistakes.

• If the email contains spelling or grammar mistakes, refer to step A and check your emotions.

• If the email attempts to trigger these emotions, report the email as phishing.

58

Anatomy of a Phishing Email

Review the 7 signs of a phishing email to the left.

image: (7 Ways to Recognize a Phishing Email, n.d.)

59


Time to Review!

60

Multiple Choice

Question image

Identify the red flag present in the phishing email example to the left.

  1. Urgent message
  2. Greeting
  3. Spelling/Grammar

61

Multiple Choice

Question image

Identify the red flag present in the phishing email example to the left.

Click the image to make it larger.

  1. Spelling/Grammar
  2. Email Domain
  3. Attachment

62

Multiple Choice

Question image

How should you verify if the email to the left is legitimate?

  1. Check my Google Account notifications
  2. Click the link in the email
  3. Reply to the email to ask a few follow-up questions

63


Goal #4

NOW THAT YOU KNOW HOW TO IDENTIFY A PHISHING EMAIL, YOU WILL LEARN ABOUT THE
IMPORTANCE OF REPORTING.

64


Deleting vs. Reporting - Goal # 4

Explain the difference between reporting and deleting phishing emails

Access prior knowledge

(Answer these questions before continuing)

❑ Have you ever deleted or reported a phishing email before?

If you typically delete them, why not report them?

65

Open Ended

Question image

Have you ever deleted or reported a phishing email before?

If you typically delete them, why not report them?

66

Deleting vs. Reporting

Review the key terms and definitions below:

Report Phishing: Following the procedure to mark an email as phishing, which formally notifies the IT department.

Delete Phishing: Following the procedure to select an email and then delete it from your inbox.

67

Deleting vs. Reporting

When you think you have spotted a phish, it is always best to report it.

Reporting is preferred because it alerts the DSD IT department about a potential security threat.

When the IT department is notified, they can take steps to remove the same phish from other email inboxes.

Microsoft also receives the report, which could help keep people outside of DSD safe from the same bad actor.

Once you report the email as phishing, the email is removed from your inbox.

Deleting a phishing email only removes it from your inbox and does not alert the IT department, leaving others open to the same attack.

68

69


Time to Review!

70

Multiple Choice

Question image

Report or Delete: Should the email to the left be reported as phishing or deleted?

  1. Deleted
  2. Reported

71

Multiple Choice

Question image

Report or Delete: Should the email to the left be reported as phishing or deleted?

  1. Delete
  2. Report

72

Goal #5

NOW THAT YOU KNOW WHY IT’S IMPERATIVE TO REPORT PHISHING EMAILS, LET’S REVIEW THE STEPS TO COMPLETE THE TASK.

73


How to Report - Goal #5

Explain the steps of how to report a phishing scam.

Access prior knowledge

(Answer these questions before continuing)

❑ Do you prefer the web or desktop application version of Microsoft Outlook?

Why do you prefer that version?

74

Open Ended

Question image

Do you prefer the web or desktop application version of Microsoft Outlook?

Why do you prefer that version?

See description to the left.

• The web version uses the browser and is what most staff use.

• Some staff prefer the features of the desktop version. You can access this by searching for the Outlook app in the start menu at the bottom of your screen.

75


How to Report

Review the key terms, definitions and examples below:

Ellipsis: Three dots in the upper right corner of your emails.

Report Phishing in the web version: A button which can be selected from the ellipsis in an Outlook email.

Report button in the ribbon, in the desktop client: Looks like an email with a security warning symbol.

Outlook Desktop Client: Accessed from the applications installed on a laptop or desktop computer.

Outlook Web: Accessed in a browser, typically from the staff portal or Clever page.

76

Reporting a Phish

Determine if you are viewing the suspected phishing email in the desktop client or the web version of Outlook.

The desktop client is an application accessed from the start menu or task bar of your Windows device.

The web version is accessed in the browser from your portal or Clever page.


77


Reporting a Phish in the Desktop Client

Outlook Desktop – How to report a phish:

  1. Select the email.
  2. Locate and click the “Report Phishing” button in the ribbon at the top of your email application.
  3. A pop-up box will open to verify that you want to report the email as a phish. Click the blue “Report” button. The email will be removed from your inbox.

78

Reporting a Phish in the web

Outlook Web – How to report a phish:

  1. Select the email.
  2. Locate and select Report.
  3. Click Report Phishing.
  4. Click OK. The email will be removed from your inbox.

79


Time to Review!

80

Reorder

Desktop client version: Arrange the steps of reporting a phishing email into the correct order.

  • Select the email
  • Locate and click the "Report Phishing" button in the ribbon
  • Click the blue "Report" button in the pop-up box
  • The email will be removed from your inbox

81

Reorder

Web app version: Arrange the steps of reporting a phishing email into the correct order:

  • Select the email
  • Locate and select Report
  • Select "Report Phishing"
  • Select "OK"
  • The email will be removed from your inbox
