Ghosts in the Machine: Halloween Cybersecurity Insights

Welcome to Cybersecurity Awareness Month! Your Information Security team would like to share some tips with you to help you stay safe online and ensure the safe use of technology services both at Middlebury and beyond. We’ve observed some “spooky stuff” lately that you should keep in mind as you go about your business.

Be on the lookout for “file sharing” phishing scams 

Phishing messages come in many different formats. We’ve recently seen scam DocuSign, Microsoft OneDrive, and Google Drive file share messages. Bad actors are sending phishing messages from hacked Google, Microsoft, and DocuSign accounts to people at Middlebury. Please do not click on links in any of these types of documents if you’re not expecting to receive communication from the sender of the message. 

Set up secure multi-factor authentication (MFA) methods 

We strongly recommend setting up the Microsoft Authenticator app and using the number matching method. More info on number matching here. 

Alternative verification methods like text messages (SMS) and telephone calls are less secure and may make you vulnerable to “MFA fatigue” attacks (scary), where bad actors repeatedly trigger MFA authentication prompts to wear down your resistance. Be extra careful, please, and only authorize logins that you know you initiated. 

Be on the lookout for fraudulent employment offers 

Fraudulent employment offers for part-time, remote positions are an extremely common and effective phishing method. These scams frequently target students looking for research positions as well as employees. Here is guidance from Middlebury Center for Careers and Internships on spotting fraudulent employment opportunities. All of these tips apply to any kind of job offer – not just student positions! 

Follow password best practice guidance 

• Do not re-use passwords.  
• Do not use simple passwords.  
• CISA recommendations for password hygiene: https://www.cisa.gov/secure-our-world/use-strong-passwords 

Cybersecurity resources

• Send phishing messages to phishing@middlebury.edu.
• Send general cybersecurity inquiries to infosec@middlebury.edu.
• LinkedIn Learning course – Cybersecurity in the Workplace