External email tagging to begin April 3, 2019
A review of BGSU cybersecurity incidents for 2018 has indicated that there was a 64 percent decrease in the number of compromised accounts from the previous year. This is not a result of hackers reducing their efforts to send phishing emails to BGSU account holders, but more a result of a series of efforts taken by Information Technology Services (ITS) to educate our users, identify and prevent attacks, and how to improve our response when someone does fall victim.
While the number for 2018 reduced dramatically, there were still too many accounts compromised. In 2019 we will continue to evolve our approach to protecting your accounts. This will include required Two Factor Authentication for all users in Office 365 later in the year. But a more immediate change is coming April 3, 2019 – External tagging of emails that did not originate from a BGSU email account.
Many of the scams and phishing emails perpetrated by hackers lure a victim to click on the link because the user believes they are getting the link from a trusted source. In reality, the hackers create an alias account using a free email system and just change the name to someone you know. The Information Security Team has dealt with many emails that claim to be from Dr. Rodney Rogers, but when you look at actual the email address it originated from a spoofed Gmail.com account. By tagging the email as an external email address, it will become more apparent to the recipient that the email was not likely from Dr. Rogers as he would not use a Gmail account to send an official BGSU related email.
How does it work?
The subject line of an email from anyone not @bgsu.edu will have the following text added to the beginning of the subject:
The tagging of the messages is not meant to insinuate that all emails from outside the BGSU email system are fraudulent. It is just an additional step to help keep our users vigilant as we use technology at BGSU. If you have any questions about this change or anything else related to cybersecurity, please feel free to email us at firstname.lastname@example.org