You may have heard the term “deepfake”. A deepfake is what is produced when someone uses AI to impersonate another person. This can be done via text, audio, or even video.

It doesn’t take much information to create a deepfake of a person. Most individuals who have a social media account post enough information publicly that such a deepfake could be created of them.

Scammers are using these deepfakes for many harmful purposes. Of course, they are also using them to send more and more real seaming messages for phishing purposes.

In one case, someone used a deepfake of a person’s daughter over a phone call in an attempt to trick the individual into paying a ransom.

So, what can we do?

The good news, using AI generated content for phone calls is now illegal in the US. However, that hasn’t stopped robo-calls or illegal scam operations in general. It also doesn’t address email or video.

It is important now, more than ever, to validate the sources of messages. Check-in with people and make sure the message comes from them. If something looks off (or a bit phishy!) it might not actually be from your coworker or your boss. Double check with them if you are concerned.

Staying vigilant about these changing threats will help keep you safe, the students we serve safe, and protect our whole community

First, a malicious person could put input into one of these systems in order to automatically generate spam and phishing emails that are very convincing. This makes them much harder to identify and track. Staying alert to potential threats in emails and messages is more vital than ever.

Then, there is a question of how the data entered will be used. When you enter information into a form online you are sharing that information with a third party. That third party can then share that information with other parties. This is why confidential information should never be entered as input into these AI chat bots unless appropriate approval and authorization is in place. PCC policy and legal regulations prohibit PCC related controlled sensitive information from being shared with third parties without authorization, and that includes the companies behind these AI services.

Finally, the output of these AI services should not be treated as meeting the goals and standards of quality and service that PCC maintains through our values and policies. The values of the college are not necessarily the same as those programmed and trained into these AI bots. So, the output could be offensive, misleading, incorrect, or otherwise not aligned with PCC’s mission.

Popularity of this new “AI” industry is growing rapidly and has already seen adoption from companies such as Microsoft in their Bing search engine. �ҴǴDz����������Ի���Slack have stated they are also working on implementations. As this technology is adopted, PCC will be evaluating it to ensure policy, regulations, and the college’s mission are fulfilled by the use of such technology. Until that process is conducted, we recommend not using these chat AI services for any PCC related work.

Sometimes, these attackers will target specific individuals who are known to have privileged access or highly sensitive information with extremely convincing, complex, and customized scams. These highly-targeted phishing attempts are called Spear Phishing Attacks.

PCC’s Information Security team takes a number of precautions to prevent these types of attacks from reaching your inbox, but technological controls alone are not enough. Having a well informed community who are able to recognize scammers and other malicious parties is the most important preventative measure to stop these attackers in their tracks.

Here are some tips to help protect yourself and the PCC community from phishing attacks:

• Verify the identity of the sender. This is especially important when an email arrives unsolicited, or if the sender appears to be an individual in a position of authority.
• Before clicking a link (including Google Drive share links) or downloading a file, check for red flags such as the website address matching what is expected. You can always contact the other party yourself by using Google or calling them at a known number instead of clicking a potentially risky link.
• Never provide your password or other sensitive data to an unsolicited email.
• .

If you receive a suspicious email, you can use the to mark the message as “Spam” or “Phishing”. Marking an email as phishing within Gmail will immediately create a Service Desk ticket that is routed to our Information Security team. Messages marked as spam also alert our Google Administrator and Information Security team.

Finally, it is worth noting that these malicious parties can be creative with their attacks. Even the most savvy person can be taken advantage of. If phishing didn’t work, then malicious actors wouldn’t use this type of attack. The most important thing is to work immediately with Information Security to stop the attacker before more harm to PCC and you can occur. If you believe that you have been involved in a phishing attack, immediately reach out to the Service Desk.

Phishing attacks are extremely common. According to , 90% of cyber attacks in 2019 were caused by phishing. Keeping an eye out for malicious actors and working together to keep them from attacking PCC helps create a safe and welcoming environment for all.

At PCC, we have whole teams of professionals working to ensure that you get access to systems that are tested, updated, and secured. This way students’ private information, financial information, and other operational information is kept secure. We call this information Controlled Sensitive Data. This data includes all non-public information that PCC is obligated to protect by following regulatory standards and policy. It is everyone’s obligation to help keep Controlled Sensitive Data secure.

Using a personal device to handle Controlled Sensitive Data puts our community at risk. Personal devices, such as personally-owned laptops, tablets, cell phones, and other electronic devices do not have the protections that the IT department has carefully considered and put in place. These considerations are made to comply with legal regulations, and PCC policy, and to protect you and those whose information you’ve been trusted with.

Unauthorized use of personal devices to receive, send, or work on Controlled Sensitive Data may have legal repercussions for PCC as well as you individually. For these reasons and more, PCC’s Acceptable Use Policy (AUP) states:

Faculty and staff shall not perform PCC business on non-authorized personal devices. (PCC AUP, June 2022)

In order to succeed in the college’s mission, we must work together to create a culture that ensures students are protected from cyber threats. If you have any questions or concerns regarding this information or other issues that you would like to discuss with the Information Security team, feel free to reach us at infosec@pcc.edu.

Are you secure? Find out at our Identity Wellness Check Road Tour – visiting CLIMB Center, Sylvania. Willow Creek, Southeast, Rock Creek and Newberg Center.

View the Road Tour schedule

Our team is working with the feds and others on remediation strategies, but for now I just want to heighten awareness. This is an opportunity to remind your staff to be diligent in following existing controls in place for suspicious emails. If suspicious about an email, call the Service Desk and they will walk through what you should do – and create a ticket for the InfoSec team.

Extract: “Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors. Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.

Emotet is disseminated through malspam (emails containing malicious attachments or links) that uses branding familiar to the recipient; it has even been spread using the MS-ISAC name. As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices purportedly from MS-ISAC. Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document included in the malspam. Once downloaded, Emotet establishes persistence and attempts to propagate the local networks through incorporated spreader modules.”