DISA launches Cybersecurity Awareness Campaign

by Karl Smith
Cybersecurity & Analytics Directorate
March 3, 2022 

Earlier this year, the deputy secretary of defense signed a memo directing all Department of Defense components, in coordination with the DOD chief information officer and USCYBERCOM, to initiate cybersecurity campaigns to reinforce user compliance with best practices.

Over the next several weeks, DISA’s Cybersecurity & Analytics Directorate will disseminate refresher training to the workforce, in an effort to minimize cybersecurity incidents and attacks on DOD systems.

Social engineering scams pose serious threats to you personally, the DOD, and other government and corporate organizations. Using a variety of methods such as email, phone calls and text messages, malicious actors try to manipulate you into giving up critical information. Social engineering includes phishing, spear phishing, whaling, smishing, vishing and internet hoaxes. You should take the time to learn how to recognize all forms of social engineering and take the appropriate steps to protect yourself when you are targeted.

Simply, phishing uses email to deceive users. Spear phishing targets a specific individual or group of individuals and is more sophisticated. It’s usually an attempt to obtain information from targeted groups or individuals. Spear phishing may appear to come from someone inside the organization or from someone in a position of authority. Whaling is an email attack that targets high-ranking officials with the goal to gain access to systems or other people with inside information.

If you get a message that asks for personal, financial or system-related information, do not reply or click the link in the message. Just delete the email. Legitimate organizations do not ask for this information via email. If you suspect that you have been phished on your official government email, report it to the DISA Phishing Hotline.

Smishing uses short message service, or SMS, to deceive the recipient. SMS messages are commonly known as text messages. The main goal of smishing is to obtain personal information or to gain access to the device.

If you get a text message from an unknown number and suspect that it is a smishing attempt, do not reply or click the link in the message. Further, only download apps from your device’s official app store.

Vishing uses voice calls to deceive the user into giving up personal information or to persuade the user to install software that provides access to the device or network. The caller usually claims to represent a known entity, such as a bank, a government agency or law enforcement.

If you receive a call from an unknown number, let it go to voicemail. Legitimate callers will leave a message and you can evaluate the message later. If you answer a suspected vishing call, do not interact with automated prompts, such as to press a button or speak a command, just hang up.

In any circumstance, if you are concerned about your accounts, contact the account organization using a telephone number you know to be genuine. If you want to check your account status online, always type the web address for the organization directly into your browser or use your personal bookmarks. Do not use contact information provided since that will most likely direct you to the scammer.

In general, to protect against social engineering, do not participate in telephone surveys, give out personal information, give out computer or network information, or follow instructions from unverified personnel.

Internet hoaxes clog networks, slow down internet and email services, and can be part of a distributed denial of service (DDoS) attack. To protect against internet hoaxes, use online sites to confirm or expose potential hoaxes.

Training

• Phishing and Social Engineering: Virtual Communication Awareness Training v6