Cybersecurity Bulletin

Following are recent cybersecurity reports from Valley’s Information Security team. For additional cybersecurity advisories, please visit the Information Systems’ Cybersecurity page on the intranet.

Thank you for your commitment to being cyber-aware and for helping Valley maintain a safe and secure IT environment.

Advisory: Multi-Factor Authentication Phishing Attacks

Multi-Factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors before gaining access to the account, for instance, a passphrase and a code sent to your phone or email.

Enabling MFA wherever possible is recommended, as it adds an extra layer of security for your accounts. Nonetheless, cybercriminals continue to improve their attack methods and strategies.

For instance, cybercriminals are now attempting to trick you into accepting MFA verifications that you have not requested. If you accept or verify these MFA push notifications, you give cybercriminals access to your account.

Do not let MFA give you a false sense of security. Follow the tips below to stay safe from MFA scams and social engineering:

  • Never approve an MFA notification you did not request.
  • If you receive an MFA notification you didn’t request, immediately change your password for that account.
  • Update the passphrase for other accounts that use the same credentials.
  • Use a different passphrase for all accounts, especially for your personal and Valley accounts.

Keep in mind that cybercriminals can hack your account even when you’re protected with MFA. Always use Valley’s HRO tools – STAR (Stop, Think, Act, Review) or Validate and Verify.

Advisory: Malicious Monkeypox Scams

Cybercriminals constantly adjust their phishing campaigns to be as timely and relevant as possible. Now, they are using monkeypox as an opportunity to send phishing emails and trick people into clicking malicious links. Cybercriminals are using fear about monkeypox outbreaks to scare you into sharing sensitive information.

In one scam, cybercriminals send you an email about the latest monkeypox outbreaks and provide a link to mandatory safety awareness training. When you click this link, you’ll be taken to a fake Microsoft login page. If you enter your login credentials, you won't get access to monkeypox safety awareness training. Instead, cybercriminals will get access to your credentials and account.

To stay safe from similar scams, remember the following tips:

  • Cybercriminals often use alarming topics to trick you into clicking impulsively. Always think before you click!
  • If you receive an unexpected training notification, reach out to a colleague to confirm that the training is legitimate.
  • Do not click on suspicious or unsolicited links or attachments unless you have validated them. Before you click a link, hover your mouse over it. Watch out for links that are suspiciously long or show a different domain than the official website.
  • Stay alert for phishing emails.
  • Never provide your Valley or personal credentials (login or password) to anyone or anywhere.
  • Forward suspicious emails as attachments to [email protected]
  • Report unusual activity to the IS Service Desk or the Information Security team.
  • Use Valley’s HRO tools – STAR (Stop, Think, Act, Review) or Validate and Verify.