Tip of the Week

Phishing

This week’s tip is a phishing quiz. Google has put together a quiz where you have to know (guess) if an email is a phish or real. It will ask you to make up a name and email address. Use fake information. The quiz only uses it to show how phishers can personalize fake emails. The quiz can be found at https://phishingquiz.withgoogle.com/.

Some of them are real. You have to know your stuff! (05/17/19)


Pirated Software

This week’s tip is about the dangers of pirated software. You may think you are getting “a great deal” by buying non-licensed software, but there are hidden costs.

Many pirated copies of software contain malware that can infect your computer.

What you purchased may not even work. Most software companies have implemented a way of checking the registration.

This type of software also does not receive security updates, leaving your computer vulnerable to exploitation.

And then there are legal issues. Legally, you are basically denying the developer their legal compensation for the use of their software. Computer piracy is illegal. There are stiff penalties for breaking the law.

Be smart – only use licensed software to conduct UTHSC or your personal business. (05/10/19)


Bluetooth

This week’s tip is a recommendation to turn off Bluetooth if you are not using it on your computer or device. Not only does this make it more secure, but it also saves battery life. (05/03/19)


Email Attachments

This week’s tip is a reminder to use caution when opening email attachments.

A common method cyber criminals use to hack into people’s computers is to send them emails with infected attachments. People are tricked into opening these attachments because they appear to come from someone or something they know and trust. Only open email attachments that you were expecting. Not sure about an email? Call the person to confirm they sent it. (04/26/19)


Notre Dame Email Scams

This week’s tip comes a couple of days early, as we have been advised by multiple security organizations and agencies about scams around the Notre Dame Cathedral burning. Usually the scammers come out when a national or international event has taken place. If you wish to donate to this or any cause, make sure your donation is going to a reputable agency or organization.

Bad guys are exploiting the recent fire at the Notre Dame Cathedral in Paris. There are fake Facebook pages, tweets are going out with misinformation and fake charity websites are soon to follow. Bad guys are going to try to shock you and manipulate you into doing something in their interest. 

Don’t fall for any scams, and do not click on any links in emails, texts or social media. Whatever you see in the coming weeks about Notre Dame… THINK BEFORE YOU CLICK. (04/18/19)


Encrypting Mobile Devices

This week’s tip is about encrypting mobile devices. Data that is not encrypted on a mobile device could be easily accessed if the device is lost or stolen. If you need to keep sensitive data on your mobile device and have authorization to do so, password protect the device and consider encrypting the data.

Full device encryption for Android devices / Apple devices. (04/12/19)


Beware of Phone Scams

This week’s tip is a reminder that not all sneaky phishing attacks come through email. More and more scams and attacks are happening over the phone. Whenever you get an urgent phone call pressuring you to do something (such as a caller pretending to be the tax department or Microsoft Tech Support), be very suspicious. It’s most likely a scammer trying to trick you out of money or pressure you into making a mistake. Protect yourself: simply hang up the phone. You are not being rude; the person on the other line is trying to take advantage of you. (04/05/19)


Clues You've Been Hacked

This week, instead of a tip, we have clues to recognize if you have been hacked. Staying vigilant about your information and your privacy settings is the best way of keeping you safe.

Some of the most common indicators that you may have been hacked include the following:

  • Your friends tell you that they have received odd emails or messages from you, messages you know you did not send.
  • Your password no longer works for one of your accounts, even though you know you never changed the password.
  • Your anti-virus informs you that one of your files or computer is infected.
  • You receive a pop-up message informing you that the files on your computer have been encrypted and you must pay a ransom to recover them.

(03/29/19)


Facebook and Your Password

With the announcement this week that Facebook stored millions of users’ passwords in plain text (not encrypted, easily read), this week’s tip is about passwords and social media. Enabling two-factor authentication on any account you have helps protect your information, even with social media. Also, change your Facebook password and update your privacy settings.

You can Google “Facebook Passwords” and get many articles about the recent disclosure. Here is one: https://www.wired.com/story/facebook-passwords-plaintext-change-yours/

Basic Facebook privacy settings can be found here: https://www.facebook.com/help/325807937506242 (03/22/19)


Two-Factor Authentication (2FA)

No one calls signing in with a password “single-factor authentication”, but that is what it is. You use only one way of proving you are who you say you are for whatever system you are logging into, whether your O365 account at UTHSC, or Facebook, or your bank.

A more secure way of logging in is two-factor authentication. This means that you use two different methods to prove who you are.

When using 2FA, you have to use two out of three methods to prove yourself:

  • Something you know (password)
  • Something you have (smart phone)
  • Something you are (biometric scan, e.g. fingerprint)

Actually, 2FA is already on campus. If you’ve ever been a member of the fitness center (located in the SAC) you use 2FA. To get in, you have to type out your employee or student number (something you know), then place your right hand on a scanner (something you are). Both are needed to gain access.

2FA is a security measure. With 2FA, even if someone steals or guesses your password, without your smart phone verifying you are who you say you are, they can’t get into your account. When you log into an application that requires 2FA, a notification will appear on your phone asking you to either accept or deny access.

More communication on how we are going to implement this new feature will be coming. We hope everyone will use their smart phone as a verification source, but if you do not have a smart phone, we will have another way for you to use 2FA. (03/15/19)


Review Your Statements!

This week’s tip is a reminder to review your bank, credit card and any financial statements regularly to check for unauthorized activity. Also, if your bank or financial institution’s online banking does not offer/require two-factor authentication to log into your account, FIND ANOTHER BANK. 2FA is much more secure than just a password or PIN. (03/08/19)


Clues You've Been Hacked

This week’s tip is about some clues you should watch for to see if you’ve been hacked. Your friends tell you that they have received odd emails or messages from you, that you know you did not send. Your password no longer works for one of your accounts, even though you know you never changed the password. Your anti-virus informs you that one of your files or computer is infected. Stay vigilant! (03/01/19)


Social Media and Privacy

This week’s tip is a reminder about social media and privacy. Facebook, and other social media outlets, have been in the news because of investigations on how private they keep your data. Be mindful of your privacy settings on these applications. Make them as private as possible.
Also be aware of what you post, the site’s Terms and Conditions, and make a strong passphrase.
Awareness is the key! (02/22/19)


Mobile Device Data

This week’s tip is a reminder to back up your key data on mobile devices on a regular basis. Just as you must back up the data on your desktop or laptop computer in case of hard drive failure, loss, or theft, it’s equally important to back up the crucial data that you store on your mobile device. Otherwise, this data could be lost forever if your mobile device is lost, stolen, or suffers a hardware failure. Both Android and Apple have automatic backup options. (02/15/19)


Passphrase

This week’s tip is about passwords. The best password is a passphrase. Use as many characters as possible in your password. The longer it is, the harder it is for a hacker to guess. Make sure it is something you can remember though. Keep in mind that a good password is easy to remember, but hard to guess. (02/07/19)


Email Attachments

This week’s tip is a reminder to be cautious when opening email attachments. Cyber criminals will hack into people’s computers by sending emails with infected attachments. People are tricked into opening these attachments since they appear to come from someone they know and trust. Only open email attachments that you were expecting. Not sure about an email? Call the person to confirm they sent it.  (02/01/19)


Helpful Tools

This week’s tip is some helpful tools you can use to know some things about your online presence.

First, search yourself online. See what information is publicly available about you and your family. This is as easy as using Google, Yahoo, Bing or any other search engine. Type out your official given name, and any variations of your name (nicknames) that you are called. Also search for children, elderly parents or other family members who may not know how to search.

Second, test your passwords to see how strong they really are. You can Google “Password tester” or try this website, https://howsecureismypassword.net/. Here, you can type out any password or passphrase you use and see how quickly a bad guy could guess it.

Third, check your email addresses to see if they have been part of any data breaches. The website https://haveibeenpwned.com/ allows you to check any email address to see if that account has been compromised in a data breach. If so, it tells you in what breach they found that email address.

If, when researching, you find your email address is part of a breach that has happened since your last password reset, CHANGE YOUR PASSWORD on that account.

Any questions about using these tools, contact the Information Security Team at itsecurity@uthsc.edu.

Stay safe! (01/25/19)


Tax Season

With the W2s available, it is the official start of the tax season. Be aware that every year, there are those who want to scam you out of your return, pretend to be the IRS demanding back taxes, or steal your identity with your tax documents. Remember your Information Security Training about social engineering and phishing. Read more for a more detailed explanation and helpful resources.

It’s Tax season – Don’t be a victim!

It’s tax season and soon, the W-2s and associated forms will start circulating, which means we must be aware of tax scams. In past years, there have been three popular scams criminals have used that people fall victim to. The three scams include falsifying tax returns and filing them in a victim’s name, calling a victim and pretending to be Internal Revenue Service (IRS) agents and phishing e-mails.

Falsifying tax returns and filing them in a victim’s name can occur when a malicious actor finds or receives information about the tax filer, including the filer’s name, address, date of birth and Social Security number. The malicious actor then uses this information to file a malicious tax return, citing as many deductions as possible, in order to create the largest tax return possible.

Another scam occurs when the malicious actor contacts the victim and tries to convince the victim to do something, such as immediately paying a fine or providing their financial information so a refund can be issued. In these instances, the malicious actor uses what they know about the victim, often information gained from a data breach or social networking website, to convince the victim that the caller has access to the victim’s tax information. Frequently during these calls, the caller will pretend to be an IRS agent.

In the third type of tax scam, malicious actors use tax-related spam, phishing emails, and fraudulent websites to trick victims into providing login names, passwords, or additional information, which can be used in further fraud. Other emails or websites may also download malware to a person’s computer that may make them vulnerable to tax fraud.

Be Cautious

  • Watch for “spoofed” websites that look like the official website but are not.
  • Don’t be fooled by unsolicited calls. The IRS will never call to demand immediate payment or require you to use a specific payment method such as pre-loaded debit or credit cards, or wire transfers. They will never claim anything is “urgent” or due immediately, nor will they request payment over the phone. If you owe taxes, the IRS will first mail you a bill, before contacting you through another medium.
  • The IRS will not be hostile, insulting, or threatening, nor will they threaten to involve law enforcement in order to have you arrested or deported.
  • Sometimes malicious actors change their Caller ID to say they are the IRS. If you’re not sure, ask for the agent’s name, hang up, and call the IRS (or your state tax agency) back using a phone number from their official website.

Recommendations

If you believe you are the victim of identity theft or identity fraud, there are a couple of steps you should take:

  1. File a report with your local law enforcement agency.
  2. File a report with the Federal Trade Commission (FTC) at identitytheft.gov.
  3. File a report with the three major credit bureaus and request a “fraud alert” for your account (Equifax – equifax.com, Experian – www.experian.com, TransUnion – www.transunion.com).

If you receive spam or a phishing email about your taxes, do not click on the links or open any attachments; instead, forward the email to phishing@irs.gov. Other tax scams or frauds can be reported according to the directions on this IRS Suspected Tax Fraud web page.

This week’s tip comes from our friends in Knoxville, from the OIT’s IT Weekly Newsletter. (01/18/19)


Be Suspicious!

This week’s tip is a reminder to be suspicious of people you don’t know who ask for sensitive information. “Social engineers” use lies and manipulation to trick people into giving away sensitive information, such as usernames, passwords, and credit card numbers. Don’t fall for it!

Follow these best practices: always maintain a healthy sense of skepticism when dealing with unknown individuals, especially if they ask for any internal or sensitive information.  (01/14/19)


Securing New Devices

Three weeks ago, the tip of the week was about securing mobile devices when traveling during the holidays. But what if you got a NEW device as a gift? Did you get a new smart TV, phone, watch or toy? Do you know how to make a device more secure when you set it up? Here are some helpful tips that hopefully you have already put in place, but if not... do so!

During the holidays, internet-connected devices also known as Internet of Things (IoT) are often popular gifts—such as smart TVs, watches, toys, phones, and tablets. This technology provides a level of convenience to our lives, but it requires that we share more information than ever. The security of this information, and the security of these devices, is not always guaranteed.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), recommends these important steps you should consider to make your Internet of Things more secure:

Use strong passwords. Passwords are a common form of authentication and are often the only barrier between you and your personal information. Some Internet-enabled devices are configured with default passwords to simplify setup. These default passwords are easily found online, so they don’t provide any protection. Choose strong passwords to help secure your device. See Choosing and Protecting Passwords for more information.

Evaluate your security settings. Most devices offer a variety of features that you can tailor to meet your needs and requirements. Enabling certain features to increase convenience or functionality may leave you more at risk. It is important to examine the settings, particularly security settings, and select options that meet your needs without putting you at increased risk. If you install a patch or a new version of software, or if you become aware of something that might affect your device, reevaluate your settings to make sure they are still appropriate. See Good Security Habits for more information.

Ensure you have up-to-date software. When manufacturers become aware of vulnerabilities in their products, they often issue patches to fix the problem. Patches are software updates that fix a particular issue or vulnerability within your device’s software. Make sure to apply relevant patches as soon as possible to protect your devices. See Understanding Patches for more information.

Connect carefully. Once your device is connected to the Internet, it’s also connected to millions of other computers, which could allow attackers access to your device. Consider whether continuous connectivity to the Internet is needed. See Securing Your Home Network for more information.

Brought to you by US-CERT (United States Computer Emergency Readiness Team). (01/04/19)


Online Shopping

This week’s tip will be the last one for this year. While hopefully you have completed your holiday shopping, this tip is a suggestion for shopping online.
When shopping online, always use your credit cards instead of a debit card. If any fraud happens, it is far easier to recover your money from a credit card transaction. Gift cards and one-time-use credit card numbers are even more secure.

Have a wonderful and safe holiday break. Remember to keep your information secure, no matter what form it takes. (12/21/18)


Holiday Travel

This week’s tip is about securing your mobile devices during holiday travel. It comes from the United States Computer Emergency Readiness Team (US-CERT). There are a number of tips and explanations if you read more.

Know the risks

Your smartphone, tablet, or other device is a full-fledged computer. It is susceptible to risks inherent in online transactions. When shopping, banking, or sharing personal information online, take the same precautions with your smartphone or other device that you do with your personal computer — and then some. The mobile nature of these devices means that you should also take precautions for the physical security of your device (see Protecting Portable Devices: Physical Security for more information) and consider the way you are accessing the internet.

Do not use public Wi-Fi networks

Avoid using open Wi-Fi networks to conduct personal business, bank, or shop online. Open Wi-Fi networks at places such as airports, coffee shops, and other public locations present an opportunity for attackers to intercept sensitive information that you would provide to complete an online transaction.

If you simply must check your bank balance or make an online purchase while you are traveling, turn off your device’s Wi-Fi connection and use your mobile device’s cellular data internet connection instead of making the transaction over an unsecure Wi-Fi network.

Turn off Bluetooth when not in use

Bluetooth-enabled accessories can be helpful, such as earpieces for hands-free talking and external keyboards for ease of typing. When these devices are not in use, turn off the Bluetooth setting on your phone. Cyber criminals have the capability to pair with your phone’s open Bluetooth connection when you are not using it and steal personal information.

Be cautious when charging

Avoid connecting your mobile device to any computer or charging station that you do not control, such as a charging station at an airport terminal or a shared computer at a library. Connecting a mobile device to a computer using a USB cable can allow software running on that computer to interact with the phone in ways that a user may not anticipate. As a result, a malicious computer could gain access to your sensitive data or install new software.

Don’t fall victim to phishing scams

If you are in the shopping mode, an email that appears to be from a legitimate retailer might be difficult to resist. If the deal looks too good to be true, or the link in the email or attachment to the text seems suspicious, do not click on it!

What to do if your accounts are compromised

If you notice that one of your online accounts has been hacked, call the bank, store, or credit card company that owns your account. Reporting fraud in a timely manner helps minimize the impact and lessens your personal liability. You should also change your account passwords for any online services associated with your mobile device using a different computer that you control. If you are the victim of identity theft, additional information is available from https://www.idtheft.gov/.

For even more information about keeping your devices safe, read Cybersecurity for Electronic Devices. (12/14/18)


Check the Sender

This week’s tip is about checking your email on mobile devices and finding out the sender’s actual email address. Most apps only show the “display name” of the sender on screen and not the email address with which it is associated. However, if a friend or colleague’s name is spoofed, it looks like the email is from them. On most apps, you can click on, or press and hold on, the sender’s name in the email to see the details about the sender’s email address. If this doesn’t work, research how to see the email address for the specific app and device you are using. (12/07/18)
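The same check a reader does by pressing on the sender’s name can be automated by a mail administrator. The following is an added example, not part of the original tip: it compares the display name in a From header with the real address behind it. The address book, the example.edu / example.net addresses and the function names are assumptions made up for illustration.

```python
from email.utils import parseaddr
import re

# Hypothetical address book (constructed): display name -> address we expect.
KNOWN_CONTACTS = {
    "jane doe": "jdoe@example.edu",
    "it help desk": "helpdesk@example.edu",
}

# Loose pattern for "something that looks like an email address" inside a name.
EMAIL_IN_TEXT = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def normalize(name):
    """Lower-case a display name and collapse whitespace for comparison."""
    return " ".join(name.lower().split())


def check_sender(from_header, contacts=KNOWN_CONTACTS):
    """Return a list of findings for one From header (empty list = nothing odd)."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ["unparseable sender address"]

    findings = []

    # Case 1: the name on screen is a known contact, but the address behind it
    # is not the one on file for that person.
    expected = contacts.get(normalize(display))
    if expected is not None and expected.lower() != addr:
        findings.append("display name matches a known contact but the address differs")

    # Case 2: the display name itself is an email address that differs from the
    # real one, so a mobile app showing only the name displays the wrong address.
    embedded = EMAIL_IN_TEXT.search(display)
    if embedded and embedded.group(0).lower() != addr:
        findings.append("display name contains a different email address")

    return findings


def flag_headers(headers):
    """Return only the (header, findings) pairs that raised at least one finding."""
    results = []
    for header in headers:
        findings = check_sender(header)
        if findings:
            results.append((header, findings))
    return results


# Constructed sample headers, not taken from real mail.
SAMPLE_HEADERS = [
    "Jane Doe <jdoe@example.edu>",
    "Jane Doe <jane.doe@mail.example.net>",
    '"helpdesk@example.edu" <billing@mail.example.net>',
    "Unknown Person <someone@example.org>",
]

if __name__ == "__main__":
    for header, findings in flag_headers(SAMPLE_HEADERS):
        print(header, "->", "; ".join(findings))
```

An unknown display name with an ordinary address raises nothing here; the check only catches a name that borrows the identity of a known contact or of another address.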


Protecting Against Identity Theft

As the holidays draw near, many consumers turn to the Internet to shop for goods and services. Although online shopping can offer convenience and save time, shoppers should be cautious online and protect personal information against identity theft. Identity thieves steal personal information, such as a credit card, and run up bills in the victim’s name.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages consumers to review the following tips to help reduce the risk of falling prey to identity theft:

If you believe you are a victim of identity theft, visit the FTC’s identity theft website to file a report and create a personal recovery plan. (11/30/18)


Holiday Shopping

At this time of year, we cannot stress enough to be cautious in holiday shopping, whether online or in person. If shopping online, make sure the website is secure with an https:// or a lock icon by the URL field.

Don’t click on links wanting you to track your holiday packages. Go to the shipping site directly. Be aware of who is handling your credit card when it is not in your possession.

Lifelock has a good article on tips for online shopping. It can be found at https://www.lifelock.com/learn-internet-security-safe-holiday-online-shopping-tips.html.

(Or search the Internet and find the article instead of clicking on a link!) (11/21/18)


National Fraud Day

November 11th was Veterans Day. We want to take a moment to thank all Veterans for their service.

Yesterday was also National Fraud Day. Unfortunately, fraud is a worsening problem. According to Javelin Strategy & Research, there were 16.7 million victims of identity fraud in 2017, beating the previous year’s record high. The total cost of that identity theft was a staggering $16.8 billion, and nearly a third of US consumers had to be notified of some sort of breach (remember the Equifax breach? There’s a good chance that you were one of the 143 million people affected by it). Account takeovers also tripled in 2017, causing a total of $5.1 billion in damages. On an individual level, each victim paid an average of $290 out-of-pocket and spent 15 hours trying to resolve the fraud. Not the way I’d like to spend my spare time or money!

So how can we as consumers protect ourselves? Passwords are a great place to start. Of those that participated in the Consumer Fraud Awareness survey by Shred-It, half felt that their security practices made them vulnerable (49%) and admitted to reusing passwords and PINs (51%). Clearly, consumers understand that bad password habits make them vulnerable, but they don’t change these habits. Perhaps the thought of having a strong password for each online account is too daunting. If you feel that way, maybe a password manager is an option to consider. At the very least, make sure that your financial accounts have strong passwords, even if it requires a little extra effort to remember them. Another option is good old-fashioned pen and paper. While you don’t want to leave Post-it notes with your most sensitive passwords on every surface of your cubicle or office, writing down an important password and keeping it in a fireproof lockbox is never a bad idea when the alternative is creating a weak password or reusing a password.

Finally, keep an eye on your accounts. You won’t be able to respond to an incident if you don’t know that it’s happened. Check your bank statements frequently and don’t forget that you’re entitled to one free credit check a year from each of the Big Three credit reporting agencies. If you spread these checks out throughout the year, you can check your credit at annualcreditreport.com for free every few months to make sure that someone hasn’t stolen your identity and is opening up lines of credit in your name.

Article: https://threatpost.com/threatlist-despite-fraud-awareness-password-reuse-persists-for-half-of-u-s-consumers/138846/   (11/16/18)


Ctrl-Alt-Delete

This week’s tip is a reminder that when you leave your seat, Ctrl–Alt–Delete! Make sure you lock your workstation or laptop while you are away from it. On a Mac? Try Control–Shift–Eject/Power. (11/02/18)


What is a Social Engineer?

This week’s tip is a reminder never to give out information without first verifying the identity of the person requesting it. A social engineer is a person who attempts to get confidential information purely through social skills, such as by calling and asking for passwords or other sensitive information. They will often claim to be a member of your organization or an organization that works directly with you, and may even know detailed information about your organization and your coworkers. Never give out information to anyone without verifying their identity first. Use a second means of communication to verify. This means that you shouldn’t reply to an email for verification but pick up a phone and call the requester, or go see them in person. (10/26/18)


Encrypt Sensitive Data

This week’s tip is a reminder to encrypt any sensitive data when stored and transmitted. This goes for internal emails also, not just information leaving the UTHSC system. The use of the vault (https://vault.utk.edu) is the best way to send confidential files quickly and securely. You can also encrypt emails by adding the word “encrypt” to the subject line of any email from the UTHSC domain.

More information about email encryption can be found at https://www.uthsc.edu/its/information-security/encrypt-your-email.php. (10/19/18)


Lock Your Mobile Devices

This week’s tip is short and sweet. Lock your mobile devices. Every one of them. Make sure your family members are locking theirs also. Think of how many apps have passwords that your phone or tablet automatically stores so that you don’t sign in every time you launch the app. Think about how much information someone could get if they got your phone and could access all that data. (10/12/18)


IoT Devices

The world’s population is 7.2 billion people. There are 255 births globally per minute. What is growing faster than that population? The Internet of Things. By 2020, it is estimated that there will be almost 31 billion IoT devices. Each one of these devices that connect you to the internet is a way into your network and your information. Change the default password on all these devices!

These are your smartphones, your in-home monitoring devices, your doorbells, kitchen appliances, TVs, insulin pumps, heart monitors, lawn mowers (believe it or not!), tablets…..and the list goes on and on. (10/10/18)


National Cybersecurity Awareness Month is Here!

This week’s theme for National Cybersecurity Awareness Month is “Make your Home a Haven for Online Safety”. Our UTHSC community consists of members from every generation with different thoughts on technology. What we all have in common, though, is a need for safety when using the internet, whether at home or at work.

Did you know that 48% of U.S. consumers intend to buy at least one smart home device in 2018? Privacy and security are of great concern when purchasing these devices. Everyone, no matter what generation, needs to continuously learn about and practice good cybersecurity at home.

Don’t be the weakest link!  Tips for staying safe online can be found at Stay Safe Online. (10/04/18)


USB Drives and Viruses

This week’s tip is a caution about USB drives. Remember that USB drives can carry viruses. Once plugged into a computer, a USB drive can transfer a virus or other malware to your system. Never plug an unknown USB drive into your device. Keep your USB drives clearly marked to prevent any confusion between you and your coworkers and always keep them in a specific place. (09/27/18)


Seriously - Never Share Your Password!

This week’s tip is a reminder to NEVER SHARE YOUR PASSWORD. If anyone is asking for your password, it is NOT for a legitimate reason. Your password is your gateway to whatever system you are accessing, whether it is a system on campus with your NetID, or your banking information, social media accounts, or other systems. Don’t give your access away. Keep your passwords private! (09/20/18)


Don't Click on Phishing Links

Because of the persistent phishing attempt that happened last Friday afternoon and over the weekend, this week’s tip is a reminder to not click on links in emails. While the phish was cleverly created, using a Subject line from a compromised account that was a current conversation, a hover over the link would have alerted everyone that it was not an Office 365 or Outlook message.

Take time before clicking on links to verify it is to a site you are expecting. This attack was widespread because it was pretty clever. We have to be just as clever and vigilant!

If your account was compromised and you have yet to speak to the Information Security Team about the content of your UTHSC emails, please contact the team at 901-448-1880.  (09/14/18)
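What hovering over a link reveals can also be checked in bulk on the mail server side. The following is an added example, not part of the original tip: it pulls every link out of an HTML email body and compares where it really goes with what the reader sees. The allowlist of expected domains, the sample message and all names in the code are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Assumed allowlist: domains a genuine Office 365 / Outlook link would point to.
EXPECTED_DOMAINS = {"office.com", "office365.com"}

# Visible link text that itself looks like a URL or host name.
URL_LIKE = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/?#]\S*)?$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.current_href = None
        self.current_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.current_href = dict(attrs).get("href") or ""
            self.current_text = []

    def handle_data(self, data):
        if self.current_href is not None:
            self.current_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.current_href is not None:
            self.links.append((self.current_href, "".join(self.current_text).strip()))
            self.current_href = None


def host_of(url):
    """Return the lower-cased host of a URL, with or without a scheme."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def in_domain(host, domain):
    """True only for the domain itself or a real subdomain of it.

    A plain substring test would accept 'office365.com.login.example.net'.
    """
    return host == domain or host.endswith("." + domain)


def review_links(html_body, expected=EXPECTED_DOMAINS):
    """Return [(href, [findings])] for links whose destination looks wrong."""
    collector = LinkCollector()
    collector.feed(html_body)
    flagged = []
    for href, text in collector.links:
        findings = []
        host = host_of(href)
        if not any(in_domain(host, d) for d in expected):
            findings.append("destination is outside the expected domains")
        if URL_LIKE.match(text) and host_of(text) != host:
            findings.append("visible text shows a different host than the destination")
        if findings:
            flagged.append((href, findings))
    return flagged


# Constructed sample message body, not taken from a real phish.
SAMPLE_BODY = """
<p>You have a new secure message.</p>
<a href="https://outlook.office365.com/mail/">Open Outlook</a>
<a href="https://office365.com.login.example.net/owa">https://outlook.office365.com/owa</a>
<a href="http://mail.example.org/read?id=1">Read message</a>
"""

if __name__ == "__main__":
    for href, findings in review_links(SAMPLE_BODY):
        print(href, "->", "; ".join(findings))
```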


National Preparedness Month

September is National Preparedness Month. While this is usually thought of as readiness for a natural disaster, the same is true about preparing for a cyber-related event, such as identity theft or a ransomware attack.

People are encouraged to be prepared in case of a cyber-related event by regularly backing up files, keeping digital copies of important documents somewhere other than your computer (e.g., in the cloud), and regularly running antivirus scans.

Learn more about individual and family emergency preparedness at Ready.gov. For additional resources on preparing for and responding to unexpected cyber-related events, see Ready.gov/Cybersecurity and the following NCCIC (National Cybersecurity & Communications Integration Center) Tips:

Stay safe and prepared!  (09/07/18)


Don't Open Attachments

This week’s tip (reminder) is about not opening attachments in emails. If you are not expecting a document to be delivered to you, proceed with caution! Email is an easy gateway to your devices and information. Macros in Word documents or PDFs can trigger things to happen that you aren’t even aware of. If you receive an attachment you are not expecting, contact the sender to ask about it. Don’t reply to the email, but use a second way of communication to verify. (08/31/18)


Change that Password

This week’s tip is to change your password immediately if you suspect that you have been compromised. This applies to your UTHSC NetID password, your banking accounts, social media accounts and everything else that is password protected. Also, NEVER use the same password for multiple accounts. Each account should have its own unique password. (08/24/18)


Just Don't Click!

This week’s tip is a reminder not to click on links in emails, even if it is from someone you supposedly know. UTHSC was hit hard this week with many people giving away their NetID passwords in a phishing scam. The phishers then used the Sent Items of those compromised accounts to pretend to “continue” a conversation, using the Subject line of a previous email, but asking the person to click on a link and sign in to read a message. This gave the bad people even more NetIDs and passwords to continue the phish.

Remember:

  • Do not click on links in emails!!!!!
  • If you have concerns about an email, call the person and ask if it is legitimate. DO NOT reply to the email, as the bad people have control of the account. Use a second means of communication.
  • Hover over links in emails to see exactly where they want you to go.
  • Do not click on links in emails!!!!!
  • Report any suspicious emails to abuse@uthsc.edu. The quicker we know, the faster we can stop the attack.
  • Do not click on links in emails!!!!!

Stay safe out there in the cyber world!

For more information, or if you would like an Information Security Team member to come talk to your group about this or any other InfoSec topic, contact the team at itsecurity@uthsc.edu. (08/17/18)


Password Protection and Reporting Suspicious Emails

Part One

You have been advised time and again not to share your password with anyone. That’s great! You know it and live it. But what happens when someone asks for it? You know not to give it out, but what do you say to this person (on the phone or in front of you)? You don’t want to be “rude,” you want to be accommodating, you are starting to stress because you don’t know how to respond.

Here is your response: “I have been told never to share my password with anyone. I will not give it to you.”  THE END

If they insist, simply repeat the script. It is all you need to say.

Part Two

This campus cannot be protected without you, the people. And yes, I mean you – each and every single one of you. It is so invaluable when a scam or phishing email is reported to abuse@uthsc.edu. As soon as it is reported, we go to work. If it is a link to a bad URL, we work with Networking to block the site so no one can get to it while on our network. If it is a widespread attack or a malicious download, we work with Systems to remove the email from everyone’s inbox so that no one has to even see it. Timeliness is the key. The sooner we know, the sooner we can act. Most of the time, the bad people don’t send the bad emails to us personally, so we don’t know about it until someone reports it.

So, the big, well deserved THANK YOU goes out to everyone who reports these phishes and scams to abuse@uthsc.edu. Your help is appreciated more than you know. We invite everyone to send in your suspicious emails. Even if you are unsure, forward it to us. We’ll let you know if it is legitimate. Better safe than sorry. (08/10/18)


Toolbar Downloads

This week’s tip is about those pesky toolbars that software downloads want you to load. These usually come as a small check mark when downloading software (as a “free” install). These toolbars can be a nuisance or even malicious. Be cautious about what you download! (08/03/18)


Protect Your Personal Information

Companies you do business with should never ask for your account information, credit card numbers or password in an email. If you have any questions about an email you receive that supposedly came from your financial institution or service provider, contact them directly (not by replying to the email) to verify. (07/27/18)


Tech Support Scams

The Federal Trade Commission has released an alert on tech support scams. Scammers use pop-up messages, websites, emails, and phone calls to entice users to pay for fraudulent tech support services to repair problems that don’t exist. (07/20/18)


Use Care When Logging In

This week’s tip is a reminder to be careful WHERE you log in. Don’t log in to untrusted devices. A password is only as secure as the computer or network it is used on. As such, never log in to a sensitive account from a public computer, such as computers in a cyber cafe, hotel lobby or conference hall. (07/13/18)


Don't Click Links!

At least in unsolicited emails, that is.  Holiday weeks usually see a spike in phishing attempts, and this week was no exception. Did you get an email this week with a subject of “Thank you for your contribution” or “Termination Notice”? How about “Update Required!!” or “PART TIME JOB OPPORTUNITY”? (Got to love the ALL CAPS!). (07/06/18)


Managing Your Privacy Settings Online

You get great advice that you need to manage your privacy settings, but how do you go about doing that on each app that you have? The National Cyber Security Alliance has a great web page that gives clear instructions on how to manage your privacy settings for many common apps. (06/29/18)


Safety Awareness Month

Does anyone know what June is? It still is Internet Safety Awareness Month. This week’s tip is about malware, ransomware and botnets. Botnets? What are those? Can they hurt my devices? Educating yourself about what is out there that can harm you is half the battle of keeping safe. Learn more about it!

The National Cyber Security Alliance has an article about all of these issues.  They even have tip sheets that would be great for your office area, or your family members. (06/22/18)


Backups!

These days, our digital devices contain vast amounts of data, from family photos and music collections to financial/health records and personal contacts. While convenient, storing all this information on a computer or mobile phone comes with the risk of being lost. Here's the entire article about the importance of backing it up! (06/15/18)


Shopping Online

Let’s talk about online shopping. There are many ways to stay safe online when you shop. The National Cyber Security Alliance has a comprehensive article about how to protect yourself when shopping online.  (06/08/18)


Internet Safety Month

June is Internet Safety Month, so all the tips this month will have the theme of Internet Safety. This week’s tip is about Spam and Phishing. Wait, isn’t that about emails?
While you would normally associate those attacks with email, they can come from other sources such as social media and other communications. And they most likely want you to access the internet so they can gain your information.

Here are some tips on how to avoid being a victim:

  • Don’t reveal personal or financial information in an email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Before sending or entering sensitive information online, check the security of the website.
  • Pay attention to the website’s URL. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com versus .net).
  • If you are unsure whether an email request is legitimate, forward the email to abuse@uthsc.edu. We can check it out, and if it is a malicious email, we can block the website so other campus members cannot click on the link.
  • Keep a clean machine. Keep all software on internet-connected devices – including PCs, smartphones and tablets – up to date to reduce risk of infection from malware.
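
The "hover over links" advice in the Just Don't Click! tip and the "pay attention to the website's URL" advice in the list above can also be applied by a script to the HTML body of a reported message. The Python below is an added example, not part of the original tips or of any UTHSC tool; the allowlist, the reserved .example and .test domains, and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: the sites this reader expects sign-in links to use.
EXPECTED = {"campus.example"}

# Constructed sample body; .example and .test are reserved, non-routable names.
SAMPLE = """
<p>Re: Budget meeting notes. You have a new secure message:</p>
<a href="https://campus.example.mail-view.test/signin">https://campus.example/mail</a>
<a href="https://login.campvs.example/">Sign in to read the message</a>
<a href="https://campus.test/owa">Open message</a>
<a href="https://www.campus.example/help">IT help page</a>
<a href="mailto:abuse@campus.example">abuse@campus.example</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host name of an http(s) URL, or '' for anything else."""
    try:
        parts = urlsplit(url.strip())
        return (parts.hostname or "") if parts.scheme in ("http", "https") else ""
    except ValueError:
        return ""


def site(host):
    """Last two labels of a host (simplification: ignores suffixes such as .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-letter spelling variations."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[len(b)]


def check_link(href, text):
    """Reasons a link deserves a second look; an empty list means none found."""
    target = host_of(href)
    if not target:
        return ["link is not a plain http(s) URL"]
    target_site, reasons, shown = site(target), [], text.strip()
    # What "hovering" reveals: the text names one site, the link goes to another.
    if shown and " " not in shown and "." in shown:
        shown_host = host_of(shown if "://" in shown else "https://" + shown)
        if shown_host and site(shown_host) != target_site:
            reasons.append(f"text shows {site(shown_host)} but link goes to {target_site}")
    if target_site in EXPECTED:
        return reasons
    before = len(reasons)
    name, _, ending = target_site.rpartition(".")
    for good in sorted(EXPECTED):
        if name == good.rpartition(".")[0] and ending != good.rpartition(".")[2]:
            reasons.append(f"{target_site} differs from {good} only in its ending")
        elif 0 < edit_distance(target_site, good) <= 2:
            reasons.append(f"{target_site} is spelled almost like {good}")
    if len(reasons) == before:
        reasons.append(f"{target_site} is not a site you were expecting")
    return reasons


def check_email(html_body):
    """Map each flagged link in an HTML e-mail body to its list of reasons."""
    parser = LinkExtractor()
    parser.feed(html_body)
    parser.close()
    return {href: why for href, text in parser.links
            if not href.lower().startswith("mailto:") and (why := check_link(href, text))}
```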

The National Cyber Security Alliance's full article about Spam and Phishing.

Stay safe in the world wide web! (06/01/18)


What is Malware?

Malware is software–a computer program–used to perform malicious actions. In fact, the term malware is a combination of the words malicious and software. Cyber criminals install malware on your computers or devices to gain control over them or gain access to what they contain. Once installed, these attackers can use malware to spy on your online activities, steal your passwords and files, or use your system to attack others. (05/25/18)


Stow It!

Any time that you are staying somewhere away from home, protect your information by storing all devices as securely as possible. If there is no safe in your hotel room, ask the front desk if they have a general-purpose hotel safe that you can use. Otherwise, you should secure your items by locking them up in luggage whenever you are not using them. (05/18/18)


Bluetooth

This week’s tip is about Bluetooth. When not in use, turn it off. Not only does this make it more secure, but it also saves battery life. (05/10/18)


Never Share Your Password

NEVER give your password to anyone. Once it is no longer a secret, it is no longer secure. If anyone calls saying they are from the help desk or tech support team and asks for your password, they are not legitimate. It is someone trying to access your credentials.

Twitter announced yesterday that everyone with an account should change their password. It seems as if Twitter stored everyone’s password in an internal file that was not encrypted. While they claim that the password file was not breached or exposed in any way, they are recommending that every Twitter account user change their password. Might be a good time to update those privacy settings, too! (05/04/18)


Lock It Up!

When away from your devices, whether it is a quick trip to get a cup of coffee down the hall or going to a meeting, lock your devices so others cannot gain access. Leaving your seat? Ctrl–Alt–Delete! Make sure you lock your workstation or laptop while you are away from it. On a Mac? Try Control–Shift–Eject/Power.  (04/27/18)


Keep an Eye on Attachments

A common method cyber criminals use to hack into people’s computers is to send them emails with infected attachments. People are tricked into opening these attachments because they appear to come from someone or something they know and trust. Only open email attachments that you were expecting. Not sure about an email? Call the person to confirm they sent it. (04/20/18)


Mobile Apps and Social Media

With an estimated 87 million Facebook users’ information disclosed, now is a great time to check your privacy settings on all social media accounts and mobile apps. Also, make sure that your mobile apps come from trusted sources. If an app is brand new, has few reviews or many negative reviews, then choose a different one. (04/13/18)


Review All Programs on your Devices

Decide if you still use them or if they can be removed. Outdated software and operating systems (OS) are unlocked doors into your information. Just like you clean out your refrigerator, pantry or closet in a timely manner, do the same to your electronic devices… all of them! (04/06/18)


Securely Disposing of Your Mobile Device

(by Heather Mahalik, Digital Forensics Expert)

There is most likely a tremendous amount of sensitive information on your mobile device.  Regardless of how you dispose of your mobile device, such as donating it, exchanging it for a new one, giving it to another family member, reselling it, or even throwing it out, you need to be sure you first erase all of that sensitive information. You may not realize it, but simply deleting data is not enough; it can easily be recovered using free tools found on the Internet.  Instead, you need to securely erase all the data on your device, which is called wiping. This actually overwrites the information, ensuring it cannot be recovered or rendering it unrecoverable. Remember, before you wipe all of your data, you most likely want to back it up first. This way, you can easily rebuild your new device.

The easiest way to securely wipe your device is to use its “factory reset” function. This will return the device to the condition it was in when you first bought it. We have found that factory reset will provide the most secure and simplest method for removing data from your mobile device. The factory reset function varies among devices; listed below are the steps for the two most popular devices:

  • Apple iOS Devices: Settings | General | Reset | Erase All Content and Settings
  • Android Devices: Settings | Privacy | Factory Data Reset

Unfortunately, removing personal data from Windows Phone devices is not as simple as a factory reset. More research is being conducted on methods to ensure your personal data is wiped from the device. If you still have questions about how to do a factory reset, check your owner’s manual or manufacturer’s website. Remember, simply deleting your personal data is not enough, as it can be easily recovered. (03/29/18)


Outlook's Preview Pane

Use Outlook’s preview pane to view attachments for credibility before opening. Don’t open attachments that you are not expecting, or from people you don’t know. (03/23/18)


Scams Specifically Designed for Universities and their Students

Arizona State University created a public service video using some pieces of an actual scam one of their international students recorded. The two minute video has some very good tips and advice. It can be found at https://youtu.be/U7KV6h67U40.

(Thank you, Connie Childs from International Affairs, for forwarding!) If you have a tip you would like to share or a topic you would like discussed in these weekly tips, please email Chris Madeksho, Information Security Coordinator, at mmadeksh@uthsc.edu. (03/16/18)


Detecting Fraud

Review your bank, credit card and financial statements regularly to identify unauthorized activity. This is one of the most effective ways to quickly detect if your bank account, credit card or identity has been compromised. (03/09/18)


Protect Your Social Media

A strong password or passphrase is key to keeping your information private. Also, check the privacy settings to make sure that you are not sharing information you don’t want to. Last, use two-factor authentication whenever possible. (03/02/18)


Prevent Device Loss

According to the Verizon DBIR report, you are 100 times more likely to lose a laptop or mobile device than to have it stolen. When traveling, always double-check to make sure you have your mobile device with you, such as when leaving airport security, exiting your taxi or checking out of your hotel. (02/23/18)


Scams, Scams, Scams and more Scams!

This week’s tip is a reminder that there are always numerous scams where criminals are trying to social engineer you out of money or your personal information. They use whatever scheme works.

Examples are calls/texts from the IRS stating you owe taxes.  How about a donation to help fund the Olympic team on their quest for gold? In the news this morning was the “Love Scam” where people are getting messages that someone has compromising pictures of them, or proof that they did inappropriate acts and will make the situation go away for just a little fee.

The Online Threat Alerts website keeps track of the latest online scams.

Stay safe everyone!  If something looks too good to be true, it probably is.  If you have any questions about an email, phone call or text message, don’t hesitate to contact the Information Security team at itsecurity@uthsc.edu for help. (02/16/18)


Email Attachments

We’ve had a rash of phishing attempts on campus with attached “receipts” or “invoices” that need attention. If you are not expecting an invoice or a receipt for something you purchased, DO NOT OPEN THE ATTACHMENT. It is probably meant for malicious purposes. Send any questionable emails to abuse@uthsc.edu. (02/09/18)


Trust Your Instincts

Common sense is your best protection. If an email, phone call or online message seems odd, suspicious or too good to be true, it may be an attack.  If you receive any such message, report it to abuse@uthsc.edu.  We can let you know if it is a legitimate message or if you are being phished.

Two of the modules in the Information Security Training are about Social Engineering and Email, Phishing and Messaging. These along with the other modules are helpful information for everyone personally.

Make sure you and your coworkers have completed the Information Security Training for the 2017-18 academic year. The information you receive is very much worth the 30-40 minutes of your time. (And it is required training.) (02/02/18)


Malware

Malware is software–a computer program–used to perform malicious actions. In fact, the term malware is a combination of the words malicious and software. Cyber criminals install malware on your computers or devices to gain control over them or gain access to what they contain. Once installed, these attackers can use malware to spy on your online activities, steal your passwords and files, or use your system to attack others. (01/26/18)


Social Engineers

This week’s tip, from inspiredelearning.com, is to be suspicious of people you don’t know who ask for information.

“Social engineers” use lies and manipulation to trick people into giving away sensitive information, such as usernames, passwords, and credit card numbers.  Don’t fall for it!  Follow these best practices: always maintain a healthy sense of skepticism when dealing with unknown individuals, especially if they ask for any internal or sensitive information. (01/18/18)


Major News Events and Phishing

When a major news event happens, cyber criminals will take advantage of the incident and send phishing emails with a subject line related to the event. These phishing emails often include a link to malicious websites, an infected attachment or are a scam designed to trick you out of your money. (01/05/18)


Fraudulent Emails

The FBI Internet Crime Complaint Center is warning consumers about a fraudulent email scam. The emails claim to be from one of three shipping businesses and claim that a package intended for the email recipient cannot be delivered. The messages include a link that recipients are encouraged to open in order to get an invoice to pick up the package. However, the link connects to a site containing malware that can infect computers and steal the user’s account credentials, log into the accounts to obtain credit card information and additional personal information, and learn about a user’s shipping history for future cyberattacks.

The messages may consist of subject lines such as: “Your Order is Ready for Shipment,” “We Could Not Deliver Your Package” or “Please Confirm Delivery.” The shipping companies say they do not send unsolicited emails to customers requesting information regarding packages, invoices, account numbers, passwords or personal information and, if you receive such a notice, don’t respond. You should delete the email immediately or forward it to the company’s listed contact email address. If your interaction with the website resulted in financial loss you should contact your bank immediately.

If you unintentionally visited or encountered a site suspected of utilizing this scam, you may also report it to your local FBI Office and/or the Internet Crime Complaint Center (IC3): www.ic3.gov. (12/22/17) 


Multi-factor Authentication

Multi-factor authentication is the practice of needing more than just a password to log into a system or application. It is one of the best ways to secure any account. Usually the second step is a code that is sent to an outside receiver, such as a cell phone. If you don’t have both the password and the pass code, you don’t get in. Many services, such as Google and Facebook, allow a user to have two-factor authentication. (12/15/17)


Don't Fall for It!

There are two prevalent holiday themed phishing schemes that happen this time every year. The most common is the email letting you “track your package” by clicking on a link. Don’t fall for it.  If you really are expecting a package, or get a notification about a delivery, go to the website from which you purchased the item and track your order from there.

The second phishing scheme, which is gaining in popularity, is fake shopping sites. These are sites either found on social media or delivered via email, enticing you with a product that would make a great gift for a loved one. They want you to click on the link to go shopping, and the website might even look legit. However, all they want is your credit card and other personal information. Only go to trusted sites to do any online holiday shopping.

When shopping online, look for https:// in the URL or a green lock symbol to verify that the site you are on is secure. (12/08/17) 


National Tax Security Awareness Week

This week has been designated as National Tax Security Awareness Week. The IRS has been publishing tips and news releases all week to encourage both individual and business taxpayers to take steps to protect their tax data and identities in advance of the 2018 filing season. All their information can be found at https://www.irs.gov/newsroom/national-tax-security-awareness-week-2017. (12/01/17)


Shopping Tips

Be cautious of emails or texts you receive that look like they are from shipping companies wanting you to “track” a package. Do you click on links in emails?  NO!!!! Think if you even have a package to track. If so, go to the shipping company’s webpage to track it. Other holiday schemes seen every year are fake charities hoping to cash in on your generosity. Never respond to an email from a person you do not know.

Shopping online this season? Be careful about what personal and financial information you give away and to whom. Make sure that you are on a secure website (https://) or see the lock symbol next to the URL.

Also – think about what you are buying. Are you purchasing something that either you or the person receiving the gift will connect to the internet? Make sure it is secure.

There is an Online Holiday Shopping tip sheet from the National Cyber Security Alliance that can be found here:  https://staysafeonline.org/resource/happy-online-holiday-shopping/. (11/22/17) 


Never Share Your Password

This week’s tip is a reminder NEVER to give your password to anyone. Once it is given out, it is no longer secure. The Help Desk will never ask for your password. If someone calls you and asks for your password while saying they are from the Help Desk or Tech Support team, it is an attacker attempting to gain access to your account.

Be cautious of anyone asking for personal or sensitive information if you are not completely sure of who they are. Just because they say they are from your bank, doctor’s office, or another trusted place, doesn’t mean that they really are.  Use another means of validating their request for information, such as visiting their website directly from a browser, or calling them directly (not from a phone number listed in an email). (11/17/17) 


You're the Weakest Link

This week’s tip is a reminder that you are the weakest link regarding the security of your information. You don’t have a firewall protecting what you say.

Sites have requirements on passwords (how long, special characters, etc.), but if you still use your name and your birthdate, bad guys can figure it out.

If you post everything about you online, bad guys will learn your habits, your family’s information, and who your best friend is. They can also find out when your entire family is on vacation and know when you will be out of your house for an entire week.  Why???  BECAUSE YOU TOLD THEM.

Be cautious about what you say, who you say it to, what you post online and what you receive in email or text messaging.

All this information is covered in this year’s Information Security Training, available now in Blackboard. (11/10/17) 


Clean Machine

Keep a clean machine. Cyber criminals frequently exploit vulnerabilities in old software for their attacks, which is why it is essential to regularly update the software on your Internet-connected devices (including PCs, smartphones, and tablets) to reduce the risk of infection from viruses and malware. (11/03/17) 


Share with Care

Share with care. Think before posting about yourself and others online. Once you post something publicly, it can never be fully deleted, so use caution. Consider what a post reveals, who might see it, and how it could be perceived now and in the future. Remember that future job recruiters and employers will likely look at your social media history and online presence, so make sure that you maintain a good reputation online. (10/27/17)


Value it. Protect it.

Treat personal information like money. Value it. Protect it. Information about you, such as your purchase history and location, has value – just like money. Not all apps and websites are reputable, so it’s up to you to protect your data from being misused. Be sure to read privacy policies and know what information an app, device, or website will collect about you to determine if you really want to share such details. Always be cautious about who you give your information to online. Research an app or device manufacturer or read independent reviews of a website before you trust them. (10/19/17)


Own Your Online Presence

Control and limit who can see your information online by checking the privacy and security settings on your accounts and apps. Anything you post publicly could potentially be seen by a cyber criminal, so keep your personal information private. Your phone number, birthdate, address, and even pictures that show the license plate on your vehicle should not be posted publicly. You should also turn off geotagging and location features on your mobile devices so criminals don’t know where you are in real time. (10/13/17)


National Cyber Security Month

In conjunction with National Cyber Security Month, these weekly tips in October will be brought to you by the Department of Homeland Security.

One small step can make a big difference in your online security. Each week during NCSAM, we’re sharing a quick and easy tip that you can try today to better protect yourself online.

Lock down your login. Usernames and passwords are often not enough to protect important accounts like email, banking, and social media. Fortify your accounts by enabling the strongest authentication tools available, such as multi-factor authentication for your online accounts and fingerprint identification and security keys to lock your mobile device.

The White House launched the “Lock Down Your Login” campaign to encourage all Americans to enable stronger authentication. Visit www.lockdownyourlogin.com for more information. (10/05/17) 


Bluetooth

Turn off Bluetooth if you are not using it on your computer or device. Not only does this make it more secure, but it also saves battery life. (09/29/17)


Email Attachments

A common method cyber criminals use to hack into people’s computers is to send them emails with infected attachments. People are tricked into opening these attachments because they appear to come from someone or something they know and trust. Only open email attachments that you were expecting. Not sure about an email? Call the person to confirm they sent it. (09/22/17)


CEO Fraud

CEO Fraud is a type of targeted attack. It commonly involves a cyber criminal pretending to be your boss, teacher or someone else in authority in our organization, then tricking or fooling you into sending the criminal highly sensitive information or initiating a wire transfer. Be highly suspicious of any emails demanding immediate action and/or asking you to bypass any security procedures. (09/15/17)


Protect Your Personal Information

With the announcement from Equifax yesterday about a breach of data affecting some 143 million Americans’ personal information, the Information Security Team would like to remind everyone what steps you can take to stay safer and more secure online. These tips come from the National Cyber Security Alliance.

Following any breach, everyone can better protect their accounts by following these steps to stay safer and more secure online, including:

  • Lock down your login. Use strong authentication — more than a username and password to access accounts — to protect your most valuable accounts, including email, social media and financial.
  • Keep clean machines: Prevent infections by updating critical software as soon as patches or new operating system versions are available. This includes mobile and other internet-connected devices.
  • Monitor activity on your financial and credit card accounts. If appropriate, implement a fraud alert or credit freeze with one of the three credit bureaus (this is free and may be included if credit monitoring is provided post breach). For more information, visit the Federal Trade Commission website identitytheft.gov.
  • When in doubt, throw it out. Scammers and others have been known to use data breaches and other incidents to send out emails and posts related to the incident to lure people into providing their information. Delete any suspicious emails or posts, and get information only from legitimate sources. (09/08/17) 

Last Published: May 17, 2019