October is National Cyber Security Awareness Month, and this year celebrates its 10th anniversary (as well as the first time we’re highlighting it at New Paltz). This month, we will be kicking off some new promotional material focusing on Cyber Security Awareness. You’ll be seeing these around campus starting this week.
The campaign’s slogan is: STOP. THINK. CONNECT. What does it mean?
STOP: Before you use the Internet (including email, social media, eCommerce sites, and campus systems and services), take time to understand the risks and learn to spot potential problems.
THINK: Take a moment to make certain the path ahead is clear. Consider whether you are at a legitimate site, or one that is appearing to be legitimate.
CONNECT: Enjoy the Internet with greater confidence, knowing you’ve taken the right steps to safeguard yourself, your computer, and (for faculty & staff) the sensitive data that you may have access to.
These aren’t just meaningless slogans. When our faculty & staff have fallen for scams, they almost always say after the fact “I just wasn’t thinking” or something of that nature. With how fast our lives and communications move, we start operating almost automatically and it’s easy to skip thinking about the situation you’re in. Online, though, you have to stay mindful of what you are doing before connecting to the site or system you are using.
So you’ve heard all our warnings and pleadings about fraudulent attempts to get your campus username & password. You may be thinking “So what? It’s not like I have anything important on my New Paltz account, what does it matter?” or, more commonly, “Why are they (the scammers) even bothering?”
Well, there are lots of reasons to be concerned. Aside from the duty all employees have to safeguard their usernames and passwords as a matter of policy, there are several types of harm that can come from your username & password being obtained by criminals (i.e., being phished).
- Many people on campus have access to sensitive information (in sources such as Banner, Blackboard, or their campus Email account). Inadvertently giving your credentials out to criminals can potentially expose these sources of information.
- A phished account is almost always used to send fraudulent messages. These fraudulent messages will be sent not only to random people around the world, but your own colleagues and contacts in your address book. Future messages to these people even after your account has been cleaned up may be blocked (since past messages from your account were fraudulent).
- You could cause mail from SUNY New Paltz to be blocked or delayed. When email service providers detect an inordinate amount of spam complaints about mail from a certain source (such as SUNY New Paltz), they may block or throttle all of it over time. Getting these blocks removed takes time and mail to our students, faculty, and staff could be lost during the block.
- Having your New Paltz account compromised could lead to other, personal accounts (your financial accounts, your social media accounts, etc) being compromised. If you either used the same password on your New Paltz account as other sites (which you shouldn’t) or you used your New Paltz account as the ‘recovery email’ for another site, you are leaving yourself at risk if your New Paltz account is compromised.
Everyone has seen or heard about scam emails that try to get you to give out sensitive information (usernames, passwords, bank account numbers, Social Security numbers, etc.) or that carry viruses. What is becoming more common, though, is computer-related fraud over the phone.
How to recognize fraudulent phone calls
- The caller will state that they are from “Windows Support”, “Google Support”, or some other technology company. They will say they are calling about your computer.
- The calls will frequently (though not always) have international or odd (not the standard digits) caller ID numbers.
- The calls will be unsolicited (they won’t be a follow-up to an existing support case you may have).
- The callers will often speak in heavily accented English.
What to do if you receive such a phone call
Just hang up. Don’t give your name or any other information to the caller and definitely do not follow any of the instructions they tell you.
If you’ve already been a victim of these calls
If you have already been contacted by these callers, and did what they asked you, then do the following:
- First – change ALL passwords to sensitive sites that you use, especially financial institutions, New Paltz accounts, other email accounts, and social networking.
- If you are a faculty or staff member and this happened on your office or other campus-owned computer, contact the Faculty/Staff Help Desk for assistance in cleaning out your computer of any malware the criminals had installed.
- If you are a faculty or staff member and this happened to your personal computer, seek professional assistance (via a local computer repair service) to make sure your computer is virus/malware free.
- If you are a student, seek assistance at the Student Help Desk.
By now, most people have seen at least one phishing email. The campus was hit with a few very widespread mailings earlier in the Fall 2012 semester. We’re going to cover what Phishing is, why it is used by criminals, and most importantly how to recognize it when you see it.
What is Phishing?
The term is a portmanteau of phreaking and fishing. The term is used to describe methods where a user is baited into getting hooked by a scam. The actual bait used can be a promise of reward (click here to win!) but is more commonly a warning or threat. This includes phrases such as “click here to validate your account within 48 hours or your email will be shutdown“, or “we’ve seen suspicious activity on your account, reply back with your username and account number to prevent your credit card from being closed”.
What is their purpose?
It depends on what kind of email you are receiving and what the immediate goal of the scammer is, but the end goal is always financial gain for the criminals involved. There are two main types of phishing emails, which I’m going to call primary and secondary phishing.
Primary phishing is when the criminals are looking for the information that will net them actual financial gain. This is usually credit card numbers, bank account numbers, usernames & passwords for banks, PayPal, or eCommerce sites, etc. When users provide this information to the criminals, funds are pulled from these accounts (often within minutes). It is much harder for the scammers to get these messages through spam filters, especially when they are sent from random free email accounts like AOL or Hotmail.
Secondary phishing is when the criminals are looking to obtain usernames & passwords for email accounts, especially at ‘trusted’ email providers like businesses or colleges. These emails try to get you to think something will happen to your email account if you don’t comply. They may not even try that and will just have an email with a link (and the link asks you for your username & password). When the scammers have the usernames & passwords for accounts at trusted providers such as SUNY New Paltz, they are then free to send their fraudulent emails for financial gain (Primary Phishing) to addresses across the Internet, with more likelihood that they will be allowed through spam filters.
How to recognize phishing
- Be cautious about clicking on links in emails, and be doubly cautious if you have clicked a link and it brought you to a page that requires you to login.
- Don’t be fooled by names alone. For more sophisticated phishing attacks, the criminals will take the time to study their targets. They may put the name of someone you know in the email to make it look more trustworthy.
- Think about what you are being asked to do. If the sender is legitimate, do they really need what they are asking? For example, a common tactic is for scammers to ask you to validate your account by logging in. If you’ve received their email (and you already have to login to access your email) then what is the point of this supposed validation?
- Phishing doesn’t just happen over email. It can happen over the phone as well. If someone calls saying they are from your bank (especially when they don’t even mention the NAME of the bank), you do not have to verify who you are to them; they called you. Ask them to verify who they are. If in doubt, hang up and call the business or institution directly, using a number from your statement, card, etc., not one the caller gives you.
If you follow a few safety guidelines, it’s really not difficult to protect your computer from getting infected with viruses, spyware, and other malware. It’s equal parts technical protections and common sense.
- Keep your software updated. It’s extremely important to have your computer’s software up-to-date. This is especially true for the following (which are the most common vectors for virus infection):
- Operating system updates (Windows Updates and any Apple updates)
- Updates to Adobe Flash & Adobe PDF
- Updates to Java (note: when Java updates, if you don’t specifically uncheck a box during the install, it will want to install an unneeded ‘toolbar’. Make sure to uncheck any unneeded extras that are offered when updating.)
- Updates to your web browser. Recent versions of Firefox, and all versions of Google Chrome automatically update to the latest version. Note: Internet Explorer 9 is still not certified with Banner. If you use Banner in your office, don’t update to Internet Explorer 9.
- Be cautious about what you are downloading online. Don’t pollute your computer with toolbars, screensavers, cool mouse cursors, etc. Don’t download games to your work computer.
- When downloading something, ask yourself if you need it (and if you’re at work, ask yourself if its appropriate for your work computer).
- Don’t believe warnings about viruses on your computer unless they come from the anti-virus software you actually have installed. A common tactic of criminals is to show fraudulent virus warnings on websites (either as ads or pop-ups). Legitimate anti-virus messages will come from Symantec on campus computers and from whatever anti-virus you have installed on your home computer.
For extra protection, consider using Mozilla Firefox or Google Chrome with an Ad Blocking plugin for your web browsing whenever possible. You’ll have to continue using Internet Explorer for Argos and Banner for now at least.
Ad Block Plus is available for Mozilla Firefox and Google Chrome at: http://adblockplus.org
As we have advised in the past, it is a good practice to keep separate accounts for work and personal email. In this age of e-discovery, this is becoming even more important.
It has always been a best practice to have a campus Zimbra account to use for work email and calendar. Those of us who started using “newpaltz.edu” years ago may have had a mixture of personal and College emails going to that account. In addition, a few of us may not want to “bother” checking two accounts, and so we forward all of our “newpaltz.edu” email to our Google or Hotmail account and read and respond to work correspondence from there. This is not a good practice. Security may well be different on your personal email account, and it is best to keep potentially private correspondence about staff and students in a more secure place. Also important, we are in the age of e-discovery, where electronic correspondence may need to be archived and reviewed subject to a court order for cases pending against the University. If you have a mixture of College and personal emails going to a single account, everything co-mingled in that account may be scanned subject to the court order. This unintended and undesirable consequence is easily avoided by having a “work” email account which is used strictly for College business.
If you’ve been keeping things together for a long time (and having personal mail sent to your New Paltz email), now is a good time to start weaning yourself off this. Set up a personal email account (if you don’t have one, we recommend Gmail) and start having your friends and personal contacts use that address instead of your New Paltz account. It’s not something you have to cut over all in one day (and doing so gradually will make the process easier). Aside from that, it’s nice to be able to check your personal email at home & on vacation without seeing your work email hanging over you!
One of the major ways that security issues happen is when people click on what they think are safe, legitimate links in email, but which are in fact fraudulent. Before getting started on how to recognize these, I’m including some links below. I’ve made all except the last non-clickable since some of them are fake. Which of the following are real and which are fake? Look at each one carefully and guess.
- Fake: when looking at a web address, separate it into two parts. The first is the ‘domain name’, which is everything between the “http://” (or “https://”) and the next forward slash (/). In this case, that would be www.newpaltz.wordpress.com. This site has newpaltz in the name, but it is really a ‘subdomain’ of wordpress.com, controlled by whoever set up that subdomain, not by the College. That is not legitimate, but it is a common tactic by criminals: put some portion of the ‘target’ in the subdomain to make it look real.
- Real: The portion before the first / is a newpaltz.edu site. This is legitimate even though it mentions www3 instead of www.
- Fake: The address after the slash is chosen to make it look like it belongs to SUNY New Paltz but it is an external site.
- Uncertain but potentially dangerous: This is a Google Docs link. If you go to this site and just see a document, reading it is safe. If you go to this link and it asks you to log in, then you should be extremely suspicious. There are some RARE circumstances where you do need to log in to see a Google Doc, but you would almost certainly be expecting these (i.e., it’s coming from a student or classmate who is sharing a document with you).
- Fake: We’re newpaltz.edu not newpaltz.com
- Fake: The link ‘text’ is blackboard.newpaltz.edu, but if you hover over the link with your cursor, you’ll see that it’s not bringing you to Blackboard but to an alternate site (scamsite.com here, although a real destination may not look that obviously suspicious).
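As an added example (this is not part of the original newsletter), the following Python script applies the rules above mechanically: it looks only at the part before the first slash, reduces that hostname to the domain that was actually registered, flags a campus name used as someone else’s subdomain, a swapped top-level domain, or a campus name hidden in the path, and compares the visible link text with the real destination. The trusted-domain list, the sample links, and the “registrable domain is the last two labels” rule are assumptions for the example; real tooling would use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Domains the campus actually owns. Assumption for this example: only newpaltz.edu.
TRUSTED_DOMAINS = {"newpaltz.edu"}
# Names a scammer would borrow for decoration: the left-most label of each trusted domain.
BRAND_WORDS = {d.split(".")[0] for d in TRUSTED_DOMAINS}


def _normalize(url):
    """Assume http:// when a bare hostname or host/path is given."""
    return url if "://" in url else "http://" + url


def host_of(url):
    """Lowercased hostname of a URL: the part before the first '/' after the scheme."""
    return (urlsplit(_normalize(url)).hostname or "").lower().rstrip(".")


def registrable_domain(host):
    """Last two labels of a hostname: 'www3.newpaltz.edu' -> 'newpaltz.edu'.
    Simplification (assumption): production code consults the Public Suffix List
    so that suffixes like 'co.uk' are handled; adequate for .edu/.com/.org here."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_link(href, text=None):
    """Return (verdict, reason) for a link, following the newsletter's rules.
    Only the hostname decides who owns the page; the path is just decoration."""
    host = host_of(href)
    domain = registrable_domain(host)
    path = urlsplit(_normalize(href)).path.lower()

    # Rule 1: the displayed text names one site but the href goes somewhere else.
    if text and "." in text:
        text_domain = registrable_domain(host_of(text.strip()))
        if text_domain != domain:
            return "fake", f"link text shows {text_domain} but the destination is {domain}"

    # Rule 2: the registered domain is one the campus owns (www3 vs. www does not matter).
    if domain in TRUSTED_DOMAINS:
        return "real", f"{host} is under {domain}"

    # Rule 3: a campus name used as a subdomain of, or with a swapped TLD on,
    # a domain the campus does not own (newpaltz.wordpress.com, newpaltz.com).
    for brand in BRAND_WORDS:
        if brand in host.split("."):
            return "fake", f"{host} belongs to {domain}, not the campus; '{brand}' is only decoration"

    # Rule 4: the campus name appears only after the first '/'.
    for brand in BRAND_WORDS:
        if brand in path:
            return "fake", f"'{brand}' is in the path, but the site is {domain}"

    # Rule 5: some other site entirely; fine to read, suspicious if it asks for a login.
    return "uncertain", f"{domain} is an external site; never log in there with campus credentials"


if __name__ == "__main__":
    # Constructed sample links modelled on the newsletter's quiz (not the original links).
    samples = [
        ("http://www.newpaltz.wordpress.com/login", None),
        ("https://www3.newpaltz.edu/some/page", None),
        ("http://example.com/newpaltz.edu/login", None),
        ("https://docs.google.com/document/d/abc", None),
        ("http://www.newpaltz.com/", None),
        ("http://scamsite.com/login", "blackboard.newpaltz.edu"),
    ]
    for href, text in samples:
        verdict, reason = classify_link(href, text)
        shown = f" (shown as {text})" if text else ""
        print(f"{verdict:9} {href}{shown}: {reason}")
```

The script only catches the tricks described in the quiz. It will not notice a misspelled lookalike such as a digit “1” in place of an “l”, or a domain that simply resembles the campus name, so hovering and reading the address yourself is still the final check.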
For more examples, we highly recommend taking these two online quizzes. Take them and see how you do. For those you get wrong, look carefully as to what caught you.
Welcome to “Hawkland Security”, the Information Security Awareness site of SUNY New Paltz’s Computer Services Department. This newsletter is where we keep Faculty, Staff, and Students of the college aware of timely and ongoing online threats. Our goal is to make you aware not just of specific threats, but of how you can recognize these threats in the future.
Being cautious online not only helps protect your own identity and computer, but the college and its sensitive data as well. It’s the obligation of everyone to be cautious when online, especially if you are someone who has access to sensitive data.
To suggest topics for future issues, email firstname.lastname@example.org
- Paul Chauvet, Computer Services