April: Don't Be Fooled - Protect Your Identity

Some tricks are kinda funny (like making a fake sundae out of mashed potatoes), but identity theft is no laughing matter. Around tax time, there’s an added incentive for scammers, too - with enough personal information, they can redirect your refund check. (Sadly, there are no outstanding scams attempting to *pay* your tax bill. Sorry.)

This month we’ll review some precautions you can take to avoid being fooled by scammers this April (and, you know, during other months, too). The good folks at Educause have done the heavy lifting for us -- below you’ll find their sage advice for protecting yourself from identity theft. It may look familiar (we’ve mentioned some of this before), but good tips bear repeating.

  • Read your credit card, bank, and pay statements carefully each month. Look for unusual or unexpected transactions. Review recurring bill charges.
  • Review your health insurance plan statements and claims. Look for unusual or unexpected transactions.
  • Shred it! Shred any documents with personal, financial, or medical information before you throw them away.
  • Take advantage of free annual credit reports. In the US, the three major credit reporting agencies provide a free credit report once a year upon request.
  • If a request for your personal info doesn’t feel right, don’t feel obligated to respond! Legitimate companies won’t ask for personal information such as your social security number, password, or account number in a pop-up ad, e-mail, text, or unsolicited phone call.
  • Limit the personal information you share on social media. Also, check your privacy settings every time you update an application or operating system (or at least every few months).
  • Put a password on it. Protect your online accounts and mobile devices with strong, unique passwords or passphrases.
  • Limit use of public Wi-Fi. Be careful when using free Wi-Fi, which may not be secure. Consider waiting to access online banking information or other sensitive accounts until you are at home.
  • Secure your devices. Encrypt your hard drive and ensure that your systems, apps, antivirus software, and plug-ins are up-to-date.

Man with thought bubble that says: As a young child, my Mother told me I could be anyone I wanted to be. Well it turns out, the police call this 'identity theft.'

And if you suspect you’ve been a victim of identity theft (whoops), watch this short video:

2FA News: Porches & Student Employee Enrollment

Speaking of identity protection, there are changes afoot for UD’s 2FA program:

  1. Porches is now 2FA-enabled: Last month’s Porches upgrade added 2FA protection. The bad news (as you’ve likely noticed) is that this lands us with a one-two punch of login + 2FA for Porches and Gmail back-to-back (it’s a pain). But the good news is that our personal employment information in Porches (W2s, direct deposit, etc.) is now much safer. And with all the tax fraud and whatnot going on lately (see below), we can sleep safer knowing that.
  2. Student employees enroll in 2FA this month: Because student employees (current and former) also have sensitive employment info visible in Porches, they’re being asked to enroll this month. This Wednesday, affected students will be notified by the IT Service Center that they need to get on 2FA before April 20th. If you have student employees in your sphere of influence, please influence them to enroll with alacrity! (But after Wednesday.)

The “See Below”: Security Stakes are Rising

We try to avoid Chicken Little-ing the risks of data theft, but this recent article about BGSU speeding up its 2FA implementation left us a bit unnerved. An excerpt:

“Last month, an especially tricky phishing scam fooled several students who are also employed at the university into giving away their BGSU portal passwords, after which the thieves changed the victims’ direct deposit information so that their money went to accounts controlled by the phishers.

In other scams, the phishers would change the routing number for a bank account tied to a portal user, and then cancel that student’s classes near the beginning of a semester — thus kicking off a fraudulent refund. One of the victims even had a fraudulent tax refund request filed in her name with the IRS as a result, Haschak said. “They went in and looked at her W-2 information, which is also available via the portal,” he said.

While BGSU sends an email each time account information is changed, the thieves also have been phishing faculty and staff email accounts — which allows the crooks to delete the notification emails. “The bad guys also went in and deleted the emails we sent, and then deleted the messages from the victim’s trash folder,” Haschak said.”

Yikes . . . talk about hitting a little too close to home. For our money, if 2FA helps avoid that mess, it’s worth the extra login time.

Taking Control of Passwords: Protecting “High Value” Accounts

In February and March we talked about creating extra-strong passwords. And way back in January we categorized our computing accounts based on the kind of information stored there. This month, we put the two together.

Our action item for April: Equip your high-value computing accounts with strong passwords. Remember: “high value” accounts include financial, tax, healthcare and government accounts that likely have direct access to our financial or sensitive personal information. And, while you’re at it, see if those accounts offer 2FA, since they store the data we *most* want protected.

Cartoon showing a boss reciting an extremely long password to an employee. The employee then says: Maybe I'll let you type your own password

Once your high-value stuff is properly passworded, you may wonder “How often should I change this extra-strong password to a new extra-strong password?” Great question.

Here’s the deal - changing a password limits the time your account info is exposed if your password gets cracked. 2FA adds an extra layer of protection: if your password *does* get cracked, a hacker still needs your second factor to do any harm.

So if you’ve applied a long, complex password and the account allows for 2FA protection, you can keep that password for a good, long time (a year or even two is totally reasonable). But if you can’t add 2FA, keep a regular eye on your account activity for anything suspicious and change your extra-strong password at least annually.

As a heads-up, we’ll spend the next few months talking about Password Managers - what they are, which ones seem to work well, that kind of thing. Stay tuned.

The Phish Commish Says: That Link Might Stink

With all the email we get, it’s no wonder we skim our messages, scanning for the meaningful bits. Hyperlinks jump out as something actionable, often presenting commands like “Log in to Your Account” or “Check the Status of Your Package”. Even without imperatives, underlined, blue text just beckons us to click and obey: See link. Click link. Buttons are enticing too: Nice button. Click button. Habit. That’s where it gets you.

Red button that says click here! and points to a Rick Roll

As we’ve learned, not all links deliver what they promise. In fact, a link can stink:

  • By hiding a malicious download that infects your computer with malware, spyware or ransomware
  • By taking you to a simulated website, like your bank, where you log in and the bad guys capture your credentials or account information

It’s not always clear where a link is leading you. Look for these red flags:

  1. I hover my mouse over a hyperlink that’s displayed in the email message, but the link-to address is for a different website.
  2. I received an email that only has long hyperlinks with no further information, and the rest of the email is blank.
  3. I received an email with a hyperlink that is a misspelling of a known website. For instance, www.bankofarnerica.com -- the “m” is really two characters -- “r” and “n.”

If a link doesn’t pass the sniff test, dump the email and have another Peep.

Image of a Peeps candy with a caption that reads in French 'this is not a peep'

March Training Recap

Last month, the phishing training email from “CEO” only tripped up 1% of us - not bad at all! Here are the red flags you likely noticed when it arrived:

  1. SUBJECT: “Important Request” -- This is a suspicious subject line because it emphasizes urgency. The IRS says this is one of the most common subject lines in tax-related phishing emails.
  2. SENDER: “CEO@udayton.edu” -- There is no “CEO” per se in our institution. This is a give-away that the actual sender does not know UD and is faking an identity.
  3. REPLY TO: If you started a reply to the email, you would have seen that the return address is different: CEO@udayton-edu.org. This address is suspicious because it does not match the From address and because its format is unusual. True UD email addresses only use “@udayton.edu” and “@udri.udayton.edu”.
  4. LINKS: If you hovered on the link in the message, you would have seen that it goes to a non-UD, non-https URL that suggests a login page will result -- all signs of a possibly dangerous link: http://employeeportal.net-login.com/XcmVDjaXBpZ...
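The link red flags above and the four training-email red flags are exactly the kind of checks a mail filter or a careful reader applies by hand. Here is an added Python example (not UDit’s code, and not part of the newsletter) that runs those checks over a constructed message: urgency words in the subject, a Reply-To domain that differs from the From domain or falls outside the trusted UD domains, links that are plain http or lead off-campus, link text that names one site while the href goes to another, and the “rn” for “m” lookalike spelling. The trusted-domain list comes from the newsletter; the sample messages, the sender address, the portal hostname and the URL paths are constructed placeholders, and the extra known site (bankofamerica.com) is assumed from the www.bankofarnerica.com example.

```python
"""Phishing red-flag checker (added example; constructed samples, not real mail)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# The only domains the newsletter says real UD addresses use.
TRUSTED_DOMAINS = {"udayton.edu", "udri.udayton.edu"}
# Sites we want lookalike spellings of caught; bankofamerica.com is assumed
# from the newsletter's www.bankofarnerica.com example.
KNOWN_SITES = TRUSTED_DOMAINS | {"bankofamerica.com"}
# Character pairs that read alike in a hostname ("rn" looks like "m").
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mail_domain(header):
    """Domain part of an address header such as 'CEO <CEO@udayton.edu>'."""
    return parseaddr(header)[1].rsplit("@", 1)[-1].lower()


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def unconfuse(host):
    """Replace lookalike sequences so 'bankofarnerica' reads as 'bankofamerica'."""
    for lookalike, real in CONFUSABLES:
        host = host.replace(lookalike, real)
    return host


def in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def check_email(raw, trusted=TRUSTED_DOMAINS, known=KNOWN_SITES):
    """Return a list of human-readable red flags found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    flags = []
    # 1) Subject: urgency is the bait.
    if re.search(r"\b(urgent|important request|immediate(ly)?|action required)\b",
                 msg.get("Subject", ""), re.I):
        flags.append("subject uses urgency language")
    # 2/3) Sender vs. Reply-To: replies should go where the From header claims.
    from_dom = mail_domain(msg.get("From", ""))
    reply_dom = mail_domain(msg.get("Reply-To", msg.get("From", "")))
    if reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom!r} differs from From domain {from_dom!r}")
    if in_domains(from_dom, trusted) and not in_domains(reply_dom, trusted):
        flags.append(f"replies go outside trusted domains: {reply_dom!r}")
    # 4) Links: scheme, destination, and what the link text pretends to be.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = host_of(href)
        if urlparse(href).scheme == "http":
            flags.append(f"link to {host!r} is not https")
        if not in_domains(host, trusted):
            flags.append(f"link leads outside trusted domains: {host!r}")
        shown = host_of(text) if "://" in text else (text.lower() if text.lower().startswith("www.") else "")
        if shown and shown != host:
            kind = "lookalike " if unconfuse(shown) == unconfuse(host) else ""
            flags.append(f"link text shows {shown!r} but goes to {kind}{host!r}")
        if not in_domains(host, known) and in_domains(unconfuse(host), known):
            flags.append(f"hostname {host!r} is a confusable spelling of a known site")
    return flags


# Constructed sample modelled on the March training email (paths are placeholders).
SAMPLE_PHISH = """\
From: CEO <CEO@udayton.edu>
Reply-To: CEO@udayton-edu.org
Subject: Important Request
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://employeeportal.net-login.com/PLACEHOLDER">Log in to Your Account</a> today.</p>
<p>Statements: <a href="https://www.bankofarnerica.com/PLACEHOLDER">https://www.bankofamerica.com</a></p>
"""

# Constructed benign sample; sender address and portal hostname are placeholders.
SAMPLE_LEGIT = """\
From: IT Service Center <helpdesk-placeholder@udayton.edu>
Subject: Brown Bag session April 12
Content-Type: text/html; charset="utf-8"

<p>Register at <a href="https://portal-placeholder.udayton.edu/PLACEHOLDER">https://portal-placeholder.udayton.edu</a>.</p>
"""

if __name__ == "__main__":
    for flag in check_email(SAMPLE_PHISH):
        print(" -", flag)
    print("benign sample flags:", check_email(SAMPLE_LEGIT))
```

The training message trips eight flags (subject, two Reply-To checks, the http link, two off-campus destinations, the text/href mismatch and the “rn” lookalike) while the benign sample trips none. The lookalike test deliberately compares the normalized spellings rather than exact strings, which is what a hover-and-squint check does by eye.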

Scam of the Month: Tech Support Sabotage

“I just received a voicemail that said it was an emergency - the license key for Microsoft Windows was due to expire - and I should call 1-800-XXX-XXXX.”

That’s one variation of the many technical support scams going around, recently reported by a cyber-mindful UD colleague. Unfortunately, we've seen faculty, staff and students alike fall for these (even some of our own parents).

There are a few flavors of this scam. You might receive a phone call from a “helpful” tech offering to fix a problem if you’ll just allow remote access to your computer. Or you might be presented with an intimidating pop-up screen warning that something dire is about to happen. . . unless you call their tech support line immediately.

The bottom line? Legitimate companies like Apple, Dell or Microsoft won’t cold call you to fix problems on your computer. And they’re not likely to harass you with a giant pop-up advertising their support number, either. If you suspect a problem, call the IT Service Center instead.

Some additional information for you:

Reading Room

In other news on the interweb . . .
  • Here’s a new trend in personal banking: Accessing money with your phone instead of a PIN# at your local ATM
  • Another reason to become cyber-mindful: Inside Higher Ed reported last month that personalized higher ed email scams are on the rise.
  • It’s all fun and games until someone hacks your kid’s babydoll. We’re now seeing reports that children’s toys can be a potential avenue for stealing personal information.
  • This infographic from TIME shows how difficult it is to completely erase yourself from the internet.
  • Your child may be a perfect target for identity theft before they’ve even got an identity; scammers appreciate the blank slate of a fresh, new SS#.
  • These stories are depressing. . . perhaps the diversion of an innocent online personality quiz will help? Nope, looks like online quizzes may be providing criminals with information to steal your identity, too.

Event! Event!

Join us April 12 from 12:00-1:00 p.m. for an HR Brown Bag session on “Cyber-Mindfulness at Home & Work.” You eat your lunch, we give you some tips for safe computing, you ask us whatever questions have been gnawing at you lately. Register here >>


Information Technologies (UDit)

300 College Park
Dayton, Ohio 45469