Category: Information Security

Social Engineering Pages Added to Website

Posted on

UFIT recently added new pages to https://security.ufl.edu/ that educate about social engineering scams. The university community is a huge target for social engineering attacks–attacks that include phishing and smishing. By reviewing the social engineering webpages, Gators can learn the difference between everyday communications and an actual social engineering attack.

https://security.ufl.edu/resources/protect-my/socialengineering/

Received a text recently saying your UF email account will be suspended if you don’t certify your account via the link provided? Smish! UFIT has tracked significant growth in social engineering attempts like this in the past year. Social engineering attempts range from fake bank texts and “extended warranty” phone calls to emails pretending to be from UF professors offering $350 per week jobs. Having a large community on one network is extremely attractive for cyber-scammers. So, helping all Gators better understand which communications are legitimate and which are fraudulent keeps all us safer from attacks.

It only takes one click on a malicious link to cause a world of hurt. Learn to recognize social engineering tactics and help secure UF! If you are unsure whether an email or text purporting to be from UF is legitimate, you can always ask the UFIT Help Desk for assistance.

Learn the UF Risk Assessment Process

Posted on

UFIT is now offering integrated risk management (IRM) system training. The course focuses on the IRM process and responsibilities of system submitters, project owners, and the information security manager or technical contact listed on the assessment request. Log into myTraining and search for UF_ITT104_OLT to take the training.

Development of this training is in response to requests from information security managers and department staff who work with UFIT on risk assessments. The IRM training takes approximately 45 minutes to one hour to complete. Note that completing UF_ITT104_OLT will soon become mandatory in order to maintain either the UF_SEC_TECHCONTACT or UF_SEC_ISM security roles.

UFIT recommends all IT staff involved in university risk assessments take the training. For more information visit https://irm.ufl.edu/. Anyone with questions about the integrated risk management process may email the IRM team at irm-uf@ufl.edu.

Understanding Social Engineering

Posted on

Social engineering is the term for exploiting human psychology, rather than traditional hacking techniques, to gain access to buildings, systems, devices, or data. For example, a social engineer might call a UF phone number and pose as an IT support person, trying to trick the employee into divulging passwords. David Maurer in The Big Con writes of 1940s confidence [con] men and how they gained the trust of victims. It’s the same in the 2020s: social engineers want to seem believable whether by email, phone call, text, or in person–they gain the victim’s trust to get what they want. Two types of social engineering techniques are employment scams and tailgaiting:

1. Employment scams are plentiful, and many, if not most, students have received an email advertising a 10 hour per week campus job earning $350 per week. Think twice before clicking on the links in an email advertising a job you didn’t inquire about.
2. Tailgating is when someone enlists your help to gain unauthorized building access. An example is when a person with an armful of packages asks you to open the door with your UFID card since they can’t reach theirs. You naturally want to be helpful, but someone now has access they shouldn’t.

UFIT is launching an updated social engineering webpage this spring. In the meantime, if you suspect an email you receive in your GatorMail may be phishing, report it to abuse@ufl.edu. And remember, Gators…be aware of who you are letting access UF residence halls, academic buildings, and other secure campus spaces.

Tech Resolutions For a Safer 2022

Posted on

Staying cyber secure is a great new year resolution that won’t have you counting calories or committing to more exercise!  By adopting some of the resolutions below, the UF community can make a huge difference to their overall cybersecurity safety (also known as your “security posture”).  Enhance your cyber footprint security by:

  1. Changing compromised passwords and creating different passwords for each account. Check for compromised passwords at https://haveibeenpwned.com.
  2. Activating multi-factor authentication (MFA) on critical accounts like email, banking, and social media. Find which sites you use support MFA by visiting https://2fa.directory.
  3. Deleting old social media accounts and other accounts you no longer use.
  4. Reviewing privacy and security settings annually on social media accounts and other sites at least once a year.
  5. Removing unused apps from mobile devices. Unused apps are like unused accounts–they store information that can be used against you if they’re compromised.
  6. Creating a guest network for visitors to your home. If you have smart devices like Ring or Nest, consider creating a guest network for those items. Then if the smart devices get compromised, your home network will still be protected.
  7. Thoroughly delete (“wipe”) all electronic devices before donating or disposing, or have them shredded by a trusted vendor. UF Surplus manages the secure disposal of electronic media and electronic waste of university technology.

For more ways to be cybersafe in 2022,  check out the email safety and computer protection boxes on UF’s Information Security Office website homepage.

Threat to Suspend Your Social Security Number is a SCAM

Posted on

Con artists pretending to be with the Social Security Administration (SSA) are utilizing email, text messages, and phone calls to scare people into providing money and/or personal information. Remember: The SSA will never threaten, scare, or pressure you to take an immediate action.

It is a SCAM if someone…
● Warns of imminent arrest or legal action
● Requests payment by gift card, prepaid debit card, internet currency, or mailing cash
● Pressures you for personal information
● Requests secrecy
● Threatens to seize your bank account
● Promises to increase your Social Security benefit
● Says they have evidence against you, or uses the name of a real SSA official

How to protect yourself from Social Security-related scams:
1. Stay calm. Do not provide money or personal information when you feel pressured, threatened, or scared.
2. Hang up on the caller or ignore the text or email.
3. Report Social Security-related scams. If you receive a suspicious call, text, or email that mentions Social Security, report it to the SSA Office of the Inspector General (OIG). Do not be embarrassed if you shared personal information or suffered a financial loss.

UF’s Information Security Office has an Identity Thefts and Scams webpage where you can learn more about the techniques used by cyber criminals.

Safe Travel is Smart Travel: Cyber Vigilance

Posted on

As flights and hotel bookings surge past pre-pandemic levels, travelers should prepare for a busy holiday season. Crowded airports can be an early holiday gift for identity thieves. Don’t let the chaos of the airport allow you to let your guard down. Gators, remember while traveling over the break period to:

Avoid public Wi-Fi. If you must use free Wi-Fi in airports, cafes, or in hotels, use a VPN to connect. Also, double-check the network’s name (SSID) before connecting. You could unknowingly connect to a spoofed network or someone else’s hotspot, which means what you type could be seen and copied by others.

Beware of vacation rental scams. While perusing Airbnb or Craigslist for a rental, be alert to an offer that’s too good to pass up. Before booking an accommodation online, research the address, owner’s name, and if the property reviews go back more than a few weeks. Check for multiple ways to contact the owner.

Disable auto-connect features. Most phones enable automatic connections for Wi-Fi, Bluetooth, and location services. These features allow others to track your location or send malicious files to your device. Keep these settings disabled when you are not using them!

Visit https://security.ufl.edu/resources/traveling-abroad/ for more cyber tips for travelers.

How To Shop Securely During Black Friday & Cyber Monday

Posted on

‘Tis the season for online shopping. Unfortunately, it’s also the season for holiday scams. With Black Friday and Cyber Monday deals right around the corner, it’s important to know what to look for when shopping for the perfect gift. Here are some tips so you don’t get Scrooged:

Pay with a secure method. Using a credit card provides extra protection for online purchases. Under the Fair Credit Billing Act (FCBA), credit card holders are allowed to dispute fraudulent charges, whereas with a debit card, the money comes directly out of a checking account. Remember to check your bank statements regularly for any unauthorized payments.

Research the seller. Before checking out, verify that the business is legitimate. Search the company’s name online, plus “scam,” to read what others are saying. If you’re unsure, check with the state attorney general or the local consumer protection agency to see if there are any filed complaints.

Don’t fall for fake ads. Fake advertisements lurk on legitimate platforms, including email, social media, and search engines. Think twice before clicking on ads. Go directly to the business’s website to verify that the offer is real.

For more cybersecurity tips, visit https://security.ufl.edu/.

The Cost of Phishing: Money, Time, Personal Files

Posted on

“I should have recognized the red flags. I thought it was easy to avoid phishing emails, but I was wrong. I should have taken the email more seriously, and I had to try to get my account back and missed a test. Thankfully, that’s the only thing I missed.”

When it comes to phishing, it’s possible to lose everything in one click, but you’ll never understand the consequences until it happens to you. In UFIT’s video, three students share real stories from victims of cybercrime.

These examples show what could happen after falling for a phish, from locking you out of your computer to rerouting financial aid money to a cybercriminal’s bank account. But the impacts aren’t limited to one person. One incident is all it takes to shut down UF systems or expose student records, research data, and patient information. With so much at stake, it’s important for everyone at UF to remain skeptical of what arrives in their inbox.

The UF Information Security Office has more information about phishing on its website. You can also participate in the Secure the Swamp! online scavenger hunt from October 25-29 to sharpen your cybersecurity skills.

Secure the Swamp Online Scavenger Hunt

Posted on

October 2021 marks the 18th year of Cybersecurity Awareness Month. With the increasing threat of cyberattacks to universities around the world, information security is more timely than ever. UF participates in the initiative every year to empower students, faculty, and staff to own their role in protecting themselves and the university.

This year’s campaign is centered on a “Secure the Swamp!” online scavenger hunt. Each week in October, UFIT will share tips on social media focusing on three themes: phishing, securing your remote work environment, and mobile device security. Students and employees can then test their cybersecurity knowledge by answering four questions on these topics. The hunt begins on Monday, October 25, at 8 a.m. and ends Friday, October 29, at 5 p.m. Participants will have the opportunity to win an exclusive “Secure the Swamp!” T-shirt.

Remember, the UF Information Security Office can’t protect UF by itself. It’s our shared responsibility to keep the university’s data and systems secure. Visit https://security.ufl.edu/ to participate in the scavenger hunt and find more resources. Also, follow UFIT on Twitter (@GoGatorsUFIT), Facebook (@GoGators.UFIT), Instagram (@gogators_ufit), and YouTube (/GoGatorsUFIT) for some clues!