How To Shop Securely During Black Friday & Cyber Monday

‘Tis the season for online shopping. Unfortunately, it’s also the season for holiday scams. With Black Friday and Cyber Monday deals right around the corner, it’s important to know what to look for when shopping for the perfect gift. Here are some tips so you don’t get Scrooged:

Pay with a secure method. Using a credit card provides extra protection for online purchases. Under the Fair Credit Billing Act (FCBA), credit card holders are allowed to dispute fraudulent charges, whereas with a debit card, the money comes directly out of a checking account. Remember to check your bank statements regularly for any unauthorized payments.

Research the seller. Before checking out, verify that the business is legitimate. Search the company’s name online, plus “scam,” to read what others are saying. If you’re unsure, check with the state attorney general or the local consumer protection agency to see if there are any filed complaints.

Don’t fall for fake ads. Fake advertisements lurk on legitimate platforms, including email, social media, and search engines. Think twice before clicking on ads. Go directly to the business’s website to verify that the offer is real.

For more cybersecurity tips, visit https://security.ufl.edu/.

The Cost of Phishing: Money, Time, Personal Files

“I should have recognized the red flags. I thought it was easy to avoid phishing emails, but I was wrong. I should have taken the email more seriously, and I had to try to get my account back and missed a test. Thankfully, that’s the only thing I missed.”

When it comes to phishing, it’s possible to lose everything in one click, but you’ll never understand the consequences until it happens to you. In UFIT’s video, three students share real stories from victims of cybercrime.

These examples show what could happen after falling for a phish, from locking you out of your computer to rerouting financial aid money to a cybercriminal’s bank account. But the impacts aren’t limited to one person. One incident is all it takes to shut down UF systems or expose student records, research data, and patient information. With so much at stake, it’s important for everyone at UF to remain skeptical of what arrives in their inbox.

The UF Information Security Office has more information about phishing on its website. You can also participate in the Secure the Swamp! online scavenger hunt from October 25-29 to sharpen your cybersecurity skills.

Secure the Swamp Online Scavenger Hunt

October 2021 marks the 18th year of Cybersecurity Awareness Month. With the increasing threat of cyberattacks to universities around the world, information security is more timely than ever. UF participates in the initiative every year to empower students, faculty, and staff to own their role in protecting themselves and the university.

This year’s campaign is centered on a “Secure the Swamp!” online scavenger hunt. Each week in October, UFIT will share tips on social media focusing on three themes: phishing, securing your remote work environment, and mobile device security. Students and employees can then test their cybersecurity knowledge by answering four questions on these topics. The hunt begins on Monday, October 25, at 8 a.m. and ends Friday, October 29, at 5 p.m. Participants will have the opportunity to win an exclusive “Secure the Swamp!” T-shirt.

Remember, the UF Information Security Office can’t protect UF by itself. It’s our shared responsibility to keep the university’s data and systems secure. Visit https://security.ufl.edu/ to participate in the scavenger hunt and find more resources. Also, follow UFIT on Twitter (@GoGatorsUFIT), Facebook (@GoGators.UFIT), Instagram (@gogators_ufit), and YouTube (/GoGatorsUFIT) for some clues!

Campus-Wide Message: Ransomware and Phishing

Vice President and CIO Elias Eldayrie emailed all UF faculty, students, and staff this morning with facts about ransomware and phishing. Eldayrie also listed some key success indicators for securing campus, such as a decrease in compromised accounts and an increase in reporting of potential phishing emails, made possible by the campus’s buy-in and involvement on cybersecurity issues. The statistics Eldayrie shared are:

Unauthorized Account Usage: Since implementation of multi-factor authentication, UF has seen a 99.7% decrease in compromised accounts.
Phishing: Since installation of the phish alert button into GatorMail, faculty, students, and staff have reported more than 14,500 suspicious emails, leading to fewer successful phishing attempts.
IT Security Risks: Since launching the new risk assessment process in 2016, 5,200+ risk assessments have been submitted by faculty and staff prior to technology purchase, allowing for review of security gaps and risk.

UFIT engages in year-round training and outreach to help UF better understand information security risks, like what to look for before clicking on links in emails–especially those with the [External Email] banner. President Fuchs also recorded a video about ransomware and phishing to support outreach efforts. View the President’s video here.

Additional resources to help our campus community securely teach, learn, research, and conduct university business are listed on https://security.ufl.edu/resources/.

UF’s Cyber Security Framework Program

UF’s Information Security Office, in partnership with the Office of Internal Audit and Office of Compliance and Ethics Program, introduced the Cyber Security Framework Program (UFCSF) on July 1. Planned and implemented in response to an audit sponsored by Florida’s Board of Governors, the Cyber Security Framework Program heightens UF’s ability to identify, protect, detect, respond, and ultimately recover from cybersecurity incidents.

The Cyber Security Framework program will provide a high-level view of the operational maturity of units across campus, which is then rolled up into a university-wide maturity rating. The information collected will be used to:

Develop a unified view of the university’s information security environment
Discover gaps in enterprise cybersecurity processes and technology
Create university-wide solutions that reduce risk and increase cybersecurity maturity

The UFCSF program is modeled on the National Institute of Standards and Technology cybersecurity framework and tailored for the university’s OneIT model. Surveys are now being sent quarterly to UF’s 16 colleges and administrative units to evaluate their current processes for protecting computing assets and data, and for assessing risk. More information on UF’s Cyber Security Framework program is online. Anyone with questions may email the UFCSF program team.

Install Patches [Updates] To Your Devices

Whether you are a faculty member, student, or staff member, you’ve inevitably worked more from home in the past 16 months than ever before. If you use a personally-owned laptop or PC not managed by UF technical staff, chances are your device(s) aren’t up to date. Outdated devices allow cybercriminals to exploit bugs, so it’s important to secure them. There is an easy way to protect personally-owned devices and the data on them: patching.

A patch, also called an update or software update depending on the device manufacturer, is released to fix security vulnerabilities and other bugs. Applying an update as soon as it’s released is important, because updates are often issued in response to a known vulnerability or virus. Updates not only improve the security of your device, but often improve the functionality, usability, or performance of its features. All software has bugs, and manufacturers constantly identify and patch these–just as cybercriminals constantly look for bugs they can use to attack devices and steal data.

A good way to stay current with patches is to enable automatic updates. Read item #1 on https://security.ufl.edu/resources/protect-your-computer/ for simple instructions to enable automatic updates on Mac and Windows devices. Another good tip: Reboot your laptop, smartphone, PC, and other devices each week, rather than just closing the lid or logging off. Completely shutting down and restarting devices helps to install and apply updates. You can learn more tips on the Information Security Office website.

Fake Emails from “UF Faculty” Targeting Students

Students are reporting suspicious emails in their Gmail or other non-UF inboxes, claiming to be from instructors. These phishing scams enable cybercriminals posing as faculty to convince students to deposit fake checks or send gift cards. Because students often handle email on their phones–where full email addresses are obscured–it isn’t immediately apparent that the email is a phish.

Impostor emails attempt to lure students with high-paying job opportunities and often come from faculty members the student doesn’t know. Cybercriminals can find enough information online to impersonate faculty without having to hack into their UF account. The proliferation of these scams is a great reminder to always be cautious when clicking on any email, no matter who it seems to come from.

Remember:
1. Even if a phishing email doesn’t include a malicious link or attachment, it’s still just as dangerous if you respond.
2. The [External Email] tag will appear in the body of emails originating from outside the university, alerting you that the message may well be malicious.

If you think an email in your Gmail or non-UF inbox is a phish, forward the message as an attachment to abuse@ufl.edu.

Cybercriminals Target UF International Community

UF’s 5,712 international students, along with our international faculty and staff population, are prime targets for criminals who want to leverage their immigration status to steal money and sensitive data.

The UF International Center (UFIC) reported several cases of phishing emails and phone calls from cybercriminals posing as representatives of the U.S. Department of Homeland Security or U.S. Immigration and Customs Enforcement. Scams include threats of deportation, visa revocation, or phony visa lottery acceptances. The fake messages are schemes to solicit money or sensitive information (e.g. Social Security numbers, credit card information, etc.).

“We cannot emphasize enough how important it is for our international students to be aware of scams and phishing attempts that can impact their legal status, identity, and financial future,” said Debra Anderson, director of International Student Support Services for UFIC.

Everyone, regardless of visa status, should think twice before automatically clicking on an email attachment. U.S. government agencies never demand immediate payment over the phone or via email. In fact, contact with U.S. agencies involved in immigration issues always starts with a letter, not a phone call or an email. If you think an email in your GatorMail is suspicious, report it with the Phish Alert Button so UF’s Information Security Office can investigate further.

Securely Disposing of UF Records and Media

The secure destruction of paper, electronic records, and media containing restricted data is required at the University of Florida. Failure to properly dispose of documents and media, such as hard drives, USBs, and CDs, that hold restricted data can cause significant risk to UF and its faculty, students, and staff.

UF’s process for disposal of records is clearly articulated to ensure compliance. Faculty and staff should know that different media types (e.g., paper, CD, files stored on encrypted hard drives, etc.) have different destruction methods. The Securely Deleting Electronic and Paper Records webpage includes a chart with a complete list of media types and disposal methods. If your department is moving or has a need to dispose of a significant volume of paper files, UF Procurement Services offers bulk-shredding services for university records as well as media that is required to be destroyed.

Anyone with questions about working with, or the process for deleting, electronic and paper records that contain restricted data may email the UF Information Security Office.

Protecting UF: Mandatory Information Security Training

In 2019, audits were conducted of the state’s 12 public universities. The report recommended that the University of Florida enhance its existing information security awareness program with mandatory annual faculty and staff training. This summer, UFIT developed a new training program to meet the Florida Board of Governors’ recommendation.

“Protecting UF: Information Security Training” consists of four modules: phishing awareness, restricted data, cloud and sharing tools, and general safeguards. Training takes approximately 30-40 minutes to complete and is mandatory for faculty and staff. Emails will deploy from the myTraining portal in the next few days notifying the UF community that training is available. Training must be completed by the close of the fall 2020 semester, with the annual reminder date for re-certification based upon the initial completion date. As part of the Protecting UF program, in January all enrolled students will see a “to do” reminder in ONE.UF to take the phishing awareness training.

This effort is part of a larger program to inform the UF community on how to protect teaching, learning, research, and online activities. Please visit the Information Security Office website for additional information on this training and other security topics.