Security Awareness

Applies to: All Students and Employees

Questions? Email techsupport@pennwest.edu

Beware of Phishing Scams

What is Phishing?

Phishing is a type of deception designed to steal your identity. In a phishing scam, a malicious person tries to get information like credit card numbers, passwords, account information, or other personal information from you by convincing you to give it to them under false pretenses. Phishing schemes usually come via spam, email, or pop-up windows.

How Does Phishing Work?

A phishing scam begins with a malicious user who sends out millions of fraudulent email messages that appear to come from popular websites or from sites that you trust, like your bank or credit card company. The email messages and websites they often send look official enough that they deceive many people into believing that they are legitimate. Believing that these emails are legitimate, unsuspecting people too often respond to the email's requests for their credit card numbers, passwords, account information, or other personal information.

A scam artist might put a link in a fake email that appears to go to the legitimate website, but actually takes you to a scam site or even a pop-up window that looks exactly like the official site. These copies are often called spoofed websites. Once you are at one of these spoofed sites or pop-up windows, you might unwittingly enter even more personal information that will be transmitted directly to the person who created the spoofed site. That person can then use this information to purchase goods, apply for a new credit card, or steal your identity.

6 Way to Protect Yourself from Phishing

Never respond to requests for personal information via email - Legitimate organizations will never ask for passwords, credit card numbers, or other personal information in an email. If you do receive an email requesting this kind of information, DO NOT RESPOND, DO NOT REPLY, DO NOT CLICK ON LINKS OR IMAGES, and DO NOT OPEN ANY ATTACHMENTS with the message. If you think the email is legitimate, contact the company by phone or through their website to confirm. See (#2) for the best ways to get a website if you think you've been targeted by a phishing scam.

You can get more information about phishing and see some example messages at Microsoft Safety & Security Center. You can also see actual phishing examples sent to PennWest University.

Visit websites by typing the URL into your address bar - If you suspect that an email from your credit card company, bank, online payment service, or other websites you do business with is not legitimate, do not follow the links to the website from an email message. Those links may take you to a spoofed site that might send all the information you enter to the scam artist who created the site.

Classic examples are phishing emails that claim to come from eBay or PayPal. Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net). So beware of IMITATION WEBSITES!

Check to make sure the website is using encryption - If you can't trust a website by the address bar, how do you know it's likely to be secure? There are a few different ways. First, before you enter any personal information, check to see if the website uses encryption to transmit your personal information. In Internet Explorer you can do this by checking the yellow lock icon on the status bar. If the lock is closed, then the site uses encryption. This symbol signifies that the website uses encryption to help protect any sensitive personal information, credit card number, payment details that you enter.

Double-click the lock icon to display the security certificate for the site. The name following Issued to: should match the site you are on. If the name differs, you may be on a spoofed site. If you are not sure whether a certificate is legitimate, don't enter any personal information. Play it safe and leave the website.

Routinely review your credit card and bank statements - Review credit card and bank statements as soon as you receive them to check for unauthorized charges.

Report suspected abuses of your personal information to the proper authorities - If you feel you have been a victim of a phishing scam, you should immediately report the scam to the company that's being spoofed. If you are unsure how to contact the company, visit the company's website to get the correct contact information. The company may have a special email address to report such abuse. Remember not to follow any links in the phishing email you received. You should type the known website address for the company directly into the address bar in your internet browser.

Use anti-virus software and maintain security settings on your computer - See the Safe Computing - Protect Your PC for additional details.

Phishing Examples

The following screen captures are from example Phishing emails. The red flag icons display warnings that each message was a scam.

‍
Example 1: OneDrive

‍

Example 2: OneDrive

‍

Example 3: Current Events Scam

Example 4: Social Media Notification Scam

Secure Your Personal Computer

TO CREATE AND MAINTAIN A SAFE COMPUTING ENVIRONMENT ON YOUR PERSONAL COMPUTER, BE SURE TO...

Update your Operating System

Update your Operating System
Update your Web Browsers
Use anti-virus software and keep virus definitions up-to-date.
Follow the principle of least privilege. Setup a local computer account for every day use and only use an administrator account when you need to perform specific tasks. See this Windows Central article for additional information,
Backup your files on a regular basis.

Note: the information provided here was developed to assist home users with personally owned computers.

‍

Other General Security Considerations With Your Personal Computer Usage:

Back up your data - A simple basic backup plan is to plug a good-sized, formatted blank thumb drive (or USB stick) into your computer. Double click on it and open a directory. As you work on your latest project and it comes time to take a break, save your work, close those crucial files, and drag a copy of them into the directory on the thumb drive. The more important your project is and the closer you get to the deadline, the more often you should pause to make a copy of your crucial files. The more often you backup, the less you stand to lose. After you have made a backup by whatever means, check to make sure the copies are complete and that they work. At the office, check with IT about using a thumb drive - some organizations do not allow them.
Use email wisely - Email is not private. Never send personal or sensitive information by email. Never view, open, or even click on email attachments unless you know who sent it, why they sent it, and what's in it. Even messages forwarded to you by friends might contain infected attachment and links that will shuttle you off to dangerous websites.
Use email wisely - Email is not private. Never send personal or sensitive information by email. Never view, open, or even click on email attachments unless you know who sent it, why they sent it, and what's in it. Even messages forwarded to you by friends might contain infected attachment and links that will shuttle you off to dangerous websites.
Regard the Internet as a bad neighborhood at 2 am - In 2008 about 1.5 billion people using the Internet worldwide and the number of websites approached 200,000,000. With that many apples in the barrel, it's anyone's guess how many are rotten. The steady growth of web commerce attracts not only ordinary scammers, pirates, and thieves, but also national and multi-national organized crime syndicates. Criminal activity for financial gain is the single largest driver of massive increases in Internet threats and bringing Internet criminals to justice remains a challenging task. Practice on-line safety. Protect your privacy, your identity, and your money.
Ratchet up your browser's security - Malicious hackers and virus writers can infect your computer by taking advantage of low security settings in your browser software and enticing you to visit a malicious website. You can help limit your chances of being attacked by increasing your security settings and conducting business or entering sensitive information only on secure websites. Look for addresses that begin with https:// and check for the yellow security lock icon at the bottom of your browser window.
Protect sensitive information, especially when you use a public computer - It's best to avoid typing your credit card number or other financial or sensitive information into any public computer, but sometimes you can't avoid it. Don't save your log-on information. Don't leave a public computer unattended with sensitive information on the screen. Web browsers keep a record of your passwords and every page you visit, even after you've closed them and logged out. Learn how to erase your tracks. Watch for over-the-shoulder snoops.
Be careful with wireless network - Secure your own wireless network by enabling and using wireless encryption that scrambles the data transmitted between your PC and your wireless router. Check your WAP (wireless access point) to find out what kinds of encryption it can provide. Out of the box, the encryption on most WAP's will be shut off. The most effective encryption is WPA2 (Wireless Protected Access version 2). Use a strong password for your WPA2 encryption key. Before you connect to someone else's wireless network, make sure it's a legitimate hotspot: Nefarious types have been known to set up pirate WAP's with familiar names like "wayport" or "t-mobile", and then use them to capture passwords and other private data. Verify that your two-way software firewall is turned on and that filesharing is off. Always turn your Wi-Fi networking off when you're not at a hotspot.

Safe Computing

Protect your personal information, prevent identify theft, and secure your computer and data...follow these Safe Computing practices...

Protect Your Personal Information

Never disclose personal information and passwords via email, beware of Scam Attempts.
You should NEVER provide your password or other sensitive information to someone via email and you should NEVER follow web links in a suspicious message!

Please note that PennWest University will NEVER ask you to send or verify your password information via email! We are continuing to receive reports about password scam attempts being sent to PennWest accounts. You should NEVER provide your password or other sensitive information to someone via email. If in doubt, use caution and DO NOT REPLY. DO NOT OPEN ATTACHMENTS, and DO NOT FOLLOW LINKS IN A SUSPICIOUS MESSAGE.

Please protect your personal information - be suspicious when you receive unsolicited emails or phone calls. Watch out for emails claiming to be from universities, retailers, banks, or government agencies that threaten to close accounts or require you to "confirm" personal information.

Choose Effective Password

Passwords are the key to accessing many services. Passwords are one of the most important fundamental safeguards to protecting your information. Unfortunately, passwords are also one of the top reasons for security compromises due to the selection of weak passwords or the careless disclosure of password details.

Here are some important password practices:

DO NOT SHARE OR REVEAL YOUR PASSWORD to others. NEVER send your password via email. Review our Protecting Your Personal Information procedures. Memorize your password - do not write it down.
CHOOSE STRONG PASSWORDS - use a mix of numbers, letters, and special characters to create a strong hard-to-crack passwords. Do not use dictionary words, your name, or other personally identifiable information (family names, ID or phone numbers). See our Creating Strong Passwords Tip Sheet for additional information. (login required)
VARY YOUR PASSWORDS - do not use the same password for your PennWest accounts and other personal accounts (Facebook, Google, banking, etc.).
CHANGE YOUR PASSWORD ON A REGULAR BASIS - at least every 90 days.

Please see the following sources for tips and additional information on creating effective passwords:

Secure Your Mobile Device

Mobile devices, like smart phones, tablets, iPads, laptops, and netbook computers allow us to stay connected when we are "on the go". Here are a few tips for using your mobile device safely.

Public Access Wi-Fi Networks - Your data is not safe when you use a public Wi-Fi network (any wireless network that allows you to join without a password or with a common password). Almost anything that goes across your screen can be seen by those around you. This includes those who may look over your shoulder, as well as anyone who may be "sniffing" network traffic. Someone "sniffing" network traffic can acquire any username or password that you may use or any data that you send over the Internet, compromising your safety and security.
Be cautious about the site you visit and the information you release, especially when you are online through an unsecured or unprotected network.
Get savvy about Wi-Fi hotspots: limit the type of business you conduct and adjust the security settings on your device to limit who can access your phone.
Protect your $$$! When banking and shopping, check to be sure the site has security enabled. Look at the web address and make sure you see https:// in the URL. The 's' means it's a secure, if it just says http:// then it's NOT secure.
Disable the geotagging feature on your phone.
Use a personal firewall when on an untrusted network (e.g., cafe, hotel, or conference center). Set the firewall to deny ALL incoming connections.
Protect your mobile device from viruses and other threats - Just like your desktop computer, smart phones, and other mobile devices can get infected with viruses and malware. Most mobile devices have free or inexpensive software that can protect them from these threats. Search your devices app store for "antivirus" to see what's available.
Protect your device with a password or PIN - Most mobile devices have the ability to require a password or PIN to use the device. This is recommended if you use your device to send and receive university email.

Setup a PIN on an Apple device

Android password instructions

Texting and SPAM - Just like you need to use email responsibly, you should also protect your cell phone number. Spammers, identity thieves, predators and cyber bullies also use cell phone text messages to inflict harm.

Keep your cell phone number private and only give it to people you know and trust. Be careful about where you post your number, including your Facebook profile or other social sites.
Never reply to text messages from people that you don't know.
Be suspicious of URL's sent to you in unsolicited text messages or from individuals you do not know. For example, attackers may send you a text message claiming that there is a problem with your account. If you visit the website they send you, they may lure you into providing personal information or downloading a malicious file.
Be careful of meeting someone face-to-face if you only "know" them through texting. They may not be truthful with you. Let someone else know where you are going, take someone with you, or arrange to meet in a public place during the day time.

Beware of Imitation Sets

Scammers will try to get you to go to websites that look legitimate, but are actually traps. You should always verify the authenticity of the websites you visit, particularly banking and credit card websites.

Tips to Prevent Identity Theft

The time between Thanksgiving and Christmas is the biggest shopping season of the year. As we enter the holiday season, we would like to remind everyone to take additional precautions against identity theft.

Here are some tips for keeping your credit card, account, and identity secure during the holiday season:

During a transaction keep an eye on your credit card and get it back as quickly as possible. Double swiping of credit cards into a 2nd device that makes a copy is a prevalent way of stealing card info.

Using an ATM?‍

Cover the keypad while entering your pin.‍

Shopping online?

Stick to sites that have a trustworthy reputation.

Look for Safety Symbols to assure only you and the merchant can view your payment data. Safety symbols include:

the padlock icon in your browser’s status bar“s” symbol after “http” in the URL
the words “Secure Sockets Layer (SSL).”

Make sure that your computer has a firewall installed and run up-to-date anti-virus and anti-spyware software.

Keep your computer current with the latest operating system and web browser updates and patches.

Create strong passwords for sites.

Never respond to suspicious emails or click on links inside suspicious messages. If an offer sounds too good to be true, it probably is.

Do not reply to an email, text, or pop-up that asks for personal or financial information.

Never email your credit card number to anyone.

Report lost or stolen credit cards immediately. Many companies have toll-free numbers and 24-hour service to deal with such emergencies. Sign the new or replacement card as soon as you receive it.

Verify a source before sharing information. Do not give out personal information on the phone, through the mail, or on the Internet unless you have initiated the contact and are sure you know with whom you are dealing.

‍