Information for Faculty and Staff

Learn how to secure your data by exploring these cybersecurity topics.

Phishing

Phishing is a type of fraud in which a hacker attempts to gather personal information or credentials by impersonating a legitimate brand and sending users to a malicious website.

Phishing is the most common type of cyber-attack in education, responsible for more than 90 percent of security breaches. No cybersecurity solution can block 100 percent of attacks.

To help protect yourself and FSU from phishing attacks, here are 7 items to keep in mind when you receive a suspicious e-mail.

  1. Email Addresses Can Be Spoofed

    Never trust an email based simply on the purported sender. Cybercriminals have many methods to disguise emails.
  2. Subject Lines and Emails Often Include Enticing or Threatening Language

    Evoking a sense of panic, urgency, or curiosity is a commonly used tactic. Users are typically quick to respond to emails that indicate potential financial loss or that could result in personal or financial gain.
    ITS will never send an anonymous email asking you to urgently click on a link. ITS also does not facilitate its vendors or business partners to email the FSU user community directly with urgent announcements.
  3. A Personalized Message is Not a Sign of Legitimacy

    Today’s phishers are including the victim’s name in the subject line and prefilling the victim’s email address on the phishing webpage. A personalized email is not a sign of a legitimate email.
  4. Phishing Messages Often Have Errors in the Body of the E-mail

    Employees need to read their emails carefully, not just skim them. You should read emails carefully for both glaring and subtle grammatical issues that might indicate that the sender is not reputable.
  5. Links Aren’t Always What They Seem

    Every phishing email includes a link, but phishing links are deceptive. Hover over every link before clicking it to see the pop-up that displays the link’s real destination. If it is not the website you expected, it is probably a phishing attack. Be especially cautious of URLs that end in alternative domain names instead of .com or .org.
  6. Phishing Links Can Be Sent via Attachment

    All phishing emails contain a link, but it’s not always in the email. To avoid detection by email security filters, hackers will include a phishing link in an attachment, such as a PDF or Word doc, rather than the body of the email.
  7. Hackers Use Real Brand Images and Logos in Phishing Emails

    Brand logos and trademarks are no guarantee that an email is real. Images are public and can be downloaded from the internet or easily replicated.
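Items 5 and 6 above come down to one check: does the link's visible text match where it actually goes? The following added example (not part of the original page) automates that hover-and-compare step over an HTML message body. It flags anchors whose displayed domain differs from the destination host and anchors that lead to a bare IP address. The sample message, its domains and the 203.0.113.5 address are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body; the domains and IP address are placeholders,
# not real infrastructure.
SAMPLE_EMAIL_HTML = """
<p>Your mailbox is almost full.
   <a href="https://login.example-verify.net/reset">https://portal.example.edu/reset</a></p>
<p>Read the <a href="https://www.irs.gov/uac/taxpayer-guide-to-identity-theft">IRS guide</a>.</p>
<p>Visit <a href="http://203.0.113.5/update"><b>our IT portal</b></a> to update your password.</p>
<p><a href="https://www.identitytheft.gov">www.identitytheft.gov</a></p>
"""

# Something that looks like a hostname inside the visible link text.
SHOWN_DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # inside an <a>, including nested <b>, <span>...
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, accepting bare 'www.example.edu' style strings too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable(host):
    """Crude 'site' name: the last two labels. A public-suffix list would be more
    accurate (co.uk and friends), but this is enough for the mismatch check."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_link(href, text):
    """Return a list of reasons this link deserves a second look (empty = nothing found)."""
    findings = []
    dest = host_of(href)
    if not dest:
        return findings
    if IPV4_RE.fullmatch(dest):
        findings.append(f"destination is a bare IP address ({dest})")
    shown = SHOWN_DOMAIN_RE.search(text)
    if shown and registrable(shown.group(1).lower()) != registrable(dest):
        findings.append(f"text shows {shown.group(1).lower()} but destination is {dest}")
    return findings


def audit_email(html):
    """Run check_link over every anchor in an HTML body; returns (href, text, reason) triples."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, reason)
            for href, text in collector.links
            for reason in check_link(href, text)]


if __name__ == "__main__":
    for href, text, reason in audit_email(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: '{text}' -> {href}: {reason}")
```

Run against the constructed sample, it reports the first link (text says portal.example.edu, destination is login.example-verify.net) and the third (destination is an IP address), and leaves the IRS and identitytheft.gov links alone. The same logic is what a mail filter or a browser's hover pop-up lets you do by eye; the point is that only the href, never the visible text, tells you where a click will go.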

PHISHING EMAILS—WHAT TO DO IF YOU FALL VICTIM

Phishing messages become more commonplace and sophisticated with each passing year as a result of our heavy use of email and technology in everyday life. Near the beginning of the calendar year in particular, scammers tend to increase their efforts to obtain confidential information in order to file fraudulent tax returns. Regardless of when it happens, it's all too easy to fall victim to these scams; if you do, it's critically important to take action as soon as possible.

Next Steps

If you have inadvertently fallen prey to a phishing message and provided your Framingham credentials after clicking on a malicious link, you should immediately do the following:

  • Reset your FSU password as soon as possible by following the instructions here.
  • Run an antivirus scan on your device.
  • Notify the Help Desk if you haven't already done so, so that IT is aware of what happened and can help watch for suspicious activity associated with your account.
  • Don't be ashamed! These messages are constantly changing, so help others stay aware and avoid phishing emails/scams by sharing how this particular message tripped you up and what you've learned to watch out for in the future.

If you have inadvertently fallen prey to a phishing message and provided personally identifiable information such as your social security number, you may become the victim of identity theft: 

The Federal Trade Commission has resources for victims of identity theft to create recovery plans and take active steps toward minimizing the impact and repairing any damage.

  • Reset your FSU password as soon as possible by following the instructions here.
  • Visit www.identitytheft.gov
  • Create a recovery plan by:
    • Using their guided assistant feature, or
    • Reviewing their complete list of possible recovery steps
  • Execute the recovery plan
  • Notify the Help Desk if you haven't already done so, so that IT is aware of what happened and can help watch for suspicious activity associated with your account.
  • Don't be ashamed! These messages are constantly changing, so help others stay aware and avoid phishing emails/scams by sharing how this particular message tripped you up and what you've learned to watch out for in the future.

Possible steps in a recovery plan include, but are not limited to:

  • Consider filing a complaint with the FTC
  • Review the IRS Guide to Identity Theft: https://www.irs.gov/uac/taxpayer-guide-to-identity-theft
  • Contact one of the three major credit bureaus to place a ‘fraud alert’ on your credit records.
  • Contact your financial institutions and ask them to review your accounts with you.
  • If your SSN is compromised and you know or suspect you are a victim of tax-related identity theft, the IRS recommends these additional steps:
    • Respond immediately to any IRS notice; call the number provided or, if instructed, go to IDVerify.irs.gov.
    • Complete IRS Form 14039, Identity Theft Affidavit, if your e-filed return rejects because of a duplicate filing under your SSN or if you are instructed to do so. Use a fillable form at IRS.gov, print, then attach the form to your return and mail according to instructions.

Personal info is like money: Value it. Protect it.

Information about you, such as your purchase history or location, has value – just like money. Be thoughtful about who gets that information and how it’s collected through apps and websites. You should delete unused apps, keep others current and review app permissions.

Lock down your login.
Your usernames and passwords are not enough to protect key accounts like email, banking, and social media. Choose one account and turn on the strongest authentication tools available, such as biometrics, security keys or a unique one-time code sent to your mobile device.

If you collect it, protect it.
Follow reasonable security measures to keep individuals’ personal information safe from inappropriate and unauthorized access.

Build trust by doing what you say you will do.
Communicate clearly and concisely to the public what privacy means to your organization and the steps you take to achieve and maintain privacy.

Create a culture of privacy in your organization.
Educate your colleagues on the importance and impact of protecting student and employee information as well as the role they play in keeping it safe.

Ransomware

Ransomware is a type of malicious software (a.k.a. malware) that locks the victim out of their computer or files – often by encrypting them – until a ransom is paid. The ransomware typically displays a message letting the victim know that they have been locked out, along with instructions for how much to pay and how to pay it.

Recent ransomware attacks have caused high-profile business shutdowns. Ransomware is the fastest-growing malware threat, targeting users of all types—from the home user to the corporate network.

Ransomware is often spread through the use of stolen credentials, malicious links, and harmful attachments in email; however, this is not the only mechanism. Other sources include malicious applications and files, and adware/spyware.

It is important to note that paying the ransom doesn’t necessarily guarantee that you’ll get access to your computer or files back. In fact, a couple of recent, high-profile cyber-attacks, dubbed “WannaCry” and “Petya”, even posed as ransomware to distract people from the real attack, but in those cases, there was no way for people to get their files back by paying the ransom. The FBI and law enforcement advise never paying the ransom.

HOW TO PROTECT YOURSELF:
The following good cybersecurity habits will help to protect you from ransomware, and many other cyber threats as well:

1. Back up critical files, and store the backups in a physically separate location from the originals. This is probably the best protection against ransomware. If your files are backed up, you can get technical assistance to restore everything to your computer and you won’t lose anything important. Remember to test your backups periodically; backups are useless if they don’t work.

2. Always think twice before clicking on links or opening attachments, even if they look like they're from someone you know. Whenever possible, go to web pages by a path you know is legitimate instead of clicking on a link in a message. If an attachment is unexpected, contact the sender by a method you know is legitimate to confirm they sent it. This small extra effort is one of the best ways to keep your devices and information safe.

3. Keep a clean machine! Keep your devices, apps and browsers patched and up to date. Recent attacks have taken advantage of unpatched/out-of-date operating systems.

4. Protect your passwords, and use multi-factor authentication wherever possible. Also, use different passwords for work and non-work activities.

5. If it’s suspicious, report it! This is an important habit in general; if something doesn’t seem right, ask. With respect to ransomware, if you think a device or files you use for work have been infected with ransomware, report it to your supervisor and whomever you report security issues to at your location. If this happens to you at home, notify law enforcement.
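Habit 1 above says to test your backups periodically. The following added example (not part of the original page, and not any particular backup product's code) shows the minimal form such a test takes: record a SHA-256 manifest of the files when the backup is made, then later compare the backup copy against that manifest to find files that are missing or whose contents changed, which is exactly what a backup that was itself overwritten or encrypted would look like. The folder layout, file names and file contents are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def manifest(root):
    """SHA-256 of every regular file under root, keyed by path relative to root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root, expected):
    """Compare a backup tree against the manifest recorded when the backup was made.

    Returns relative paths grouped as missing (in manifest, not in backup),
    changed (present but hash differs) and ok (present and identical)."""
    actual = manifest(backup_root)
    common = expected.keys() & actual.keys()
    return {
        "missing": sorted(set(expected) - set(actual)),
        "changed": sorted(k for k in common if expected[k] != actual[k]),
        "ok": sorted(k for k in common if expected[k] == actual[k]),
    }


def demo():
    """Constructed scenario: back up a folder, then damage the copy and re-check it."""
    work = Path(tempfile.mkdtemp())
    try:
        docs, backup = work / "documents", work / "backup"
        docs.mkdir()
        (docs / "grades.csv").write_text("student,score\nA12345,95\n")      # constructed content
        (docs / "syllabus.txt").write_text("Week 1: introduction\n")
        (docs / "old").mkdir()
        (docs / "old" / "notes.txt").write_text("archived notes\n")

        shutil.copytree(docs, backup)
        expected = manifest(docs)   # taken at backup time; keep it with the backup media

        # Later damage to the backup copy: one file overwritten with unrelated bytes
        # (what an encrypted file looks like to a hash check), one file removed.
        (backup / "grades.csv").write_bytes(b"\x00" * 32)
        (backup / "old" / "notes.txt").unlink()

        return verify_backup(backup, expected)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status:8s} {paths}")
```

A real restore test goes one step further and actually restores to a scratch location before hashing, since the backup software's own read path is part of what you are testing; the comparison logic is the same. Storing the manifest somewhere the backup cannot reach (offline, or on separate media, as habit 1 recommends for the backup itself) keeps an attacker who overwrites the backup from also overwriting the evidence that it changed.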

WHAT SHOULD YOU DO IF YOU GET RANSOMWARE?
Most importantly, don’t panic. If you have good backups, you’re probably OK with some technical assistance. As mentioned above, report the incident so you can get help.

Working Securely from a Remote Location

In this article:

  1. Use a separate login account
  2. Connect to campus with the Virtual Private Network
  3. Secure your home wireless network
  4. Keep your computer secure

University data stored on a computer you use remotely, whether the computer is owned by you or the university, is subject to the same policies as data located on campus. Per University policy, you are the custodian responsible for all University data on any computer you use.

It is your responsibility to know what types of University data you have on the devices you use whether at work or at home and to take steps to protect it.

Use a separate login account

If you use a personal device for University business and other members of your household share that computer, create a separate login account for your University work and data, with a strong password that only you know. Using a separate login ensures other users of your computer cannot view or access University documents.

Connect to campus with the Virtual Private Network

To connect to some department and central resources from off-campus, you may be required to use a VPN.

Connecting to the university network from home increases the risk of data exposure or password compromise because you have to use networks that are not controlled by the University. To minimize these risks, you should use the campus Virtual Private Network (VPN) when working with sensitive University data. This will ensure that everything you do is encrypted as it goes over the network. VPN protects your data from electronic eavesdropping.

Secure your home wireless network

Home wireless networks are easy to set up and extremely convenient to use. However, an insecure wireless environment poses several risks that need to be addressed:

  • Anyone near your home can use your Internet connection.
  • Anyone near your home may be able to access your computer.
  • Anything sent over the wireless connection could be stolen.

Check with your Internet provider on how to secure your wireless network.

For self-installed wireless equipment, the manuals that came with your wireless router should provide detailed information on how to secure your home wireless network.

Keep your computer secure

A very common problem with home computers is having out-of-date operating systems and browsers, as well as not having current firewall and antivirus software activated. If you're working on university business on a computer at home, whether your own or a University-owned computer, you must take measures to secure your computer and mobile devices.

Keep a Clean Machine.

  • Keep security software current: Having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats.
  • Automate software updates: Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that’s an available option.
  • Protect all devices that connect to the Internet: Along with computers, smartphones, gaming systems, and other web-enabled devices also need protection from viruses and malware.
  • Plug & scan: USB drives and other external devices can be infected by viruses and malware. Use your security software to scan them.