PSU has partnered with Sophos Phish Threat to help educate users on the dangers of phishing and social engineering.
Phishing is one of the main tools attackers use to obtain unauthorized access into organizations. These attacks are carried out through email, text messages, social media, messaging apps, and phone calls.
You all do a great job of detecting phishing messages! So, what is self-phishing and why would we do it?
Self-phishing is the practice of sending fake phishing emails in order to test your security awareness and to help you better identify and avoid real phishing scams. By self-phishing we can identify areas where we can improve our training and support.
We understand that self-phishing can feel like a nuisance or inconvenience, but it is a necessary step in protecting PSU from cyber threats. Self-phishing exercises are also audit and cyber insurance requirements. We have to demonstrate that we have effective security measures in place to protect our systems, data, and employees from cyber threats, which include phishing scams. Phishing is one of the top attack vectors for malware.
You will treat these emails just like any other phishing email. You can send it to abuse@pittstate.edu or mark it as Junk. If you happen to fall for the phishing email, you will get a simple message letting you know it was phishing and the things to look for in the future.
Don't get Hooked!
How to Spot a Phishing email:
Who is the message From? Who is the Reply-To?
- In Outlook if you hover over the From or Reply-To name or any clickable links, it will display the actual email address or web address.
- It is easy to fake a From email address. Don't be fooled even if the From is @pittstate.edu
- Does the web address start with: www.pittstate.edu or go.pittstate.edu - if not, be suspicious. Remember to hover your mouse over the link to see where the link will actually take you.
There is a sense of urgency.
- If you don't take action right now your account will be closed.
The email asks for personal information.
- Your email user name and password is personal information!
- Your credit card number or bank account information is personal information.
The email has bad grammar, odd formatting, or misspelled words.
- If it looks odd, be suspicious
The email is not signed by an actual person or there is no phone number to call for questions.
- The closing is from a generic "System Administrator", "Information Technology Services", or "IT Help Desk" instead of an actual person.
What if the email is from UPS, FedEx, airline, or cell phone company?
- There are lots of emails that "appear" to be from legitimate companies. If you aren't expecting a package, purchased a plane ticket, etc... then be suspicious of these emails.
- A safe practice is to go directly to the company's website and use that contact information. Not the information provided in the email.
- Never click the links in an email and provide personal information. Legitimate companies will not send an email asking for this information.
The email contains an attachment.
- Never open an attachment, unless you are expecting an attachment, even if it is from someone you know.
- Attachments are a common source of viruses and malware.
NOTE: With a spear phishing attack (very targeted attack), you may even see words like "ITS", "Outlook", "Pittsburg State University". The inclusion of these words does not make the email any more legitimate. This just means the attackers have done their research.
Legitimate emails from PSU will NEVER, ever, ask for your password.
"Passwords are like keys to your personal home online."
Here are some tips to keep your password protected:
DO NOT share your password with others
- That includes the help desk, co-workers, managers, friends and family.
- Passwords used on official PSU accounts should never be used for a personal account.
DO NOT make your password anything that can be easily found out about you
- It shouldn't be your pets name, the name of anyone in your family, the kind of car you drive.
- A strong password should be at least 8 characters long with a mixture of upper and lower case letters, special characters and numbers.
- Passwords should not be words found in the dictionary.
DO NOT use the same password for all your online accounts
- If one account gets compromised, then all your other accounts are at risk.
DO NOT write your password down
- Jot down a clue or a hint that will jog your memory. If you have to write it down, keep it stored in a safe, secure place away from your computer.
DO NOT check the "remember my password box"
- Many programs have no built-in security measures to protect this information. Some programs actually store the password in plain text in a file on the computer.
DO NOT keep the same password for months and months
- Change your password at least every 6 months.
- Changing your password often not only minimizes the chance that someone could guess or crack your password, it also shortens the length of time that person would have control of your system.
ITS will NEVER ask you for your password in an email - NEVER!
Here is a link to our current password policy.
https://www.pittstate.edu/it/information-technology-services/it-policies.html
Why do I need to change my password twice a year?
- Changing passwords periodically limits the amount of time that an attacker can access an account if he/she has guessed a password.
- Changing passwords periodically makes guessing a password harder.
- The university has adopted a password policy to protect our clients and to comply with the Kansas Information Technology Executive Council (ITEC) policy and guidelines
How do I change my password?
Password Recovery Options:
Password recovery options allow you to self-serve changing your password if you forget your password
What happens when I change my password off campus?
- BEST PRACTICE: Change your password on campus using your work computer so you are on the PSU domain (network).
- If you change your password using your work computer while off campus, your computer login will not get synced to the new password. Once you connect your computer to the PSU domain (network) your computer password will sync and you can use your new password.
- If you change your password from any other computer while off campus, your passwords will sync and you will be able to use your new password immediately.
What if I forget my password?
Don't Get Scammed!
Phishing attacks can often take advantage of current events and certain times of the year
- Natural disasters (hurricanes, tornadoes, tsunamis)
- Epidemic and health scares (Covid, H1N1)
- Major political elections
- Holidays
How to avoid being a victim
- Be suspicious of unsolicited phone calls, personal visits, email messages, text messages asking for donations or personal information
- Never give your credit card or other personal information to someone or an organization you don't know
- If you want to make a donation be sure to research the organization to make sure they are legitimate
- Beware of sound alike names
- Fake charities will try and mimic the legitimate organization
Facebook, Twitter, YouTube, Instagram, SnapChat, TikTok - Social Networking has become an integral part of our lives. They are a great way to stay connected, but you should be wary about how much personal information you share.
Here are some tips for protecting your social networking life:
Continually monitor your privacy and security settings
- These settings change periodically. Stay current with the apps you are using.
Once posted, always posted
- What you post online, stays online. Posts, pics, and tweets never truly go away so be cautious and considerate when posting about yourself or others.
Keep personal information personal
- The more information you post about yourself the easier it is for hackers or someone else to steal your identity, access your data or commit other crimes like theft or stalking.
Know and manage your friends
- Periodically clean up your friends list and use tools to manage the information you share with different groups of people.
Be honest if you're uncomfortable
- If a friend posts something that makes you uncomfortable or you think it is inappropriate, let them know.
Know what action to take
- If someone is harassing or threatening you, remove them from your friends list, block them, or report them to the appropriate authorities.
For additional information: www.staysafeonline.org
Keep a Clean Machine
How do I prevent getting malware on my computer?
- Keep your anti-virus software, operating system, and web browser up-to-date.
- Turn on automatic updates if available. Software updates help protect your computer against the latest threats and vulnerabilities.
- USB drives (flash drive, thumb drive) and other external devices can be infected. Use your security software to scan them.
- Install or enable a firewall. Firewalls may be able to prevent some types of infections by blocking malicious traffic to your computer.
- Don't follow links in emails making claims to good to be true. The same goes for pop-up windows. To safely close the pop-up window click the 'X' on the title bar, not the button in the window.
- Adjust your browser preferences to limit pop-up windows and cookies.
- Be very cautious when opening email attachments even if they are from someone you know and trust. If it looks suspicious, contact the sender before opening it to make sure they sent it and it is legitimate
Payment Card Industry-Data Security Standards (PCI-DSS)
Set of requirements designed by the credit card companies (Visa, MasterCard, American Express, Discover and JCB), to ensure that all companies that process, store or transmit credit card information maintain a secure environment.
Why is being PCI-DSS compliant important?
Failure to comply could result in substantial fines and PSU could lose the ability to take credit cards.
Before you go
Review the US State Department website for travel warnings and tips about your location. Travel advisories are not only issued for high risk areas but for COVID restrictions. This website is a great resource for international travel tips, guidelines and general information.
- Travel light. Take with you only what you need. If you can manage your trip without a laptop, tablet, and/or smartphone, leave them at home.
- Avoid bringing devices that contain private data.
- Evaluate the data you have stored on your hard drive and remove any sensitive/confidential data.
- It is recommended that you take a clean laptop with only the data you need for your trip.
- Clear your browser history and cache, including saved usernames and passwords.
- Delete any saved or favorite sites that could expose any personal information.
- Encrypt your hard drive, USB flash drives, external hard drives and any other external storage (if allowed at your destination). These devices should remain with you at all times and should be transported in carry-on luggage.
- Ensure smartphones and tablets are encrypted (if allowed at your destination) and protected by a PIN, passphrase, or biometric, such as a fingerprint or facial recognition. Remove all unneeded data, apps, and accounts from the device prior to travel. Register your device with a locator service such as Find My iPhone/iPad or Android Device Manager so that it can be wiped remotely if lost or stolen.
- Change your passwords and PINs. Change your unified PSU password, and any passwords for Internet services you will access while traveling, such as Gmail or Facebook. This includes PIN’s on tablets and smartphones.
- Update your software, especially your anti-virus, operating system, and browser. Updates often correct security vulnerabilities. Therefore, it's important to alwayskeep your software up-to-date, especially before traveling. If updates are necessary while abroad, download the updates directly from the software vendor’s website.
- Setup VPN on your laptop. Before you leave the country, install and test your VPN connection. Always connect to VPN before accessing university resources. When you connect your devices to Wi-Fi abroad, using VPN ensures that your data is securely sent over the Internet. This is important, as most public Wi-Fi networks cannot offer this protection.
- Backup your computer. Talk to your tech about backing up the data on your device.
- Determine if you need adapters or converters for your devices. Make sure you have the proper plug adapter. Modern laptops have "switching" power supplies that can use both standard AC and DC current in most countries, but wall outlets outside the United States are often a different style and may require you to use an adapter.
- Leave a copy of your passport, itinerary, and important phone numbers with family, friends, or coworkers so they can quickly and easily access the information and get it to you in the event your passport or other valuables are stolen.
Visit the GUSVerify website for information regarding using Duo while traveling.
While you are there
- Always connect to VPN before accessing university resources.
- Avoid using public workstations. The security of public workstations or even a friend’s computer, especially in high risk countries, cannot be trusted. When you use a public workstation, anything that you enter into the system - IDs, passwords, data - may be captured and used, so limit your activity to the devices that you bring. And never enter information such as bank account numbers, or credit cards numbers.
- Be aware of your surroundings when logging in or inputting data into your devices. There have been many cases where an ID, password or a piece of confidential information had been compromised simply by watching the person input the information. Be discrete when entering your ID and passwords. “Shoulder surfing” and cameras pointed toward keyboards are common ways that credentials are compromised.
- Be cautious clicking on pop-ups. This is especially true while using untrusted hotel Internet connections. Some pop-ups are actually scams designed to trick people into installing malicious software.
- Beware of software updates. Entities in foreign country have been know to push fake updates when a user connects to a local network so they can install malware and spyware.
- Do not use USB-based public battery charging stations. “Juice jacking” attacks can install malware on your mobile device and/or copy data from your device. Only use chargers you brought from home and know to be good.
- Reset your Password if you think your account has been compromised. You can reset your passwords yourself on the GUS Portal: https://psuapps.pittstate.edu/UI/AccountManagement/ChangePassword/PasswordWizard?page=1 if you need assistance contact the Gorilla Geeks: 620-235-4600 or geeks@pittstate.edu.
- Contact local authorities if your device is stolen. Also contact the IT Security Officer if your device is lost or stolen: ITSecurity@pittstate.edu.
When you return
- Reset your any passwords you used while traveling. When you return to the U.S., you should reset your passwords. If passwords were compromised while you were abroad, changing them upon your return will render the stolen ones useless.
- Have your tech scan for viruses and malware.
Recommendations
- Use a third party/commercial VPN
- FortiNet should only be used in case of an emergency
- Take an approved computer
- DO NOT take your PSU computer
- Use a local user account to login to the computer
Before You Leave
- Change your PSU password before you leave for China
- Let Amanda Williams know when your return flight is. Your PSU password will be reset when you leave China
When you get Back
- Change the PIN and/or password on any account you used while over there
- ITS will reset your PSU password when you leave China
- Change your password once you get to a secure computer
- The computers should not be used or turned on once you leave China
- Return the computer to the Geeks
Review the International Travel Guidelines.