I found a great site that lists whether or not companies offer two-factor authentication (2FA): https://twofactorauth.org/
The list includes internet, phone, financial, health, and government providers and much more. It also lists which 2FA options each provider offers (SMS, software token, or hardware token).
Data Privacy Day (Jan 28) is almost upon us. Here are a couple of ideas about how to celebrate by being more secure on the internet.
Take a moment to back up your important files! Whether you use a local USB drive or cloud storage is up to you, but be sure to use encryption for all confidential data.
Set up two-factor authentication (2FA) on your personal accounts. 2FA is a way of protecting your accounts beyond just a password. It typically involves using SMS text or a mobile app to sign in. Apple, Google, and Amazon all offer 2FA. Your employee data is already protected by 2FA in Workday.
Update your online account passwords. The most important thing to do is to always use unique passwords. Re-using passwords across systems puts you at higher risk for account compromise.
Secure your mobile phone and home computers by keeping up to date with operating system and application updates. Never download apps from sources other than the official Apple App Store or Google Play. Set a strong passcode on all mobile devices.
Be skeptical about any emails you receive about accounts or taxes. There is a heightened risk of tax scams this time of year. Your biggest clue that an email is a scam is if it is unsolicited and unexpected, especially if it contains a link or attachment.
Be careful when using public WiFi networks, which may be unsecured or compromised.
Check your credit reports for free through the Annual Credit Report website.
Check the FTC website regularly for scam alerts, including telephone scams.
Visit Stay Safe Online for tips on protecting your data online.
If you have been a victim of identity theft, learn more about recovery on the Federal Trade Commission’s IdentityTheft.gov website.
UW Professional and Organizational Development is sponsoring an ongoing course by Washington State Employees Credit Union on scams and identity theft.
Upcoming dates are Sept 12 and Oct 5.
Sent via email on 7/2/17.
- Workday: You can tell that these are legitimate because the links in the body of the email are for domain myworkday.com/uw/. Also, when the UW login screen pops up, the address is idp.u.washington.edu. Note that there are known scams related to Workday, so make sure to hover your mouse over the links in any Workday emails you receive to make sure they go to our Workday site and not a fake site.
- UW Athletics: You can tell that these are legitimate because the links in the body of the email are for domain uwathletics.fan-one.com. Per the UW Athletics dept, they have a new ticketing system and are sending out new system activation instructions to everyone who has used their system in the past.
Fake Fake Fake:
- American Airlines order confirmation email saying that your credit card was charged. The intention is to alarm you and fool you into providing your credit card info on the malicious website. Similar scams involve Apple and Amazon order confirmations. If you receive an order confirmation email and don’t know if it’s legit or fake, I recommend that you log onto the vendor website via bookmark or Google search rather than clicking on the link contained in the email.
- The usual phishing emails targeting UW accts. The latest one is called Unusual Login Attempt and has a link to the malicious website http://universityofwashiington.weebly.com/. Note that the domain of this link is not a UW domain (it’s weebly.com), therefore it is malicious.
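The domain check these tips describe (hover over the link and judge the host, not the visible text or the lookalike words in it), as an added example that is not part of the original newsletter. The allowlist of UW-related domains and the example.test hosts are assumptions built from the examples on this page, not an official UW list.

```python
from urllib.parse import urlsplit

# Allowlist built from the domains this page calls legitimate. It is an
# assumption for this example, not an official UW list.
TRUSTED_DOMAINS = ("washington.edu", "myworkday.com", "uwathletics.fan-one.com")

def link_host(url: str) -> str:
    """Lowercased host of a URL, ignoring scheme, user@ prefix, port and path."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_trusted(host: str) -> bool:
    """True only if host is a trusted domain or a subdomain of one (suffix match)."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def classify_link(href: str, display_text: str = "") -> str:
    """Verdict: trusted, lookalike, mismatch, untrusted or unparseable."""
    host = link_host(href)
    if not host:
        return "unparseable"
    # Visible text that looks like a URL but names a different, untrusted site.
    shown = display_text.strip()
    if "." in shown and " " not in shown:
        if link_host(shown) != host and not is_trusted(host):
            return "mismatch"
    if is_trusted(host):
        return "trusted"
    # A trusted name embedded in the host but not as its suffix,
    # e.g. washington.edu.example.test, is a classic lookalike.
    if any(d in host for d in TRUSTED_DOMAINS):
        return "lookalike"
    return "untrusted"

if __name__ == "__main__":
    # Constructed sample links mirroring the examples above; example.test is a placeholder.
    samples = [
        ("https://idp.u.washington.edu/", ""),
        ("https://www.myworkday.com/uw/", ""),
        ("http://universityofwashiington.weebly.com/", ""),
        ("http://washington.edu.example.test/login", ""),
        ("http://example.test/uw/", "www.myworkday.com/uw/"),
    ]
    for href, text in samples:
        print(f"{classify_link(href, text):12} host={link_host(href)}  {href}")
```

Note that the weebly.com link is reported as untrusted with its real host shown, which is exactly the point of the tip: the misspelled university name in the subdomain changes nothing.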
From our friends at Sophos, a great whitepaper on ransomware: what it is, how it works, and why it’s such a big security problem.
Just for fun, I wanted to share a TED talk by a British comedian who takes revenge on a spammer.
Don’t try this at home!
Tips for recipients:
* The key thing to watch out for is unsolicited email. Unsolicited means that you were not expecting it.
* It doesn’t matter if you recognize the sender or not: sender name and address are easily faked.
* If an unsolicited email contains a link or attachment, do not click the link or open the attachment unless you can verify that the sender sent you this exact email. It doesn’t matter that they have sent you emails in the past.
* Checking on unsolicited emails does take extra time. But it might save you from getting phished or having your computer infected with malware, both of which are time-consuming problems to fix.
Tips for senders:
* To the extent possible, don’t send emails with links or attachments. Instead, reference where the link or document is on a shared resource. Example: “To log onto the UW Employee Self Service webpage, please use the link on the Clinical Lab Links webpage under the UW Resources header.”
* Never send unsolicited emails with links or attachments. Always let your recipient know ahead of time if you will be sending a link or attachment.
* Never send links to secure systems that require login. This trains recipients to click links in email and log in when prompted, which is a key component of phishing campaigns.
Let’s do everything we can to keep ourselves and our co-workers safe!
Fake– These are scams, so do NOT click links and do NOT enter info into websites.
- Google Docs invite: This one looks very real because links actually go to Google. In this case, Google accounts were hacked and were hosting a phishing scam targeting Google accounts. Google has since shut this down.
- Xerox multifunction doc: This one includes “conf” or “order” in the title followed by a number. It is personalized with your name. It instructs you to open an attachment which was sent from a Xerox machine. The link looks like an attachment name, but actually goes to a malicious website.
- “You have a message from President Ana M”: Curious what the UW prez would like to tell you? Don’t be, because this one’s fake. It’s a scam to steal UW NetID credentials.
- “Update”: This one appears to be from a UW email address (faked). It targets your UW NetID acct, threatens to suspend your email if you don’t respond within 24 hrs, and contains a link to a malicious website.
- “NetID Update”: This one also appears to be from a UW address. It also targets UW NetID and threatens to terminate your acct if you do not respond. It has a link which appears to be to a UW website, but is actually a malicious website.
- “Employee Self Service”: This one is a real mishmash. It features obviously fake email addresses, references to Microsoft Outlook, a link to a malicious website, and oddly, a National Health Laboratory Service disclaimer.
- “Re-validate mailbox”: This is another generic sort of phishing email targeting Microsoft Outlook users. It asks you to verify your acct in order to increase storage capacity.
- “Scanned_Invoice873.pdf -Dropbox”: This one invites you to go to a malicious website (supposedly Dropbox) and retrieve a mysterious PDF invoice.
Real– I have confirmed that the following are legit emails. You may safely click links in the email and enter your personal information on the websites.
- UW Transportation office reminder to renew UPASS and other commute products.
- UW Transportation office request to update vehicle registration.
- UW Office of Regional and Community Relations employee housing survey (links to Survey Monkey).
Can’t get enough of phishing examples? No problem!
The UW CISO (Office of the Chief Information Security Officer) has some great examples on their webpage.
They also have a great explanation of phishing vs. regular old spam emails.