I found a great site that lists whether or not companies offer two-factor authentication (2FA): https://twofactorauth.org/
The list includes internet, phone, financial, health, government providers and much more. It also lists what 2FA options each provider offers (SMS, software token, or hardware token).
Data Privacy Day (Jan 28) is almost upon us. Here are a couple of ideas about how to celebrate by being more secure on the internet.
Take a moment to back up your important files! Whether you use a local USB drive or cloud storage is up to you, but be sure to use encryption for all confidential data.
Set up two-factor authentication (2FA) on your personal accounts. 2FA is a way of protecting your accounts beyond just a password. It typically involves using SMS text or a mobile app to sign in. Apple, Google, and Amazon all offer 2FA. Your employee data is already protected by 2FA in Workday.
Update your online account passwords. The most important thing to do is to always use unique passwords. Re-using passwords across systems puts you at higher risk for account compromise.
Secure your mobile phone and home computers by keeping up to date with operating system and application updates. Never download apps from sources other than the official Apple App Store or Google Play. Set a strong passcode on all mobile devices.
Be skeptical about any emails you receive about accounts or taxes. There is a heightened risk of tax scams this time of year. Your biggest clue that an email is a scam is if it is unsolicited and unexpected, especially if it contains a link or attachment.
Be careful when using public WiFi networks, which may be unsecured or compromised.
Check your credit reports for free through the Annual Credit Report website.
Check the FTC website regularly for scam alerts, including telephone scams.
Visit Stay Safe Online for tips on protecting your data online.
If you have been a victim of identity theft, learn more about recovery on the Federal Trade Commission’s IdentityTheft.gov website.
UW Professional and Organizational Development is sponsoring an ongoing course by Washington State Employees Credit Union on scams and identity theft.
Upcoming dates are Sept 12 and Oct 5.
From our friends at Sophos, a great whitepaper on ransomware: what it is, how it works, and why it’s such a big security problem.
Just for fun, I wanted to share a TED talk by a British comedian who takes revenge on a spammer.
Don’t try this at home!
Yet another phishing email. This one gets credit for having an interesting-sounding web address, in any case: techembryo.com. You can see the web address by hovering your mouse (don’t click) over the link below that says View Details.
This one has a plausible-sounding sender address, but we can’t rely on the sender address for proof of legitimacy because the sender address can be easily “spoofed.” The only way to tell if an email is legit is to hover over the link and see where it really goes.
Subject: IT HelpDesk
Date: Thu, 4 Aug 2016 09:25:17 -0500
From: University of Washington <email@example.com>
You have one new message from Mercer IT HelpDesk regarding your mail account.
University of Washington
Another phishing email targeting UW email accounts.
It initially appears to contain a link called “Click on show images to read secured message” (see image 1 below). In some email applications, clicking the link will take you directly to a malicious website. In other applications, it will turn into an image (see image 2 below), which is itself a link. If you then click anywhere on the image, it will go to a malicious website.
Another thing that is notable about this email is that the link includes washington.edu and uw.edu. However, it does not go to a washington.edu or uw.edu website.
Let’s break this web address down into its components: domain, directory, and webpage.
Of the 3 components, the one you need to check is the domain. In this example, we can see it is NOT a washington.edu or uw.edu domain and is therefore not a legitimate UW website.
The directory and webpage components do contain washington.edu and uw.edu, but this does not matter. These components can be named anything.
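The same check in code, as an added example that is not part of the original post: it splits a link into domain, directory, and webpage and judges it on the domain alone. The sample links are constructed, and the trusted-domain list is an assumption based on the two UW domains named above.

```python
import posixpath
from urllib.parse import urlsplit

# Assumption: the two domains the post treats as legitimate UW domains.
TRUSTED_DOMAINS = ("washington.edu", "uw.edu")


def split_link(url):
    """Split a link into the post's three parts: domain, directory, webpage."""
    parts = urlsplit(url)
    # .hostname lowercases the host and drops any "user@" prefix or ":port" suffix.
    domain = (parts.hostname or "").rstrip(".")
    directory, webpage = posixpath.split(parts.path)
    return domain, directory, webpage


def is_trusted_domain(domain):
    """True only for a trusted domain itself or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_link(url):
    """Return (verdict, domain): 'trusted', 'lookalike' or 'untrusted'."""
    domain, _directory, _webpage = split_link(url)
    if is_trusted_domain(domain):
        return "trusted", domain
    # The domain is not UW's, so a UW name anywhere in the link is only bait.
    if any(d in url.lower() for d in TRUSTED_DOMAINS):
        return "lookalike", domain
    return "untrusted", domain


# Constructed sample links (not taken from the emails in the post).
SAMPLES = [
    "https://www.washington.edu/students/index.html",
    "http://mail-update.example/washington.edu/uw.edu/login.html",
    "http://washington.edu.account-check.example/verify.html",
    "http://uw.edu@account-check.example/verify.html",
    "http://account-check.example/verify.html",
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict, domain = check_link(link)
        print(f"{verdict:10} domain={domain:40} {link}")
```

The third and fourth samples show two other places a UW name can appear without the link going to UW: at the front of a longer domain, and before an `@` sign.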
Another pair of phishing emails targeted at UW email:
From: Linscott, Brian
Sent: Wednesday, June 8, 2016 8:21 AM
Subject: Helpdesk Update
Your e-mail account was LOGIN today by Unknown IP address Unknown IP 232.22.88 233,click on the Administrator link below to validate your e-mail account or your account will be temporary block for sending more messages.
Click Link To Validate Your Account
Subject: Problem with your email account
Date: June 6, 2016 12:25:53 PM PDT
Member Services identified a problem with your email account. To correct this issue, please click here to resolve.
© 2016 University of Washington | Seattle, WA
I will be posting malicious email alerts here as well as answering security questions and providing tips on how to stay safe on the internet.