CONTACT US AT:
Information Security Office
Clear Lake Center
Suite 1.158
Webster, TX 77598-1230

Phone: 409.772.3838
Email: iso@utmb.edu

 


The Information Security Corner With Bob Shaffer

I’m not trying to be a Grinch, but not everyone’s singing “It’s the most wonderful time of the year.” According to CNN, someone in the U.S. is a victim of identity theft every two seconds. Identity theft can happen when your personally identifiable information (e.g., name, SSN, credit card number, etc.) is exposed and accessed by unauthorized individuals whose intent is to use it for financial gain or other types of illegal activities.

Let’s face it, identity theft is not going away anytime soon. It was ushered in with the boom of the online age and will be here for the foreseeable future. While it’s impossible for us to completely prevent identity theft from happening, we can take some simple steps that will significantly reduce our chances of becoming a victim.

Beware of Phishing

This is one of our biggest headaches at UTMB. A phishing attempt is someone masquerading as someone they’re not, in order to get information or to encourage a user to do something that they normally wouldn’t.

Email phishing - No reputable organization will ever ask you for personal information over email. If they do, refuse to give it to them. Emails with links that are asking you to “Click Here” to update personal information must be scrutinized. Is that link really taking you the place that it says, or has it been forged and is taking you to a place to steal your password? It doesn’t take much to validate the authenticity of an email. Know the red flags. One red flag is not necessarily an indicator of a phishing attempt. However, it’s you that’s making the judgment call. If it looks suspicious, get a second opinion, or sent it to cirt@utmb.edu; we’ll validate it for you.

Red Flags

Let’s say it’s a well-crafted phishing email and you clicked on the link; it’s not the end of the world. It’s going to take you to a webpage that will ask you for information. Again, think about the red flags.

  • Is the site branded to the organization it’s associated with? If it’s supposed to be a UTMB page, then there should be a UTMB logo on it.

  • Look at the address bar; does it make sense, are you at the correct site?

  • Is it asking for information other than your username and password? If the site is prompting you to enter credit card, bank account or social security numbers, it’s an outright scam; exit the page immediately.

  • Last, but definitely not least, if you enter your username and password and it doesn’t take you anywhere, or it takes you to a place you weren’t expecting, your account information was probably just stolen. Change your password immediately.

Phishing phone calls - We’ve had several reports of folks receiving phone calls from “technicians” claiming to be with Microsoft. The call usually starts off by informing you that your PC has been identified as being infected with a virus or something to that effect. The goal is to take control of your computer and install malicious software that could capture sensitive data, such as online banking information, usernames and passwords. To make matters worse, they’ll try and charge you for the software installation. If you receive one of these calls, simply say “no thanks” and hang-up.

Computer hijacking and ransomware

We’ve had several people fall victim to this scam. This is a process of locking you out of your computer, with demands to pay $300 using Bitcoin or a prepaid cash voucher for an unlock code.

Ransomware

Some of these are recoverable by simply using a virus scanner. Others, such as Crytolocker actually encrypt the contents of your hard-drive and are very difficult to recover from. The majority of PCs infected with Crytolocker are reformatted, meaning that all your stored files are deleted and lost forever.

How do you defend against these types of threats?

Always run an up-to-date antivirus (http://windows.microsoft.com/en-us/windows/security-essentials-download) on your computer and be very careful when opening email attachments. The Cryptolocker virus is initiated by opening an attachment with a “zip” extension.

Not to pick on FedEx, UPS or the U.S. postal Service, but most Cryptolocker incidents are from emails that appear to come from one of these organizations. Typically the subject line is “You’ve Missed a Delivery” or “Your Package is Available for Pickup.” Unless you are expecting a package, be very leery of these types of emails.

Online Shopping

Bloomberg reports that 44 percent of all holiday shopping will be done online this year. To me this makes sense; I personally find online shopping to be less stressful and sometimes cheaper than the brick and mortar stores. While there are benefits, the risk of falling victim to fraud and ID theft are greater than shopping at a traditional store. Following these simple tips will minimize your chances of becoming a statistic:

  1. Shop at well-known, established websites. Some attackers try to trick you by creating malicious websites that appear legitimate.

  2. Don’t trust links in email. Type the website address into the Web browser yourself. This will prevent you from being redirected to a fraudulent site.

  3. Make sure the site is secure. Before you enter any personal or financial information to make an online purchase, look for signs that the site is secure. This includes a closed padlock on your Web browser’s address bar or a URL address that begins with “https.” This will prevent your credit card information from being stolen during transmission.

    https

  4. Use a safe payment card. Credit cards are generally the safest option because they allow buyers to seek a credit from the issuer if the product isn’t delivered or isn’t what was ordered. Debit cards don’t always allow for these provisions.

  5. Keep the storage of personal information to a minimum on shopping sites. You don’t have to store credit card information on most sites. You can enter it each time a purchase is made. This will prevent your information from being compromised if the site is ever hacked.

  6. Use a unique password for each computer account you have. Your Amazon username and password should not be the same as your UTMB username and password. Passwords should be constructed so they’re not easily guessable. They should be at least 6-8 digits, have uppercase and lowercase characters, numbers and special characters. For example, choose a word with at least eight characters, say “Washington.” Change out some of the letters with similar numbers and special characters and you have W@$hingt0n -- a strong password that is easy to remember.

I’m not going to guarantee that if you know the red flags and you follow these tips, you won’t fall victim to identity theft or some other type of an account compromise. However, I will guarantee that if you do, your chances of becoming a statistic will be greatly reduced.

Happy holidays, and be careful out there.

Remember Sec-U-R-IT-y

Thank You,

Robert V. Shaffer Jr.
Director of Information Security

Search the National Vulnerability Database
Enter Vendor. Software or Keyword