By CRISTINA JANNEY
Hays Post
“Trust no one. Trust no network.”
Jessica States, information security officer for Fort Hays State University, was trying to emphasize the prevalence of scams and phishing on the Internet.
She addressed a few of the issues students and faculty face during a Wednesday online security lecture sponsored by the American Democracy Project.
States focused on three main areas: job scams, extortion and credential theft. She also left her audience with a few general tips and resources for cyber security.
Job scams
FHSU students are consistently being targeted by job scams. The example States shared Wednesday resulted in an FHSU student losing about $2,000.
The student received a letter offering a job for which he would be paid in advance. The letter came from an .edu address from a person claiming to be a college professor. The student received and deposited several checks in his bank account. In the meantime, the scammer requested the student purchase gift cards and send him the redemption codes, so he could send a gift to his nephew.
By the time the bank alerted the student a couple of weeks later that the checks were fraudulent, the money on the gift cards had been spent.
States said students and other consumers fall prey to job scams because they don’t understand how the banking system works.
“So true or false? When you deposit a check or money order into your account, does your bank make sure it’s good before they put the money in your account?” States asked. “Most people think this is true. They think your bank verifies a check is good before they let you spend the money. This is false.”
States said people assume that because the check shows up as a memo line on their account, the bank has verified its authenticity. Verification can take up to a couple of weeks, especially if your bank is trying to clear a check from an international bank.
Red flags in this email included a wage that seemed to be too good to be true — $450 per week for three hours of work.
“If it seems too good to be true, it probably is,” States said. “This is where, especially our younger students get caught. They think it is coming to my Fort Hays email address. It sounds really good. It talks about Fort Hays. It must be legitimate. If they would just take a second, pause and think about it, it is really too good to be true.”
No employer should ever ask you to buy gift cards or wire them money. Paying in advance is also suspicious.
Email addresses should not be trusted. Email accounts can be hacked or spoofed.
Check out the alleged employer, States said. You should be able to track down the person through LinkedIn and contact them through other means than the email address you have been given.
The scammer also attempted to get the student to use an alternate email address rather than the more secure university account, which circumvents the university’s firewalls.
Extortion
On Monday, a university staff member received an extortion email. The email threatened to release an email containing embarrassing information about the staff member to all of their email contacts unless a $977 ransom was paid in bitcoin.
The subject was the person’s username and an old password, which made it appear more authentic.
There have been tons of data breaches in recent years, including Yahoo, eBay and Sony PlayStation, so it is very possible you have a current or old password out there on the dark web, States said.
“Scammers are going to use any personal information they have about you to make the scam seem more realistic,” States said.
States said she doubted the scammer had any compromising information on the person in question. Scammers prey on fear and a victim’s guilty conscience.
Fort Hays has never paid an extortion ransom, but States said she did not know about individuals.
If you are hit with an extortion attempt, don’t panic and don’t reply to the email. If you reply to the email, the scammer knows they have a legitimate email address.
If you are still using the password the scammer has noted in the email, change it immediately on all accounts it is being used on.
Mark the email as spam and delete it.
“It is basically free for them to send millions of emails,” States said. “The one statistic that I was looking at earlier, there are 100 million phishing emails that go out every day. … Even if 99 percent of them are blocked, that would still be a million that would get through. That is a lot. Even if one person falls for it, they have just made $977 in bitcoin for very little work.”
A fake tech support scam that was circulating last year made the scammers an estimated $24 million in two months, States said.
Credential theft
On Monday, States said someone at the university reported being the subject of an attempted credential theft scam.
The attacker spoofed the From line to indicate it was coming from the user’s own email. The scammer was trying to get the recipient to enter his or her account username and password.
If you had hovered over the link with your cursor, you would have seen it took you to an odd off-campus address, States said.
The email had some grammar mistakes, which should be a clue that it was a fake.
“The thing you have to remember, for people who especially English is not their first language, grammar mistakes are not a big indication of phishing,” States said. “While I do put some emphasis on that, it is not always the greatest tool to figure out it is phishing. Plus I have seen some official emails that came out that had some pretty glaring mistakes.”
Phishing messages can also come via text.
Scam signs
• Who is it from?
• Look at the Reply To. Is that different than the alleged sender? The scammer may have stolen an email address and is now trying to redirect you.
• Sense of urgency. Scammer may try to get you to act right away without being able to confirm information or think things through.
• Generic greetings
• Scammer is requesting a credit card number
• Hover over links, so you know where it is taking you.
• Be wary of attachments
• Is the sender who they say they are? If an email that is supposedly coming from a friend does not sound like that person, independently confirm the information in the email before taking action. Your friend may have been hacked.
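Several of these signs, along with the spoofed From line and off-campus link in the credential theft email described above, can be checked mechanically from a message's headers and links. The sketch below is an added example, not something presented in the lecture or the article. The domains campus.example and mail-verify.example, the sample message and the function names are constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed sample message; campus.example and mail-verify.example are placeholders.
SAMPLE = """\
From: Pat Student <pat@campus.example>
Reply-To: helpdesk@mail-verify.example
Content-Type: text/html; charset="utf-8"

<p>Dear user, <a href="http://login.mail-verify.example/owa">https://webmail.campus.example</a></p>
"""

class Links(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.href, self.text.strip()))
            self.href = None

def host_of(url):  # lower-case host of a URL-looking string, '' when there is none
    ok = "." in url and " " not in url
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower() if ok else ""

def scam_signs(raw, recipient, campus):
    msg, signs, links = message_from_string(raw), [], Links()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender == recipient.lower():           # From line claims to be the reader
        signs.append("from-is-recipient")
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if reply and reply.rpartition("@")[2].lower() != sender.rpartition("@")[2]:
            signs.append("reply-to-mismatch")  # replies would go somewhere else
    for part in msg.walk():                    # every HTML part of the message
        if part.get_content_type() == "text/html":
            links.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    for href, text in links.found:            # what hovering over the link reveals
        target, shown = host_of(href), host_of(text)
        if target != campus and not target.endswith("." + campus):
            signs.append("off-campus-link:" + target)
        if shown and shown != target:
            signs.append("link-text-mismatch")
    return signs
```

Calling scam_signs(SAMPLE, "pat@campus.example", "campus.example") reports all four signs for the constructed message. A clean result does not make a message safe, since the From and Reply-To headers themselves can be faked.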
Don’t
• Wire money to someone you don’t know
• Buy and provide people with codes for gift cards
• Trust Caller ID
• Trust email addresses. They can be faked.
Do
• Resist the urge to act immediately
• Check the story out
• Look at a URL before you click on it.
• Let unknown numbers go to voicemail
• Use strong, unique passwords
• Report phishing or scams to FHSU Tech Support, the police, and/or Google
• Enroll in two-factor authentication. This pairs something you know with something you have, such as a password with a cell phone or a hardware token that can receive a security code. FHSU faculty and staff are moving to this security process this week. It will be optional for FHSU students as of this summer.
Helpful links
Check to see if you have an account that has been compromised in a data breach, haveibeenpwned.com
Sign up for two-factor authentication, twofactorauth.org/
Phishing quiz, phishingquiz.withgoogle.com/
Cyber security tips, www.stopthinkconnect.org