Information Security Office Cyber Savvy

Phishing Scams and Multi-Factor Authentication (MFA)

What are phishing scams?

A phishing scam is an attempt to steal your account credentials (your username and password) or other important personal information. These generally come in the form of an email impersonating a legitimate source, like a university official, bank, potential employer, etc. They will usually either include a link to a spoofed website or request a reply to a third-party email address, and attempt to trick the recipient into providing personal information like account passwords, multi-factor codes, credit card info, etc.

These scams usually try to panic the recipient using urgency and fear, so they do not think to verify the legitimacy of the email before responding. They will often claim the recipient will lose access to their account if they do not immediately verify their credentials. No legitimate institution makes this kind of request.

Unfortunately, these scams are very common. All an attacker needs to target you is your email address, and it’s easy enough for them to send a somewhat convincing message. Learning common red flags and always treating unexpected emails with caution are key to protecting yourself and your information.

How to identify a phishing scam:

  • Urgent requests: Scams often try to panic the recipient into responding quickly, before they notice red flags.
  • Bad spelling or grammar: Scam emails frequently have poor spelling, grammar, or formatting.
  • Unexpected or mismatched email address: Make sure the domain (the part after the @) makes sense for the sender – for UVM, it should always be @uvm.edu. Also, make sure when you hit reply, the email address doesn’t change – if it does, the email was likely sent from a spoofed address.
  • Generic signature: University messages are generally signed by a university official or department and provide contact information for questions or concerns. Scams will often have something vague like “IT Department” (not a real department name at UVM).
  • Unexpected requests for personal information: Be extremely wary of following links or answering questions when you did not initiate the communication.
  • Strange links: Scams will often include links to sites impersonating a legitimate site. They may do this by making a similarly named site or disguising it with a hyperlink. You can always hover your cursor over a link to see where it’s actually sending you. If you are not sure a link is legitimate, you can generally go directly to the organization’s website instead or contact them via phone to verify.
  • “Too good to be true” offers: Many scams are centered around offering something the recipient would be excited to receive – such as free electronics, a high-paying job, debt relief, etc. If it’s unprompted and sounds too good to be true, it’s probably a scam.
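As an added illustration (not part of the original UVM page), here is the checklist above expressed as a small Python checker run over a constructed sample message. The expected @uvm.edu sender domain, the urgency phrases and the simple anchor-tag regex are assumptions made for this example:

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

EXPECTED_DOMAIN = "uvm.edu"  # the checklist says UVM mail should always come from @uvm.edu
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended", "verify your account")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)  # enough for simple HTML

def domain_of(header):
    """Domain part of an address header such as 'Name <user@host>'."""
    return parseaddr(header)[1].rpartition("@")[2].lower()

def host_of(url):
    """Hostname of a URL, tolerating link text written without a scheme."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def phishing_red_flags(raw_email):
    """Return the checklist red flags that a single-part HTML message trips."""
    msg = message_from_string(raw_email)
    sender, reply_to = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    body = msg.get_payload()
    flags = []
    if sender != EXPECTED_DOMAIN:
        flags.append(f"sender domain {sender!r} is not {EXPECTED_DOMAIN!r}")
    if reply_to and reply_to != sender:  # hitting reply would send mail somewhere else
        flags.append(f"Reply-To domain {reply_to!r} differs from the sender")
    for href, text in ANCHOR.findall(body):
        text = text.strip()
        if re.fullmatch(r"\S+\.\S+", text) and host_of(text) != host_of(href):
            flags.append(f"link shown as {text!r} actually goes to {host_of(href)!r}")
    if any(p in body.lower() for p in URGENCY_PHRASES):
        flags.append("urgent language pressuring an immediate response")
    return flags

# Constructed sample message (not a real email): spoofed @uvm.edu sender, mismatched
# Reply-To, a link whose visible text disagrees with its target, and urgency wording.
SAMPLE = """From: "IT Department" <alerts@uvm.edu>
Reply-To: helpdesk@uvm-support.example
Subject: Action required
Content-Type: text/html

<p>Your mailbox will be suspended. Verify your account immediately at
<a href="http://uvm-login.example/verify">https://account.uvm.edu</a>.</p>
"""

if __name__ == "__main__":
    for flag in phishing_red_flags(SAMPLE):
        print("RED FLAG:", flag)
```

Note that the spoofed sender passes the domain check on its own; it is the changed Reply-To and the disguised link that give the message away, which is why the checklist tells you to look at the reply address and hover over links.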

What are MFA fatigue attacks?

In addition to traditional phishing scams, attackers are increasingly using MFA fatigue attacks to gain unauthorized access to accounts. These attacks exploit the multifactor authentication (MFA) process by bombarding users with repeated authentication requests, often through push notifications or emails, until the user inadvertently approves the access request out of frustration or confusion. As a refresher, UVM’s MFA uses DUO and allows users to approve a login session through the DUO app or via text messages.

How MFA fatigue works:

  1. Phishing for Credentials: Attackers may first steal your username and password via phishing or other means.
  2. Triggering MFA Requests: Using your stolen credentials, they repeatedly attempt to log in, sending you a flood of MFA prompts to your device.
  3. Exploiting Fatigue: If you approve the request, even accidentally, the attacker gains access to your account.

How to recognize and avoid MFA fatigue attacks:

  • Unexpected Prompts: Be wary if you receive repeated MFA requests without trying to log in yourself.
  • Verify the Source: If you receive an MFA request, confirm it’s legitimate by checking if you initiated the login attempt.
  • Do Not Approve Unverified Requests: Never approve a login request unless you’re certain it’s your own.
  • Contact IT: If you suspect an MFA fatigue attack, notify the IT department immediately.
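An added example, not from the original page, of how the "unexpected repeated prompts" pattern from steps 2 and 3 above can be spotted in authentication logs. The log shape, the 10-minute window and the five-prompt threshold are assumptions made for this illustration, not Duo's real log format or any UVM policy:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumption: prompts closer together than this form one burst
BURST = 5                       # assumption: prompts inside WINDOW that count as a flood

# Constructed sample in a simplified "timestamp,user,push result" shape; not Duo's real log format.
SAMPLE_LOG = """\
2024-03-04T08:00:05,alice,push_denied
2024-03-04T08:00:40,alice,push_timeout
2024-03-04T08:01:10,alice,push_denied
2024-03-04T08:01:55,alice,push_timeout
2024-03-04T08:02:30,alice,push_denied
2024-03-04T08:03:02,alice,push_approved
2024-03-04T09:15:00,bob,push_approved
2024-03-04T12:30:00,carol,push_denied
"""

def parse_log(text):
    """Yield (timestamp, user, result) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, user, result = line.split(",")
            yield datetime.fromisoformat(ts), user, result

def mfa_fatigue_alerts(log_text):
    """Return (user, kind, detail) alerts. 'flood' fires once when a user receives BURST push
    prompts inside WINDOW; 'approved-after-flood' fires when a prompt is approved while that
    burst is still inside the window, which is the outcome step 3 above warns about."""
    recent = defaultdict(deque)  # user -> timestamps of prompts still inside the window
    flooded, alerts = set(), []
    for ts, user, result in parse_log(log_text):
        window = recent[user]
        window.append(ts)
        while ts - window[0] > WINDOW:  # drop prompts that have aged out of the window
            window.popleft()
        in_burst = len(window) >= BURST
        if in_burst and user not in flooded:
            flooded.add(user)
            alerts.append((user, "flood", f"{len(window)} prompts by {ts.isoformat()}"))
        if in_burst and result == "push_approved":
            alerts.append((user, "approved-after-flood", ts.isoformat()))
    return alerts

if __name__ == "__main__":
    for user, kind, detail in mfa_fatigue_alerts(SAMPLE_LOG):
        print(f"{kind:22} {user:8} {detail}")
```

Bob's single approved prompt and Carol's single denial produce no alert; only the burst against Alice, and the approval that follows it, are reported.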

How to handle phishing scams or MFA fatigue attacks:

If you suspect an email you’ve received in your UVM account is a phishing scam or if you experience an MFA fatigue attack, take the following steps:

  1. Report the Incident:
    • Forward suspicious emails to abuse@uvm.edu.
    • Report repeated MFA prompts or other unusual activity to the UVM Tech Team at (802)656-2604 or helpline@uvm.edu.
  2. Protect Your Account:
    • If you clicked on a phishing link or approved an unauthorized MFA request, change your password immediately through the organization’s official website. For UVM, visit: account.uvm.edu.
  3. Delete the Message: After reporting the email or attack, delete it from your inbox to avoid accidental engagement later.

Learning to identify and respond to these tactics is key to keeping your accounts secure. If you have any questions about the legitimacy of a request or need further assistance, don’t hesitate to contact the UVM Tech Team. Together, we can protect our community from cyber threats.

Tips for Safe Online Shopping


Safe Online Shopping: A UVM Guide for the Holiday Season

As the holiday season approaches, many of us at the University of Vermont will turn to online shopping for its convenience and variety. While e-commerce brings ease to our holiday preparations, it also poses unique cybersecurity risks. This guide is here to help you, whether you're a tech-savvy student, staff, or faculty member, navigate online shopping safely.

Understanding the Risks: Online shopping can expose you to risks such as fraudulent websites, identity theft, and phishing scams. Cybercriminals often create convincing fake websites or send scam emails offering incredible deals to trick you into disclosing personal and financial information.

Verify Website Uses Encryption: Always check the URL of the website. Look for 'https://' at the beginning of the web address and a padlock icon, indicating an encrypted connection. Keep in mind that the padlock only means the connection is encrypted; fraudulent sites can use 'https://' too, so it does not by itself prove the site is legitimate.

Use Familiar Websites: Start at a trusted site rather than shopping with a search engine. Search results can lead you astray, especially if you drift past the first few pages.

Beware of Too-Good-To-Be-True Deals: If an offer looks too good to be true, it probably is. Be skeptical of extremely low prices and "limited-time" offers.

Use Secure Payment Methods: Pay using secure payment methods like credit cards or well-known payment services. Avoid direct money transfers or wiring money.

Keep Your Devices Updated: Ensure your computer, smartphone, or tablet has the latest security updates and antivirus software.

Avoid Public Wi-Fi for Transactions: Public Wi-Fi networks are not secure for financial transactions. Wait until you can use a secure, private connection before purchasing.

Monitor Your Accounts: Regularly check your bank and credit card statements for any unauthorized charges. Follow up with your financial institution if you believe the charges or statements are inaccurate.

Strong Passwords and MFA: Use strong, unique passwords for your accounts and enable multi-factor authentication (MFA) where available.

Educate Yourself About Phishing Scams: Be aware of phishing tactics. No reputable company will ask for sensitive information via email. Nobody should ask you to buy gift cards simply to get the codes.

Protect Your Personal Information: Be cautious about how much personal information you provide on shopping websites. Fill out only the mandatory fields at checkout.

Reporting Fraud: Your Action Matters

If you suspect or fall victim to online fraud, it's crucial to report it promptly. This not only helps in potentially recovering any losses but also aids in preventing others from being victimized. Here's how you can report:

UVM Police Services: If you believe the fraudulent activity is related to or has affected your work or study at UVM, immediately report it to UVM Police Services. They can provide guidance and assistance. Contact UVM Police Services at 802-656-3473.

Vermont Office of the Attorney General: For broader concerns, especially those involving consumer fraud or identity theft, the Attorney General’s Office is a valuable resource. They offer guidance on the next steps and can take appropriate action. Visit their Consumer Protection page (Consumer Information | Office of the Vermont Attorney General).

Federal Trade Commission (FTC): The FTC also handles complaints about identity theft, scams, and fraudulent business practices. Filing a complaint can be done online at ReportFraud.ftc.gov.

Conclusion: In the digital realm, your caution is your best protection. By staying informed and vigilant, you can enjoy the convenience of online shopping without compromising your security. Let’s all commit to making our online shopping experiences at UVM safe and secure this holiday season.

Remember, cybersecurity is a shared responsibility – your actions can help keep not only you but also our entire UVM community safer.

Celebrating Cybersecurity Awareness Month at UVM!


October marks the annual Cybersecurity Awareness Month, and here at the University of Vermont we're committed to fostering a safer digital environment for everyone. This event, championed by the Cybersecurity and Infrastructure Security Agency (CISA), emphasizes the collective responsibility we share in protecting our online spaces.

As you navigate the digital realm, whether for study, work, or leisure, remember these four essential tips:

  1. Stay Updated: Regularly update your software, apps, and devices. Cyber attackers often exploit known vulnerabilities, but updates can shield you from many common threats.
  2. Think Before You Click: Beware of unsolicited communications and never click on suspicious links or download dubious attachments. Phishing scams thrive on hasty decisions. Report suspected scams and phishing to abuse@uvm.edu.
  3. Protect Your Personal Info: Your personal data is valuable; guard it like treasure. Always use strong, unique passwords and avoid registering for non-University affiliated sites with your uvm.edu address.
  4. Enable Multi-factor Authentication (MFA): Using MFA adds a layer of security to all your transactions. Financial, medical, and personal information are all worth a little extra effort to protect.

By implementing these steps, you're not only securing your own digital space but also contributing to a safer UVM community. More information can be found on CISA’s Cybersecurity Awareness Month page.