Protect Yourself 

Scammers regularly send phishing emails in which they impersonate trusted officials and experts in emails to target faculty, staff, and students at universities

You may not think you have much in your computing account that a criminal could want, but you do. Your U-M account provides access to valuable services and resources. Here are just a few examples:

• Library access. You have access to licensed journals and other materials that criminals can sell on the black market.

• A university email account. People tend to trust emails sent from educational institutions with addresses that end in .edu. Criminals can use compromised email accounts to send spam and phishing emails.

• Your personal information. You can log in to Wolverine Access to see and update personal information such as your address, emergency contacts, tax information, and paycheck direct deposit details.

• Money. Criminals try to trick people into sending money by making the request appear to be for a university financial transaction. Be suspicious of unexpected requests for payment via wire transfer or gift card.

• Access to online storage and other services. You have access to Google Drive at SU, specialized software, and more.

• Special access. Managers have access to information about the employees who report to them. Researchers have access to cutting-edge research data. System administrators have privileged access to SU systems.

• Network access. You have access to on-campus networks and the SU VPN. This gives you access to resources and services that are limited to those connecting from SU networks.

Targeted Phishing Emails Based on Public Information

As a public institution, the university publishes contact information on many college, school, department, and unit websites. Scammers:

1. Find organizational web pages with contact addresses, names, and email addresses, and postings on social media with names and addresses to use.

2. Set up free email accounts using those names.

3. Send messages to the groups and individuals they found online. The emails might ask for help making a payment or for information for a report.

For example, a scammer could look online to find out who the dean of our school is, create a free email account using a version of the dean's name, and then send emails from that account to individual faculty and staff members in that school asking that they arrange for a wire transfer to cover a fake expense.

Vishing, short for "voice phishing," is a type of social engineering attack conducted over the phone or through voice communication channels. In a vishing attack, scammers use various tactics to manipulate individuals into divulging sensitive information such as personal identification details, account credentials, or financial information.

Here's how vishing typically works:

• Impersonation: The attacker pretends to be someone trustworthy, such as a representative from a bank, government agency, or tech support team. They may use spoofing techniques to manipulate caller ID displays to make it appear as if the call is coming from a legitimate source.

• Urgency or Threats: The attacker creates a sense of urgency or threat to pressure the victim into taking immediate action. They may claim that there is a problem with the victim's account, a suspicious transaction, or a legal issue that requires immediate attention.

• Information Gathering: The attacker engages the victim in conversation and attempts to gather sensitive information by asking for personal details, account numbers, passwords, or verification codes.

• Social Engineering Tactics: The attacker may employ social engineering tactics to establish rapport with the victim and gain their trust. This could involve using persuasive language, providing false assurances, or exploiting emotions such as fear or concern.

• Manipulation: The attacker manipulates the victim into following their instructions, which may involve providing sensitive information, transferring money, or installing malicious software on their device.

Catching a visher, or a perpetrator of vishing (voice phishing), can be challenging but is not impossible. Here are some steps you can take to potentially catch a visher:

• Record the Call: If you receive a suspicious call that you suspect may be a vishing attempt, consider recording the call if it is legal to do so in your jurisdiction. Many smartphones have built-in call recording features, or you can use third-party apps for this purpose. Make sure to check the laws regarding call recording in your area before proceeding.

• Engage with the Caller: While on the call, engage with the caller and ask probing questions to gather information about their identity and the purpose of the call. Be cautious not to provide any personal or sensitive information yourself. The more information you can gather about the caller, the better chance you have of identifying them later.

• Take Note of Caller Details: Pay attention to details about the caller, such as their voice, accent, background noise, and any information they provide about themselves or their organization. Note down any phone numbers, names, or other identifying information they provide.

• Report the Incident: After the call, report the incident to the relevant authorities, such as your local law enforcement agency, the Federal Trade Commission (FTC), or your phone carrier. Provide them with as much detail as possible about the call and any information you gathered about the caller.

• Share Information: Share information about the vishing attempt with your friends, family, and colleagues to raise awareness about the scam and help prevent others from falling victim to similar attacks. You can also share information on social media platforms or online forums dedicated to discussing scams and frauds.

• Cooperate with Authorities: If the authorities decide to investigate the incident further, cooperate with them and provide any additional information or evidence you may have. This may include providing the recorded call, providing witness testimony, or assisting with any other aspects of the investigation.

• Be Proactive in Prevention: Take proactive measures to prevent vishing attempts in the future, such as implementing call screening or blocking features on your phone, educating yourself and others about common vishing tactics, and being cautious when sharing personal information over the phone.

While catching a visher may not always lead to immediate consequences, reporting the incident and providing information to the authorities can help in combating vishing scams and protecting others from falling victim to similar attacks.

To protect yourself from voice phishing (vishing) attacks, consider the following tips:

• Be Skeptical of Unsolicited Calls: Be cautious when receiving unsolicited calls, especially those that request personal or sensitive information. If you receive a call claiming to be from a bank, government agency, or other organization, be wary and verify the caller's identity independently.

• Verify Caller Identity: If the caller claims to be from a legitimate organization, ask for their name, position, and contact information. Hang up and independently verify their identity by calling the organization's official phone number from their website or other trusted sources.

• Never Share Personal Information: Never provide personal information such as Social Security numbers, account numbers, passwords, or verification codes over the phone unless you are certain of the caller's legitimacy. Legitimate organizations typically do not request sensitive information over the phone.

• Don't Trust Caller ID Alone: Caller ID can be spoofed to make it appear as if the call is coming from a trusted source. Do not rely solely on caller ID to determine the authenticity of a call.

• Be Wary of Urgency or Threats: Be suspicious of calls that create a sense of urgency or make threats to pressure you into taking immediate action. Scammers often use fear tactics to manipulate victims into providing information or making hasty decisions.

• Protect Personal Information: Be cautious about sharing personal information on social media or other public platforms, as scammers may use this information to personalize their vishing attacks.

• Use Two-Factor Authentication (2FA): Enable two-factor authentication on your accounts whenever possible. This adds an extra layer of security by requiring a second form of verification, such as a code sent to your mobile device, in addition to your password. Learn about 2FA 

• Educate Yourself and Others: Stay informed about common vishing tactics and educate yourself and others about how to recognize and avoid vishing attacks. Share information and tips with friends, family, and colleagues to help them protect themselves.

• Report Suspicious Calls: If you receive a suspicious call, report it to the appropriate authorities, such as your phone carrier, the Federal Trade Commission (FTC), or your local law enforcement agency. Reporting suspicious calls can help authorities track and prevent vishing scams.

By staying vigilant and following these tips, you can protect yourself from falling victim to voice phishing (vishing) attacks and safeguard your personal and sensitive information.

Recognizing and avoiding phishing attempts, whether they come through emails, texts, or calls, is crucial for protecting your sensitive information. Here are some key strategies for recognizing and avoiding phishing attempts across different communication channels:

Emails:

• Check the sender's email address: Phishing emails often use email addresses that mimic legitimate organizations but have slight variations or misspellings. Always verify the sender's email address before interacting with the email.

• Look for generic greetings or urgent language: Phishing emails often use generic greetings like "Dear Customer" instead of addressing you by name. They may also use urgent language to pressure you into taking immediate action, such as claiming your account will be closed if you don't respond.

• Hover over links before clicking: Hover your mouse cursor over links in emails to preview the URL without clicking. If the link doesn't match the expected website or looks suspicious, do not click on it.

• Watch out for attachments: Be cautious when opening email attachments, especially if they come from unknown or unexpected sources. Malicious attachments can contain malware or viruses that compromise your device's security.

• Verify requests for sensitive information: Legitimate organizations typically don't ask for sensitive information like passwords, Social Security numbers, or financial details via email. If you receive such a request, independently verify it through official channels before responding.

Text Messages:

• Be wary of unknown numbers: If you receive a text message from an unknown number claiming to be from a legitimate organization, be cautious. Phishing texts often contain links or prompts to reply with sensitive information.

• Avoid clicking on links: Just like with phishing emails, avoid clicking on links in text messages from unknown sources. These links may lead to phishing websites designed to steal your information.

• Watch for unusual requests: Phishing texts may contain unusual requests or offers designed to lure you into providing personal information or clicking on malicious links. If something seems too good to be true or out of the ordinary, it's likely a phishing attempt.

• Don't respond to suspicious messages: If you receive a suspicious text message, do not respond or engage with the sender. Simply delete the message and block the number if possible.

Phone Calls:

• Verify the caller's identity: If you receive a phone call requesting sensitive information or making urgent demands, ask for the caller's name and organization. Then, independently verify their identity by contacting the organization through official channels.

• Be cautious with automated messages: Automated phone calls requesting sensitive information or prompting you to press a button to speak with a representative can be phishing attempts. Hang up and contact the organization directly if you're unsure about the call's legitimacy.

• Avoid providing personal information: Never provide personal or sensitive information over the phone unless you initiated the call and are certain of the recipient's identity.

• Trust your instincts: If something feels off about a phone call, trust your instincts and end the call. Legitimate organizations won't pressure you into providing sensitive information or making immediate decisions over the phone.

Overall, staying vigilant and following these best practices can help you recognize and avoid phishing attempts across different communication channels, protecting your sensitive information from falling into the hands of cybercriminals.

Understanding the importance of strong, unique passwords and knowing how to create and manage them securely is crucial for protecting your sensitive information and accounts from unauthorized access. Here are some steps you can take to achieve this:

• Use Complex and Unique Passwords: Create passwords that are complex, including a mix of uppercase and lowercase letters, numbers, and special characters. Avoid using easily guessable information like your name, birthdate, or common words. Additionally, ensure that each of your passwords is unique, meaning you use different passwords for each of your accounts.

• Length Matters: Aim for longer passwords, as they are generally more secure. A passphrase consisting of multiple words or a string of random words can be easier to remember and harder for attackers to crack than a short, complex password.

• Consider Using Password Managers: Password managers are tools designed to securely store and manage your passwords. They can generate strong, unique passwords for each of your accounts and store them in an encrypted vault. You only need to remember one master password to access all your stored passwords. Popular password managers include LastPass, Dashlane, and 1Password.

• Enable Multi-Factor Authentication (MFA): Whenever possible, enable multi-factor authentication for your accounts. MFA adds an extra layer of security by requiring you to provide additional verification, such as a one-time code sent to your mobile device, in addition to your password. This makes it significantly harder for attackers to gain unauthorized access to your accounts even if they obtain your password.

• Regularly Update Your Passwords: Periodically change your passwords, especially for accounts that contain sensitive information or are critical to your online security. This helps mitigate the risk in case your password is compromised in a data breach or through other means.

• Beware of Phishing Attempts: Be cautious of phishing attempts that aim to trick you into revealing your passwords or other sensitive information. Avoid clicking on suspicious links or providing your password in response to unsolicited emails, texts, or calls.

• Secure Your Devices: Ensure that your devices, including computers, smartphones, and tablets, are protected with strong passwords or biometric authentication methods (such as fingerprint or face recognition). This prevents unauthorized access to your devices and the sensitive information stored on them.

• Educate Yourself and Others: Stay informed about the latest security best practices and educate others, such as family members and colleagues, about the importance of strong, unique passwords and how to create and manage them securely.

By following these steps and adopting good password hygiene practices, you can significantly enhance the security of your online accounts and protect your sensitive information from unauthorized access.

Here are some tips for safe browsing and online shopping to avoid malicious websites and scams:

• Use Secure Websites: When shopping online, make sure you're on a secure website before entering any personal or financial information. Look for "https://" at the beginning of the website URL, as well as a padlock icon in the address bar, indicating that the website uses encryption to protect your data.

• Shop from Trusted Sources: Stick to reputable and well-known online retailers and marketplaces. Be cautious when purchasing from unfamiliar websites, especially if they offer deals that seem too good to be true.

• Keep Software Updated: Ensure that your web browser, operating system, and antivirus software are up to date with the latest security patches. This helps protect against known vulnerabilities that could be exploited by malicious websites.

• Use Strong, Unique Passwords: As mentioned earlier, use strong, unique passwords for your online shopping accounts. Avoid using the same password across multiple accounts to prevent a single breach from compromising all of your accounts.

• Beware of Phishing Emails and Links: Be cautious of unsolicited emails or messages that prompt you to click on links or download attachments. These could be phishing attempts designed to trick you into revealing personal or financial information. Avoid clicking on suspicious links and verify the legitimacy of the sender before taking any action.

• Verify Website Authenticity: Before making a purchase, verify the authenticity of the website by checking for reviews, looking up the website's contact information, and confirming that it has a legitimate physical address and customer service channels.

• Use Secure Payment Methods: Whenever possible, use secure payment methods such as credit cards or payment services like PayPal, which offer buyer protection and encryption for transactions. Avoid entering your credit card information on websites that don't use encryption or have suspicious payment processes.

• Be Cautious of Public Wi-Fi: Avoid making online purchases or accessing sensitive information when connected to public Wi-Fi networks, as they may not be secure. If you need to shop online while on the go, use a virtual private network (VPN) to encrypt your internet connection and protect your data.

• Check for Website Security Seals: Look for trust seals and security certifications on websites, such as SSL certificates, PCI compliance badges, or trust seals from reputable organizations. These indicate that the website has implemented security measures to protect your information.

• Monitor Your Accounts: Regularly monitor your bank and credit card statements for any unauthorized transactions. Report any suspicious activity to your financial institution immediately.

By following these tips and staying vigilant while browsing and shopping online, you can reduce the risk of falling victim to malicious websites and scams.

https://staysafeonline.org/

Protecting your privacy and security on social media platforms is crucial in today's digital age. Here are some tips to help you safeguard your information and avoid falling victim to social engineering attacks:

• Review Privacy Settings: Regularly review and adjust the privacy settings on your social media accounts to control who can see your posts, photos, and personal information. Limit the visibility of your profile to only friends or connections you trust.

• Be Cautious with Friend Requests and Connections: Be selective about accepting friend requests or connection requests from people you don't know personally. Scammers may create fake profiles to gather information or perpetrate social engineering attacks.

• Think Before You Share: Be mindful of the information you share on social media. Avoid posting sensitive personal information such as your home address, phone number, financial details, or travel plans. This information can be exploited by cybercriminals or used in social engineering attacks.

• Beware of Phishing Attempts: Be cautious of messages or emails on social media platforms that ask for personal information or prompt you to click on suspicious links. These could be phishing attempts aimed at stealing your login credentials or spreading malware. Verify the authenticity of the sender before responding or clicking on any links.

• Enable Two-Factor Authentication (2FA): Enable two-factor authentication on your social media accounts whenever possible. This adds an extra layer of security by requiring a second form of verification, such as a code sent to your mobile device, in addition to your password.

• Use Strong, Unique Passwords: Use strong, unique passwords for your social media accounts to prevent unauthorized access. Avoid using easily guessable passwords or reusing passwords across multiple accounts.

• Be Skeptical of Requests for Personal Information: Be cautious of requests for personal information, such as your birthday, email address, or phone number, from unknown individuals on social media. Scammers may use this information to impersonate you or attempt identity theft.

• Educate Yourself about Social Engineering Tactics: Familiarize yourself with common social engineering tactics used by scammers, such as pretexting, phishing, and impersonation. Stay informed about the latest scams and techniques used by cybercriminals to manipulate individuals into revealing sensitive information.

• Report Suspicious Activity: If you encounter suspicious activity or believe you've been targeted by a social engineering attack on social media, report it to the platform's support or security team immediately. They can investigate the issue and take appropriate action to protect your account and other users.

• Stay Informed and Updated: Stay informed about the latest privacy and security features offered by social media platforms. Regularly update your apps and devices to ensure you have the latest security patches and protections.

By following these tips and staying vigilant while using social media platforms, you can protect your privacy and security and reduce the risk of falling victim to social engineering attacks.

Protecting personal and business data from loss or theft is essential, and employing data encryption, secure file storage, and backup practices are critical components of a robust data protection strategy. Here's an overview of each:

• Data Encryption:

  • What is Encryption?: Encryption is the process of encoding information in such a way that only authorized parties can access it. It involves using mathematical algorithms to convert plaintext data into ciphertext, which can only be decrypted with the correct decryption key.

  • Types of Encryption: There are two main types of encryption:

    • Symmetric Encryption: In symmetric encryption, the same key is used for both encryption and decryption. Examples include AES (Advanced Encryption Standard) and DES (Data Encryption Standard).

    • Asymmetric Encryption: Asymmetric encryption uses a pair of keys - a public key for encryption and a private key for decryption. Examples include RSA (Rivest-Shamir-Adleman) and ECC (Elliptic Curve Cryptography).

  • Uses of Encryption: Encryption is used to protect data in transit (e.g., emails, online transactions) and data at rest (e.g., stored files, databases). It helps safeguard sensitive information from unauthorized access, interception, or theft.

• Secure File Storage:

  • Cloud Storage: Utilize reputable cloud storage services that offer robust security features such as encryption at rest and in transit, multi-factor authentication, and granular access controls. Examples include Google Drive, Dropbox, and Microsoft OneDrive.

  • Local Storage: If storing files locally, encrypt sensitive data using encryption software or built-in operating system encryption features (e.g., BitLocker for Windows, FileVault for macOS).

  • Network-Attached Storage (NAS): Implement NAS devices with built-in security features and access controls to securely store and share files within your network.

• Backup Practices:

  • Regular Backups: Establish a regular backup schedule for both personal and business data to ensure continuity in case of data loss or hardware failure.

  • Multiple Backup Copies: Maintain multiple backup copies stored in different locations (e.g., on-premises, off-site, cloud) to mitigate the risk of data loss due to a single point of failure.

  • Encryption of Backup Data: Encrypt backup data to protect it from unauthorized access during storage and transmission. Many backup solutions offer built-in encryption features.

  • Test Backups: Regularly test backup restoration processes to verify the integrity and accessibility of backup data. This helps ensure that data can be recovered successfully when needed.

By implementing data encryption, secure file storage practices, and robust backup strategies, individuals and businesses can significantly reduce the risk of data loss or theft and safeguard their valuable information.