Firefly News: "Spear phishing": A case in point

The media continues to publish accounts of stolen identities, credit cards, bank accounts and even paychecks. Rarely does a week go by without a new revelation of cyber-crime. While the headline stories focus on millions of compromised credentials taken from corporate information systems, the common factor in most of these crimes is identity theft: someone else using your credentials to act as you.

A thief with a system administrator’s ID and password has the keys to that kingdom. A thief with YOUR credentials has the same keys to your life. Your paycheck, your email, your grades, your credit rating. The single most effective weapon you have to protect yourself is COMMON SENSE.

A story to illustrate the point: At a peer institution, several hundred targeted employees received a credible, 'pixel-perfect' email that appeared to come from the University, telling them that their account had been compromised and asking them to click a link to change their password. Thirty-three faculty members clicked on the link and followed the instructions, handing their login credentials to the attackers. Come payday a few days later, 13 of those 33 (the highest paid in the group) found their customary payroll deposit missing. Investigation revealed that the stolen logon credentials had been used to change those individuals' direct-deposit bank accounts and divert their pay into intermediate money-laundering accounts.

The University in question had a control in place: employees were notified by email whenever their bank account details changed. But that notification went to the very account the stolen credentials unlocked, so the perpetrators simply logged into the victims' email and deleted it. A confirmation sent to a channel the password does not open (a telephone number already on file, for example), or a waiting period before a newly entered account receives a deposit, would not have been so easy to erase. As if this weren't brazen enough, another nearly perfect follow-up email was sent to reassure the victims that the situation was being taken care of. Wow!

Please do not click on or respond to any message that asks for credentials or personal information. University systems will never ask for individual login, password or other personal information via email.

The root cause of all this? Falling for the initial spear-phishing email. "Spear" means the attempt is aimed at a specific population, in this case faculty members, rather than sprayed at random. While your administrative system custodians and security officers strive to protect us from ourselves, the strongest link in the security chain should be YOU.

If you are in doubt, assume a contact is fraudulent. If the subject appears important enough for further attention, validate it by other means: call the Help Desk at the number below, or type the University's web address into your browser yourself instead of following a link in the message.
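As an added illustration of why a 'pixel-perfect' message is not evidence of legitimacy, the following Python script (example code written for this article, not from the newsletter or the University) pulls every link out of a constructed sample message in the style described above and compares where the visible text says the link goes with where the href actually points. The trusted domain, the sample message and every hostname in it are assumptions made for the example.

```python
"""Compare where an email link says it goes with where it actually points.

Added example for this article, not code from the newsletter or from the
University. The trusted domain, the sample message and every hostname in it
are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the reader would accept as "the University". Assumption for the example.
TRUSTED_DOMAINS = {"nebraska.edu"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so "click\n here" reads as "click here".
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname, e.g. 'its.nebraska.edu' -> 'nebraska.edu'.

    A deliberately simple heuristic (no public-suffix list); it is enough to
    expose the common trick of putting the real name *in front of* an
    attacker-controlled domain, as in 'nebraska.edu.account-verify.example'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_in_text(text):
    """Return the hostname if the visible link text is itself a URL or hostname."""
    candidate = text.strip()
    if not candidate or " " in candidate or "." not in candidate:
        return None
    if "://" not in candidate:
        candidate = "//" + candidate  # let urlparse treat it as a network location
    return urlparse(candidate).hostname


def classify_link(href, text):
    """'mismatch' if the shown host differs from the real one, 'untrusted' if the
    real host is outside TRUSTED_DOMAINS, otherwise 'ok'."""
    actual = registrable_domain(urlparse(href).hostname or "")
    shown = host_in_text(text)
    if shown and registrable_domain(shown) != actual:
        return "mismatch"
    if actual not in TRUSTED_DOMAINS:
        return "untrusted"
    return "ok"


def audit(html):
    """Return [(href, visible text, verdict)] for every link in the message."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text, classify_link(href, text)) for href, text in parser.links]


# Constructed sample in the style of the message described in the article.
SAMPLE_EMAIL = """
<p>Your account has been compromised. Please
<a href="http://nebraska.edu.account-verify.example/login">click here</a>
to change your password, or go to
<a href="https://login.example.net/reset">https://www.nebraska.edu/reset</a>.
Questions? See the <a href="https://its.nebraska.edu/security">ITS security page</a>.</p>
"""

if __name__ == "__main__":
    for href, text, verdict in audit(SAMPLE_EMAIL):
        print(f"{verdict:9} shown as {text!r:40} -> {href}")
```

Run against the sample, the first link is reported as untrusted: the University's name appears in the address, but only as a prefix to a domain someone else controls. The second is a mismatch: the text displays a University URL while the link leads elsewhere. Hovering over a link in most mail clients reveals the same destination the script prints; if what you see and where it goes disagree, treat the message as fraudulent.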

Many phishing emails are blocked at our email gateways, but some inevitably get through. If you have reason to believe that you may have been victimized, contact your campus Help Desk or Information Security Office immediately.

Let us know if you have any questions: servicedesk@nebraska.edu | 472-7373 | 877-472-7694

This article has been approved for distribution by Marc Chauche, Assistant Vice Chancellor-Financial Services.