DoIT Alerts


Tips to Combat Financial Scams

Hello UMBC Community!

The Cybersecurity Assurance and Digital Trust Department in the Division of Information Technology has some tips for you to stay safe from financial scams that have recently taken place.

Attackers send phishing emails to trick unsuspecting victims into providing their user ID, password, and multifactor codes. Often, these phishing lures contain a link that redirects the user to a login page.

DoIT has observed cases where the attackers are mirroring legitimate login screens to capture credentials and multifactor authentication (MFA) codes in real time. The only indicator that something is amiss is the URL in the address bar.

Follow these general tips to safeguard your financial data and funds:

  1. Use Strong & Unique Passwords: Never reuse your UMBC password on other platforms — including financial services such as BankMobile. Create unique passwords for each separate account.
  2. Periodically Verify Your Personal Information: Log in to your accounts and make sure all your information, such as linked financial accounts, billing address, phone number, and email addresses, is correct.
  3. Check the Link: Look over URLs and ensure you are accessing a trusted service. If you see a login page but the URL does not look legitimate, do not provide your password or MFA codes. It is best practice to bookmark trusted services to navigate to them directly.
  4. Don't Give Away Your Secrets: UMBC and your financial institutions will never call, email, or text you to ask for your password or MFA codes.

If you give someone your password and MFA codes, you are handing them the keys to your account. This could result in financial loss or unauthorized activity for which you may be held responsible.

If you see something, say something! Report all phishing emails to security@umbc.edu.

 

Stay smart, stay safe!

Posted: October 22, 2025, 2:20 PM

Don't Take the Bait! How to Spot a Phishing Scam

Cybersecurity Awareness Month

Hello UMBC Community,

In the digital world, phishing is one of the most common forms of cyber trickery: attackers impersonate trusted sources to deceive you into handing over credentials or personal information. These attacks come in various forms, and learning about them will help you avoid falling victim to them.

Phishing attacks are emails that may look like important messages but are actually crafted by cyber criminals. The good news? With the right knowledge, you can foil their tricks and keep yourself and UMBC safe. These are some tips on how you can recognize phishing emails:

  1. Requests for Your Password: UMBC will never ask for your password. Never submit your password on Google Forms or Monday.com forms. Your password is for your eyes only!

  2. Unexpected Calendar Invitations: Watch out for calendar invites from unknown senders. Delete them and never click suspicious links inside.

  3. Fraudulent Offers: Be wary of unsolicited offers for gift cards or jobs that are too promising. Do not send your personal or financial information to anyone who requests it over email or text. Real job postings are on Handshake only!

  4. Unexpected Attachments or Links: Did someone send you a weird file or link you weren't expecting? Is a link in an email suspiciously short or strange-looking? If it feels off, don't click or download it.

  5. A Sense of Urgency: Phishing emails often try to rush you into action, like claiming your account will be "deactivated" if you don't click a link immediately. Always be suspicious of urgent, high-pressure requests.

  6. Poor Grammar and Spelling: While not always a giveaway, many phishing emails contain noticeable spelling errors or awkward phrasing.

What to do if you get a suspicious email:

If you suspect an email is a phishing attempt, do not reply, click any links, or open any attachments. Instead, forward the email immediately to the security team at security@umbc.edu. Your report helps protect everyone!

Stay vigilant, and together we can keep our digital environment safe.


Posted: October 8, 2025, 1:55 PM


Cybersecurity Awareness Month: Avoid Phishing Attacks

Protect data by recognizing & reporting phishing attempts

Phishing

Phishing is the use of deception to acquire passwords, credit card numbers, or other sensitive information from a user. Phishing arrives through many channels, including SMS messages (smishing), voice calls (vishing), and email, which is the most common. Within emails, users should be wary of malicious URLs or attachments.

Phishers typically pose as a trusted entity, such as a system administrator or service provider, in order to scam their victims. Often, these messages will ask the user to communicate through some other means; for example, a message may request that a victim send an SMS message to a specific number or reply using a personal email address. These messages will also imply some sense of urgency for the request, leading an unsuspecting victim to react quickly without first asking themselves whether or not the message is legitimate.


Recent examples of phishing scams at UMBC:

  • Fake job offers
  • Google Forms requesting usernames and passwords
  • Gift card scam




To spot phishing emails, look out for the following:


❌ Unexpected messages making unexpected requests

Does this email or direct message come from an unfamiliar sender who claims to know you, or a friend who you have not spoken to in a long time? Does the list of recipients contain people you don’t know or talk to? This is particularly true if the message asks for money or personal information.


❌ An urgent tone

If the sender says you must act now and uses fancy jargon or other intimidating language, ask yourself why.


❌ An offer that’s “too good to be true”

It probably is, especially if important information like an employer’s address or a product’s shipping information is nowhere to be found.


❌ Phishy Links and Email Addresses

Hyperlinks and sender email addresses may appear to correspond to known domains and people, but something, sometimes a single letter, has been changed. Spotting this may require close examination; look for misspellings, dashes, or other deviations from what seems to be a legitimate domain.


❌ Valid name, but strange domain in email address

For example, UMBCPayroll@gmail .com, umbcpresident@yahoo .com, or financialaid413@hotmail .com


❌ An email requests your password, your credit card number, or other sensitive information

Email is never secure for sharing this type of information, and most trusted services should already have it. On sites that ask you to provide personal information like your credit card, look for “https” in the address bar to ensure the site is secure. UMBC will never request your password in an email.


❌ Request for a cell phone number

In many recent phishing messages, the hacker requests that you send them your cell phone number so that they can ask you a question. Why would a legitimate person needing assistance not just ask you the question in the email message, rather than asking for your phone number?


❌ A prompt to open an attachment or follow a link

Critically examine any email with an attachment, especially an unexpected one. If the link prompts you to “Sign In” to an account, be extra suspicious. Do not “Enable Macros” or allow similar permissions for attachments you do not trust.


❌ The time zone/send time of the message is unusual

For example, why would a member of the University community be sending a message with a time zone that is appropriate for Eastern Europe? Is it suspicious for a UMBC community member to send an email message at 3 am?


❌ Something “off”

Phishing emails often have an impersonal, awkward, unprofessional, or out-of-character tone. Many - but not all - phishing emails contain conspicuous typos, bizarre capitalization, strange grammar, or numbers used in place of letters.
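
The "Check the Link", "Phishy Links and Email Addresses" and "Valid name, but strange domain" checks above can be automated as a first-pass triage on a sender address or URL. The following is an added example, not DoIT's own tooling; the trusted and free-mail domain lists, the function names and the one-character threshold are assumptions, and the sample inputs are constructed apart from the two addresses quoted from the page.

```python
from urllib.parse import urlsplit

# Assumptions for this example, not an official UMBC allow-list.
TRUSTED = ("umbc.edu",)
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}


def host_of(value):
    """Lower-cased host of an email address or URL."""
    value = value.strip().replace(" ", "")  # the page writes "gmail .com"
    if "://" in value or "@" not in value:
        url = value if "://" in value else "//" + value
        return (urlsplit(url).hostname or "").rstrip(".")
    return value.rsplit("@", 1)[1].lower().rstrip(".")


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(value):
    """Return 'trusted', 'freemail', 'lookalike' or 'external'."""
    host = host_of(value)
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return "trusted"
    if host in FREEMAIL:
        return "freemail"  # plausible name, but not an institutional domain
    last_two = ".".join(host.split(".")[-2:])  # rough registrable domain
    for t in TRUSTED:
        name = t.split(".")[0]
        if name in host or edit_distance(last_two, t) <= 1:
            return "lookalike"  # trusted name embedded, or one character off
    return "external"


if __name__ == "__main__":
    # Constructed samples; the first two addresses are quoted from the page.
    for s in ("UMBCPayroll@gmail .com", "financialaid413@hotmail .com",
              "payroll@umbbc.edu", "https://umbc.edu.login.example/sso",
              "https://sub.umbc.edu/login", "security@umbc.edu"):
        print(f"{classify(s):10} {s}")
```

With a name as short as "umbc", an unrelated real domain that happens to be one character away is also reported as a lookalike, so treat that result as a prompt for closer inspection. A "trusted" result for a sender only means the domain string matches; the visible From address can be forged.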


Report

If you have any questions about whether or not the mail you've gotten is legitimate, please contact the DoIT Security Department at security@umbc.edu.


Posted: October 7, 2024, 2:11 PM