Spring 2016 Quarterly Information Security Reminder

NU Logo

 

 

 

Dear Members of the Northeastern Community,

This edition includes some quick recommendations for securing your personal information while on and off campus, along with reminders about your responsibilities around protecting sensitive university and student information.

Spring 2016 Information Security Tips:

Spring Forward

Daylight Savings Time begins at 2 a.m., Sunday March 13, 2016. Remember to set your clocks forward one hour. And while most computer and electronic systems will automatically make the change, it is always a good idea to verify that it has occurred correctly to ensure proper functionality.

Are you Truly Ready for Tax Season Scams?

Tax season is upon us, and government and law enforcement entities have reported an uptick in the number, and sophistication of tax fraud schemes targeting the public. Did you know that the IRS reported a 400% increase in the number of false tax refund claims in just the past few months? One way to keep this from happening to you is to ensure that you protect your personal information, and to use only reputable and certified tax preparers. Your fees for tax preparation should never be tied to the amount of your refund. All tax preparers will also have a preparer tax identification number (PTIN), which can be checked at http://www.ptindirectory.com/. Also keep in mind that the IRS will never contact you by telephone if there are issues with your returns, or if they need information. They will always send information by U.S. mail, and only by email if you have requested and provided them with an address. Do not respond to any contact that is threatening or attempts alarm you (threatening audits etc). Always contact the IRS through their official website (www.irs.gov) or call for telephone assistance.

 Appropriate Use

All users of Northeastern University computer resources are required to read and abide by the Appropriate Use Policy. This year’s policy has been updated to include changes in wireless coverage on campus. Be on the lookout for the new format in upcoming publications of the Student Handbook, as well as on Information Technology Services web pages.

Hold Your Password Close

Northeastern University WILL NEVER ASK FOR YOUR PASSWORD.  Any email you receive claiming to need your login and password is spurious and should be deleted without replying. If you have given a Northeastern password to another person, change the relevant password immediately. Each of us at the university is held responsible for all activity conducted under our user ID and password.

A Statement of Privacy

Did you know that the university has created a new Privacy Statement? The statement replaces the old myNeu Privacy Policy and the link can be found in the footer of the Northeastern main webpage. This statement details the ways Northeastern collects and uses information it collects as you interact with its online systems. This will be adopted by all web resources which represent the university and should been seen as the authoritative source.

Protection of Sensitive Information / Regulatory Compliance:

Social Security Numbers, dates of birth, grades, non-public personal financial information, protected health information, and other similar types of sensitive information are to be protected at all times from unauthorized disclosure and/or use, consistent with applicable University policies and/or applicable Federal laws, including the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act  (HIPAA), the Financial Services Modernization Act (also known as Gramm-Leach-Bliley), the CAN-SPAM Act of 2003, and Massachusetts Data Security Regulation MA201 CMR17.00. Personal information of members of the Northeastern community, including but not limited to students, faculty and staff, may not be posted or maintained on public networks or sites, unless the user fully complies with applicable laws and regulations governing handling of personal information.

Compliance with Copyright Law and Software Licensing Agreements:
All members of the community are required to comply with copyright law and software licensing agreements. In addition, all software installed on University-owned devices shall be the product of legal copies, and shall be properly licensed at all times. University resources shall not be used to offer, exchange or store copyrighted materials nor the indexes pointing to such materials, unless the use is in compliance with copyright law or other applicable regulation. All use of file-sharing technologies shall be in strict compliance with University policy and copyright law.

Responsibilities under Regulation:

Our responsibilities under regulation includes, among other reasonable steps, that we refrain from displaying or listing sensitive information in public venues such as hallway bulletin boards, office doors, globally shared computer files, and publicly-accessible web sites, that we observe privacy practices, and that we use appropriate safeguards to protect sensitive information and information-bearing devices from unauthorized access, alteration, theft or loss. These responsibilities include taking appropriate steps to ensure confidential/sensitive paperwork is properly discarded, that mobile devices are appropriately protected from loss or theft, and that computer disk drives and information storage devices are properly processed to remove sensitive information prior to reallocation or disposal.

Consequences Arising from Unauthorized Disclosure or Loss of Sensitive Information:

The potential consequences of unauthorized disclosure or loss of sensitive information may include for the individual, loss of privacy, identity theft, financial loss, erosion of customer confidence, and for the University, damage to reputation, civil penalties, and regulatory sanction. By recognizing the value in protecting sensitive information, the University is better positioned to avoid these consequences, maintain customer trust, and enjoy a reputation more demonstrative of the University comment to excellence and distinction, and other goals to which the University aspires.

Requirement to Read and Comply with the Appropriate Use Policy (AUP):

The Appropriate Use Policy describes policies for use of all computers, networks and telecommunications facilities at the University. All members of the University community are required to read and comply with the AUP, which can be read at www.Northeastern.edu/aup. Use of University computer/telecommunication networks and/or computers, implies agreement with the terms of the Appropriate Use Policy.

Shared Responsibility

Security is a shared responsibility. Do your part to help promote a safer and more secure computing environment by observing and supporting secure practices in your academic or business unit. If assistance is required, please contact OIS@neu.edu

Posted in Uncategorized | Comments closed

Don’t Get Sucked in by Tax Scams

Don’t Get Sucked in by Tax Scams

Each year the looming deadlines of the U.S. tax season heralds a new spate of tax fraud scams, and this year is no different. Fraudsters like to take advantage of your stress and heightened emotions to trick you into taking actions, which under normal situations, you would not normally take.

  • Phone Scams – These have become increasingly aggressive over the past years. Callers will claim that there may be a pending audit and that only a credit card payment can stop the process, or that there is a pending refund and an account number is needed to deposit the funds.
  • Email Scams – These emails range from purporting to be the IRS, tax preparers, electronic W2 providers, banks or state tax authorities. They will often request information including Social Security Numbers and financial data.
  • Mail Fraud – While the majority of people now receive their tax refunds electronically through direct deposit, if you still receive a refund check through the mail you are vulnerable to mail fraud. Scammers know that IRS payments are sent in batches and will often dip into mailboxes looking for tell-tale IRS envelopes.
  • Identity Theft – If your identity details have already been stolen fraudsters may leverage this information during tax season. The IRS has seen a huge increase in false IRS claims over the past few years, where the perpetrators file for a refund under your identity.
  • Tax Preparer Fraud – Ensure that you only use a licensed tax preparer service. A licensed preparer will have a specific credentialed ID number that you can verify. Beware of services offering ‘free’ services or services where their fee is based on the amount of your refund

Many of the precautions for these scenarios are the same ones that Northeastern’s Office of Information Security advocate all year long:

  • Watch for language in emails that is inflammatory, and tries to urge you into action to avoid “dire” consequences.
  • Use the “hover for cover” technique – float your mouse cursor over the link to reveal the URL and see where you are going to be taken.
  • Only access your accounts through their main site link. If you use an online tax preparation service, use that main page link to connect. There are scams now which will send emails which will direct you to legitimate sites, but your internet traffic passes through the fraudster’s systems, capturing all your information as it goes to the legitimate site.
  • Electronic W2s – If you receive your W2 in an electronic format only download them on a private computer on a network that you know is secure, i.e. your home network. Remember that when you download this form an electronic copy may be cached on the computer and discoverable by someone else who has access to that machine.
  • Beware of attachments – Take extra caution when opening email attachments from strangers (pdf, doc) containing “tax documents” as they may include malware.

If you believe you are a victim of tax fraud, please reach out to the IRS for assistance:

How to Report Suspected Tax Fraud Activity
FTC Identity Theft Assistance

Posted in Uncategorized | Comments closed

Phishing in the New Year

Follow us on Twitter @securenu for the latest security bulletins and alerts.

Its 2016 and criminals have not stopped trolling the waters for usernames and passwords. Today the following phishing message was sent to members of the Northeastern community. If you have clicked on the link in the email and entered your myNEU username and password please contact the Service Desk (x4357) immediately. Please delete this message from your inbox.

phish

Follow us on Twitter @securenu for the latest security bulletins and alerts.

Posted in Malware, Anti-Virus, Phishing, Scams | Comments closed

Phish Tank Contest – DAY 5

From: ITS Service Desk <northeastern@service-now.com>
Sent: Friday, October 30, 2015   2:55 PM
To: OIS@neu.edu
Subject: We have received your Northeastern myHelp incident INC0129989

Hi OIS,

We have received your request for assistance. You should hear back from us within one business day. Should you need help sooner, please call the Information Technology Services Customer Service Desk at: 617-373-4357.

Your request was assigned a ticket number of INC0129989 with a description of “Phishing e-mail”. The details of your request are available at the following link: LINK

Thank you,

Information Technology Services
Customer Services

helpKnowledge Base — 24×7 Answers to your Northeastern Technology Questions.

 

lockNortheastern University will never request details of your password or account by email at any time. 

Email Notification: Incident Opened

Ref:MSG3136961

Posted in Cyber Security Awareness Month, Malware, Anti-Virus, Phishing, Scams | Comments closed

Phish Tank Contest – DAY 4

From: Internal Revenue Service [mailto: info@IRS.com]
Sent: Thursday, October 29, 2015   1:54 PM
To: OIS@neu.edu
Subject: Tax Notification: Information on your Refund

irs

May 12, 1015
Reference: IKH98348HP

Dear Taxpayer,

We’ve identified an error in the calculation your tax refund amounting to $518.95.
In order for us to expedite the return of the excess payment, please create an e-Refund account.
Please click the link below to begin.

Get Started

Sincerely,
Internal Revenue Service

Posted in Cyber Security Awareness Month, Malware, Anti-Virus, Phishing, Scams | Comments closed

Phish Tank Contest – DAY 3

From: Bank of America [mailto: bnkofmerica@customersupport.org]
Sent: Wednesday, October 28, 2015   3:34 PM
To: OIS@neu.edu
Subject: Personalized Options Available with Bank of America

Untitled-3

We have payment options to help you get back on track.

Your account ending in 1234 is currently one payment(s) past due.
We understand that unexpected circumstances cangirloncomp
cause financial difficulty and we may have options to
help make your future payments more manageable.
If you already made your payment,
thank you. If you haven’t made your payment,
please see the variety of convenient options
available to you:

  • Pay over the phone by calling us toll-free
    at 888.554.6000, 24 hours a day, seven days a week.
  • Make your payment online or view your account details by visiting us here
  • Enroll in our Automatic Payment Center by visiting us here
    Since it can take up to two statement cycles for automatic
    payments to take effect, it’s important to make any
    payments that are due in the interim, as you normally
    would until you see Auto Pay Active appear on your
    statement. Once automatic payments have been activated,
    you will see Auto Pay Active in the “Important Messages”
    section located just below your statement transactions.
    If you aren’t able to go online, please call us at the number
    listed below and we will be happy to mail you an
    enrollment form.
  • Mail your payment to Bank of America, PO Box 15019,
    Wilmington, DE 19850-5019. Please be sure to write your
    account number on the front of your check or money order.
    To avoid possible postal delays, we suggest mailing your
    payment several business days before the payment due date.

If you’re unable to make your regular payment, Bank of
America may be able to provide you with options to assist in
repaying the debt. By contacting us today, we may be able to work
out a short or long-term solution that meets your financial needs.
These solutions may provide a lower monthly payment.

Please call us toll-free at 1.888.554.6000. Our associates are
available Monday through Thursday, 8 a.m. to Midnight,
Friday, 8 a.m. to 11 p.m., Saturday, 8 a.m. to 7 p.m., and
Sunday, Noon to 9 p.m. Eastern
.

If prompted when calling, please use this unique priority code 80103
to access your account.

Sincerely,

Bank of America

 

 

Posted in Cyber Security Awareness Month, Malware, Anti-Virus, Phishing, Scams | Comments closed

Phish Tank Contest – DAY 2

From: PayPal@smtp.domain.net
Sent: Tuesday, October 27, 2015   9:30 AM
To: OIS@neu.edu
Subject: PayPay ® Account Review Department
pp

Dear PayPal® Customer,

We recently reviewed your account, and we suspect an unauthorized transaction on your account.

Protecting your account is our primary concern. As a preventative measure, we have temporarily limited your access to sensitive information.

To ensure your account is not compromised, simply click the Resolution Center link to confirm your identity.

  • Login with your Paypal username and password
  • Confirm your account information and credit card number

Please confirm account by accessing the Resolution Center and
complete the “Steps to Remove Limitations”

*Please do not reply to this message. Mail sent to this address cannot be answered

Copyright © 1999-2015 PayPal. All rights reserved.

 

Posted in Cyber Security Awareness Month, Malware, Anti-Virus, Phishing, Scams | Comments closed

PHISH TANK CONTEST – DAY 1

From: Blackboard Learning ITS [mailto: fakeblackboardneu@gmail.com]
Sent: Monday, October 26, 2015   10:18 AM
To: OIS@neu.edu
Subject: (Blackboard Learning) You have two important messages from Faculty.

bb
Dear Student:

Your Faculty Administrator has left two importint message’s for you on your Blackboard Learning Area.

Click or paste the follow URL to view your message’s.

www.neu.blackboard.edu/inbox

Note: the URL will expire in 10 minutes

Blackboard Learning ITS.

Posted in Cyber Security Awareness Month, Malware, Anti-Virus, Phishing, Scams | Comments closed