Advice for Safe Holidays from Information Technology Services

We’ve all heard about—and many of us have been affected by—numerous big data breaches. From the Department of Homeland Security to the Democratic National Committee to Verizon, Dropbox, the University of California, and many others, more than two billion records were stolen in 2016 alone—and the year isn’t over yet. Nearly all major exposures are traced back to successful phishing attacks.

We should be especially vigilant this time of year. The holidays are typically an active time for cybercriminals. They will use the events of the holiday season to send phishing emails that appear to be from trusted sources, but are not. They will try to get you to click on a link that leads to a familiar-looking but dangerous web page that they have created to steal your University or personal log-in credentials, or to install a virus or malware on your computer or hand-held device.

Do not fall for these phishing messages! Their primary purpose is to do bad things to you and your devices.

Remember these tips to protect yourself from phishing attacks:

• Be especially suspicious of emails that arrive the day of, before or after a holiday. Scammers count on these days of low work attendance to avoid detection and to catch you with your guard down.
• Be suspicious of any email from senders you do not know, or that seems out of character for the sender. Verify that the sender is actually who they appear to be before clicking on any links.
• Verify the URL of any link before you click it. Do this by hovering your cursor over the link and examining the URL. If you do not recognize the URL, do not click it.
• Never open attachments you are not expecting unless they are from someone you know.
• Delete any suspicious emails, before opening them if possible.
• Do not enter your username and password (especially your SU NetID) to access any website if you are not 100 percent sure of its validity. In particular, you should be suspicious of email messages that have links to sites that ask you to use your SU NetID and password to log in.
• Remember that nobody at SU will ever ask for your NetID or password for any reason, in any form other than when you are logging into an SU system. Whenever a link in an email leads to a page that looks like a University system (e.g., MySlice, Blackboard), do not log in. Open a new browser window, manually enter the URL of the system in the address window (do not copy the link from the email), and then log in.
• Similarly, nobody working for or representing a University office should call you asking for personal information. If you get such a phone call, ask for an on-campus call back number to verify, and then call them back. All on-campus numbers will start with “315.443-“ or “315.442-“.
• It is highly recommended you do not use your University account credentials (NetID, NetID password, University email addresses) for nonUniversity accounts. A breach of one of those nonUniversity accounts could allow the perpetrators to gain access to sensitive University information. Use a unique password for each of your accounts.
• If somebody does ask for your NetID or password, they are not representing the University or any of its offices. Report any occurrences to itsecurity@listserv.syr.edu or your local IT staff.

If you need more information or assistance with verifying any email messages, please do not hesitate to contact your local IT support team (if you are SU faculty or staff), or the ITS Service Center (if you are a student) at 315.443.2677 or help@syr.edu.

To receive timely notification from ITS of current information security threats follow @SecureCuse and @SU_ITS on Twitter.