Data Privacy and Security

Cybersecurity and Valentine’s Day: A Heartfelt Lesson


Once upon a time, in the bustling city of Clarksville, lived a young woman named Maya.  With Valentine’s Day just around the corner, she wanted to surprise her partner, Alex, with a special gift. She decided to buy an exquisite piece of jewelry from an online store she had discovered through a social media ad. 

Excited, Maya clicked on the link and landed on a beautifully designed website offering a wide array of dazzling jewelry. The prices were unbeatable! Without a second thought, she filled her cart and clicked the checkout button. However, just as she was about to enter her payment details, a little voice in her head reminded her of the cybersecurity tips she’d learned at work.  

“Always verify the authenticity of an online store before making a purchase,” she recalled. Maya decided to take a moment to do some quick research. She checked for reviews of the website, searched for its name on scam alert forums, and even looked for a secure connection indicated by “https” and a padlock icon on the website’s address. 

To her surprise, she discovered that the site had been flagged by multiple users as a scam. Many had reported losing their money and never receiving the items they ordered.  

Determined to find a safe and reliable source for her Valentine’s gift, Maya turned to a well-known online retailer with a solid reputation. This time, she verified all the necessary details, ensuring that the site had a secure connection and excellent customer reviews. She found the perfect piece of jewelry for Alex and completed her purchase with confidence. 

On Valentine’s Day, Maya presented Alex with the beautiful gift, and they both celebrated their love and the smart decision Maya had made. Maya’s caution and vigilance had saved her from a potential cyber disaster. 

A few days later, Maya shared her experience with her friends at a coffee shop. They were astonished at how close she had come to being scammed and praised her for her prudence. Maya explained how easy it was to be lured by attractive deals and how crucial it was to verify the legitimacy of websites before entering personal and payment information. 

Her friends listened intently, and one of them, Jasmine, shared a similar story about how she had almost fallen for a phishing email that claimed she had won a free vacation. The email had looked so convincing, but Jasmine had remembered to check the sender’s email address and the legitimacy of the offer, which saved her from potential identity theft. 

The moral of the story? Always stay vigilant and do your research before making online purchases, especially when buying something special for your loved ones. By following simple cybersecurity practices, you can ensure a safe and happy Valentine’s Day. 

Merry MFA: A Fictional Tale of Cybersecurity


Once upon a time, in the bustling city of Clarksville, the holiday season was in full swing. The streets were adorned with twinkling lights, storefronts showcased festive displays, and the air was filled with the scent of freshly baked cookies. Amidst the holiday cheer, a student named Anita was eagerly preparing to travel to visit her family for the holidays. 

Anita studied information technology and was well-versed in the importance of cybersecurity. However, with the excitement of the upcoming trip and the stress of studying for final exams, she had neglected to check up on the safety of her accounts—until she received an email from her bank regarding a large transaction she didn’t remember making. 

Panicked, Anita immediately logged into her account and saw that someone had tried to access it from a foreign location. The bank’s security measures had fortunately prevented unauthorized access. Realizing the potential danger, Anita knew she needed to take immediate action to protect her hard-earned money—and her identity! 

Anita decided to set up MFA on all her important online services. After securing her bank account, she set up an authenticator app for her university account, ensuring that any login attempts required a code generated by an app on her smartphone. 

As Anita worked through her accounts, she couldn’t help but feel a sense of relief. With MFA in place, she knew that even if someone managed to steal her passwords, they would still need her phone to access her information. The extra layer of protection gave her peace of mind, allowing her to focus on the joy of the holiday season. 

Little did Anita know that on the other side of Clarksville, a notorious hacker named Max was plotting his next big score. Max had spent years perfecting his craft, targeting individuals and businesses during peak times when they were most vulnerable. The holiday season was his favorite time of year, as people were often distracted and less vigilant about their online security. 

Max had stumbled upon Anita’s email address in a data breach and decided to try his luck. He attempted to log into her university email so he could reset her banking password, but each time he was met with a request for a verification code. Frustrated, Max realized that Anita had implemented MFA, making it nearly impossible for him to gain access. He moved on to other, less secure targets. Anita, on the other hand, enjoyed a wonderful holiday season with her family, free from the worry of cyber threats. Anita’s halted holiday hoax had taught her a valuable lesson: in a world where cyber threats are ever-present, taking the time to set up Multi-Factor Authentication is a crucial step in protecting one’s digital life. 

To make sure your accounts are safe and secure this holiday season: 

  • Set up Microsoft Authenticator for your Clark account, especially if you will be traveling internationally. Click here for instructions.
  • Review the security information and authentication factors associated with your account. Click here to learn more. 
  • Keep your passwords safe in a password manager like LastPass.
  • Do not share your passwords with anyone, including ITS.

The Phishing Phantom: A Spooky Story About the Importance of Cybersecurity 

AI image generated using Adobe Firefly

Emma sat at her desk, the soft glow of her computer screen illuminating the darkened room. It was almost Halloween, so it had been a long day at the candy factory, where she worked designing colorful paper wrappers for delicious delicacies. Emma was eager to finalize her design for Frankenfudge before going home. As she sifted through her emails, one particular message caught her eye. The subject line read: “URGENT: Scribble Account Compromised.” 

Emma clicked on the email, which appeared to be from Scribble, the software platform she used to design candy wrappers. The message instructed her to click on a link and log in to update her credentials immediately. The email looked legitimate, complete with Scribble’s logo. Emma, who had just used Scribble to design the packaging for Frankenfudge and Wicked Witch Wafers, grew nervous as she read the email. What if someone stole her work? 

Just as her finger hovered over the link, a chill ran down her spine. Something about the email seemed off, but she couldn’t quite put her finger on it. She glanced around the office, now empty and eerily quiet.  

Determined to shake off her paranoia, Emma decided to take a closer look at the email. She noticed something unusual—the email address didn’t match the Scribble website, and the language, though professional, contained minor grammatical errors. 

Her heart pounded as she realized she had almost fallen for a phishing scam. Emma quickly closed the email and reported it to the candy factory’s IT department. She felt a mix of relief and fear, knowing how close she had come to compromising her hard work and potentially the security of precious Halloween candy. 

Emma’s phone buzzed, startling her. It was a message from her colleague Mark, who was the factory’s taste tester.  

Screenshot of a text exchange between Emma and Mark.

Later that evening, as Emma drove home, she couldn’t shake the feeling of being watched. She glanced out the window, half-expecting to see a creepy figure lurking in the darkness. She couldn’t help but think about how easy it could have been to fall victim to the phishing scam. In the digital age, the lines between reality and deception were becoming so blurry. But tonight, thanks to a moment of vigilance, she had dodged a bullet. 

As she pulled into her driveway, Emma made a mental note to be more cautious in the future. The world of cybercrime was filled with unseen threats, and it was up to individuals like her to remain vigilant. She stepped inside her home, locking the door behind her, and felt a sense of security and relief. 

That night, Emma slept soundly, her dreams untroubled by the specter of cyber threats. She had faced the phishing phantom and emerged unscathed, a small victory in the ongoing battle against digital deception. 

If you’d like to avoid the phishing phantom, remember to follow these guidelines so spooky season is filled with treats, not tricks: 

  • Never share your Clark password with anyone. ITS will never ask for your password. 

MFA and Travel

You have your passport, you have your bags packed, and you’re excited to get going. But wait! If you plan on connecting to your Clark account when travelling, preparing your MFA in advance can make your trip much easier.

When travelling or otherwise, ITS recommends using the Microsoft Authenticator app as your primary MFA factor. This app can be installed on multiple devices, and will allow you to authenticate into your Clark account from anywhere your devices can connect to the internet – regardless of cell service or phone number.

1. Adding Authenticator as a Factor

Before boarding the plane or hitting the road, be sure that Microsoft Authenticator is your primary MFA factor. Authenticator can approve your login over the internet rather than using a text code that requires a specific phone number. In fact, Microsoft will usually default to using Authenticator if it is included as one of your factors, since it is the most secure.

Go to https://mysignins.microsoft.com/security-info and log in if prompted.

If Microsoft Authenticator is not included in your list of factors:

    • Click Add sign-in method
    • Choose Authenticator App
    • Click Add, and follow the prompts
    • When complete, check that Authenticator is listed as your default sign-in method again.
      • If not, follow the instructions below.

Once complete, ensure that your “Sign-in method when most advisable is unavailable” is “Microsoft Authenticator – notification”. If not, click Change and choose “App-Based Authentication – notification”.

2. Installing Authenticator on Another Device

Now that Authenticator is your primary factor, you can install the app on multiple internet-connected devices to give you lots of flexibility when travelling. However, be sure to only install it on devices that you are the sole user of to prevent security issues.

Before beginning this process, be sure that the device with Authenticator set up as your primary factor in step 1 is connected to the internet.

  1. Download Microsoft Authenticator to your new device. Be sure that it’s published by Microsoft.
  2. Launch the application
  3. Choose Work or School account
  4. Enter your Clark email address
  5. When prompted, log in with your usual Clark credentials
  6. At this point, Microsoft will attempt to authenticate your login using your primary factor – the Authenticator app on your first device. Follow the prompts on your first device to authenticate your new device

From now on, whenever authentication is required, the Authenticator app on both devices (as long as they are connected to the internet) will prompt you to approve your login.

If you have any questions about this process, please contact the Help Desk at helpdesk@clarku.edu, 508-793-7745. Remember that we can support you more easily if you contact us before travelling.

Tips, Tricks, and Treats: October is Cybersecurity Awareness Month!


With blue skies, fall foliage, and haunted houses, October is one of the best times to live and learn in New England. It also happens to be cybersecurity awareness month, which makes it the perfect time to enjoy pumpkin spiced treats, plan your Halloween costume, and prepare yourself against the scariest monsters of them all: cybercriminals like Count Hackula and Frankenphisher. 

What’s so scary about cybercriminals? 

Most often, cybercriminals target personal identifying information (PII) such as your full legal name, birth date, or social security number. Once they have access to this information, they can use it to impersonate you, gain access to your accounts, and sell your data. For educational institutions such as Clark, hackers typically try to trick you into revealing your password so they can access the network, target others in the Clark community, and locate confidential data such as health or financial information of students and employees. As a reminder, ITS will never ask for the password to your Clark account, and this password should never be shared with anyone else, especially through an electronic means such as a text message or email. 

Most cybersecurity violations (80% of security incidents and 90% of data breaches) stem from social engineering attempts, in which a cybercriminal or bot poses as a legitimate business, charity, or colleague. They often appear as emails, but cybercriminals may also send text messages or leave voicemails about an urgent or critical matter. For example, you may receive an email from a foundation asking for your personal information so you can receive a prize, or a text message reportedly from your bank regarding a compromised account. Learn more about different types of social engineering here. 

Yikes! How can I protect myself? 

If you have additional questions about cybersecurity at Clark University, please contact the Help Desk by emailing helpdesk@clarku.edu or by calling 508-793-7745. 

Data Management

Now, more than ever, we share information and use data daily in our personal and professional lives. There are certain types of information that are regulated and must be handled appropriately when shared with others not only to ensure compliance with legislation, but also to minimize the risk of the information being viewed inappropriately and to help protect the privacy of individuals. To help Clark employees handle specific types of information, the university has a Data Classification Policy that defines three types of data (confidential, restricted, public) and details how we can use and share those types of data. In addition to the policy, there is a one page reference sheet that provides examples and guidelines for managing different types of data. Reading the policy and following the reference sheet will help you manage the information we’ve all been entrusted to protect. 

If our ability to protect certain information is compromised, Clark must provide notice to individuals impacted as well as state or federal authorities. Spirion is installed on Clark-managed computers. It can identify where sensitive information lives on your computer and in your email. Information on how to use it can be found online. If Spirion identifies confidential or restricted information that is no longer needed, then it should be deleted. 

In addition to defining how we must manage Clark data, these documents also provide good guidelines for how we can manage our own personal data. For example, you should never email highly confidential information like a social security or credit card number. Email you send with this information usually lives in your sent items for a long time, serves no useful purpose living there, and creates risk around a compromise. If an email account is compromised, cybercriminals will first download all email in the account to mine for information later. If you do have this information in your mailbox, we recommend you delete those messages. 

Social Engineering

Each day, hackers come up with new and innovative ways to trick individuals into providing personal information. These types of attacks are commonly referred to as social engineering attacks. Social engineering is the tactic of manipulating, influencing, or deceiving a victim to gain control over a computer system or steal personal and financial information. Currently, there are three main types of social engineering attacks.

Phishing

In phishing attacks, hackers send malicious emails with information about a free product, pose as a service you use, or pretend to be a friend trying to get in touch with you. When you click on a link or open an attachment from these emails, malicious files are downloaded to your device, causing it to be held for ransom.

Smishing

SMS phishing, or ‘smishing,’ happens when hackers try to steal your personal details by posing as a trusted person or service via text message. For example, a cybercriminal could pose as a representative from your bank and ask you to click on a link to connect to your bank’s “web page” and verify a recent suspicious charge. Others might ask you to call a customer service number, conveniently included within the text message, regarding a compromised account. Hackers even pose as celebrities or charitable foundations, sending text messages asking for donations to aid with hurricane relief or animal rescues. Once you input your bank information, credit card number, or social security number, the criminal can make fraudulent charges.

Vishing

Vishing is voice or voicemail phishing. This occurs when hackers call your phone number to speak to you or leave voice messages. They claim to be from a reputable company, often mentioning outstanding bills or account emergencies in order to confuse you and ask for personally identifiable information such as bank and credit card information.

Spotting Social Engineering

Click here for lots of tips on how to spot Phishing – social engineering via email.

For Smishing, look at the phone number that sent the text message. Do you recognize it? Sometimes the first few numbers or the country code can reveal that the message is coming from another country. Additionally, many automated texts from institutions like banks come from numbers that are only a few digits long, rather than a full ten-digit phone number. A good general rule is to never click on a link in an SMS, and instead find the link on your computer through official websites.

What about Vishing? Typically, vishers will call from restricted or unrecognizable numbers. If you do not recognize it, let it go to voicemail. Most of the time, vishers will not leave a voicemail, but if they do, you will have more time to determine its legitimacy when you do not feel rushed to answer questions. Vishers often pretend to be calling from a government agency, financial organization, or law enforcement agency. They will usually ask for sensitive information such as social security numbers, mother’s maiden name, or childhood home address.

Staying up to date with current smishing and vishing campaigns can help you be aware of what to watch out for. Click here for information from the Social Security Administration’s website.

Limiting telemarketer calls and messages also reduces the chances of being targeted by phishing, smishing, and vishing. If you do not want to receive calls or texts from telemarketers, you can register your home or mobile phone number for free at:  https://www.donotcall.gov/

If you have any questions about the validity of a text message or voicemail, especially any claiming to be from a member of the Clark University community, contact the ITS Help Desk by emailing helpdesk@clarku.edu or calling 508-793-7745.

Our monthly information security articles are written by Alex Magid, Information Privacy and Compliance Analyst. ITS is proud to announce that Alex was recently nominated as a candidate for Educause’s Board of Directors, and additionally has been awarded a scholarship by the Regulated Research Community of Practice to attend the Educause Cybersecurity and Privacy Professionals Conference.

 

 

Think Twice Before Charging!

We have all been there: your phone battery is at 5%, and you’re in an airport, coffee shop, or other public space. You search for an outlet, but instead find a powered USB port. You figure this will charge the same way as a pronged outlet. Think twice!

While it’s true that public USB ports can help you charge in a pinch (though often at much slower rates), they may also leave your device at risk of malware. Hackers can tamper with USB ports so that they carry software that can infect your device as soon as you plug in. To help minimize the risk of your device being compromised, it is best to use a USB Data Blocker.

What are USB Data Blockers?

A USB data blocker is a device that plugs into the charging port on your phone, acting as a shield between the public charging station and your phone. USB data blockers restrict hackers from accessing your phone’s data.

Which USB Data Blocker is the Best?

There are many types of USB Data Blockers, all of which accomplish the same goal of protecting your device. Some use a stronger level of security, and so depending on the type of data on your device, we recommend researching and seeing which blocker your industry prefers and why.

If you have no specific needs, our recommendation is the 4th Gen Juice-Jack Defender. It is cheap, effective, comes in many colors, and is available on Amazon and from many other retailers.

Anatomy of a Data Breach

Arguably no phrase has dominated the tech world over the last 24 months more than the term “data breach.” From breaches impacting critical infrastructure like the Colonial Pipeline, which provides most of the country’s fuel, to hackers compromising healthcare records of half a million people at UC San Diego Health, the headlines of the last two years have been full of cybersecurity mishaps. Yet, despite this breach-centric news cycle, many individuals may not know what exactly a data breach is, how they typically start, and why they occur.

What is a data breach?

While it may seem like a complex concept, once the jargon is removed, a data breach is very straightforward. According to Trend Micro, a data breach is “an incident where information is stolen or taken from a system without the knowledge or authorization of the system’s owner.” And while data breaches can be the result of a system or human error, a vast majority of data breaches are the result of cyberattacks, where a cybercriminal gains unlawful access to sensitive system data. In fact, 92% of the data breaches in Q1 2022 were the result of cyberattacks.

What kind of data can be breached?

Unfortunately, cyber criminals look to get their hands on any available information, ranging from more obvious sensitive information such as social security numbers and credit card information to more obscure data like past purchase history.

How do data breaches happen?

Cybercrime is getting more sophisticated each day. However, cyberattack tactics do not have to be cutting-edge or advanced in order to be effective. Here are a few examples of popular tactics used by cybercriminals:

  • Phishing: Phishing is when a cybercriminal pretends to be a legitimate party in hopes of tricking an individual into giving them access to personal information. Phishing is one of the oldest tricks in the book for cybercriminals but it is just as effective as ever. For example, 80% of security incidents and 90% of data breaches stem from phishing attempts.
  • Malware: Another tried-and-true method for cybercriminals is malware. Malware is malicious software that secretly installs itself on devices – often by way of a user engaging with fake links and content – and quietly gains access to the data on an individual’s device or business network.
  • Password Attack: Through password attacks, cybercriminals look to gain access to sensitive data and networks by way of “cracking” user passwords and using these credentials to get into networks and extract data.

How do I spot a possible breach?

The best way to stop a data breach is to stop it before it even starts. This includes taking steps like making sure passwords are long and complex and reporting suspicious emails. If you do suspect that you have been the victim of a breach, immediately contact Clark’s ITS Help Desk (helpdesk@clarku.edu, 508-793-7745) and follow advice to help scan, detect, and remediate any issues.

If you are interested in learning more, or ever have questions about how to keep yourself or those you care about safe and secure through the digital landscape, feel free to contact or stop by the ITS Help Desk. We would love to chat!

Stop before you Scan: QR Codes and Cybersecurity

Written by Alex Magid, Information Privacy and Compliance Analyst

You see them on hallway walls, in emails, and in place of traditional restaurant menus. Quick Response Codes, commonly referred to as QR Codes, are machine-scannable images that can be read using a Smartphone camera. Every QR code consists of a number of squares and dots which represent certain pieces of information. When your Smartphone scans this code, it translates that information into something that can be easily understood by humans – often a link to a website.

QR codes surged in popularity during the pandemic because consumers found them easy to use and businesses did not have to worry about contact contamination. QR codes are a great tool for saving space, and quickly directing people to information… and hackers know this!

Users should think about QR codes the same way we think about other phishing tactics like email scamming and social engineering. While most codes are safe, some QR codes can contain malicious links that deliver malware so that cybercriminals can easily obtain your data, such as credit card information or your social security number.

How to spot authentic QR Codes

Always check the URL on the notification before clicking to be redirected. If the URL does not look like a trusted source or differs from the known company’s URL, exit out of your browser.

Attackers and pranksters have printed counterfeit QR code stickers and put them on top of existing QR codes, a common tactic that occurs in restaurants on menus, and on shared bulletin boards. So before scanning, take a quick look to see if the QR code looks out of place or seems to be a sticker when it shouldn’t be.

Users should always avoid downloading an app from a QR code. Instead, once you have learned the name of the app, find it in your device’s app store for a safer download. Finally, if you scan a QR code and it prompts you to download a “QR reader,” it is likely a trick used by scammers.
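The URL check described above can also be written down as code. The following is an added example, not Clark ITS tooling: it takes the text decoded from a QR code and lists the reasons the link does not match the organization you expected. The function name, the sample URLs (reserved `.example` names and a documentation IP address) and the choice of `clarku.edu` as the expected domain are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def qr_url_warnings(decoded: str, expected_domain: str) -> list[str]:
    """Return reasons to distrust a URL decoded from a QR code.

    An empty list means the link uses HTTPS and its host is the expected
    domain or one of its subdomains. (Hypothetical helper for illustration.)
    """
    try:
        parts = urlsplit(decoded.strip())
    except ValueError:
        return ["not a web link (could not be parsed as a URL)"]
    if parts.scheme not in ("http", "https"):
        return [f"not a web link (scheme {parts.scheme!r})"]

    warnings = []
    if parts.scheme != "https":
        warnings.append("connection is not HTTPS")

    host = (parts.hostname or "").rstrip(".")
    if not host:
        return warnings + ["URL has no host name"]

    # "https://trusted.name@other.host/" shows the trusted name first, but the
    # browser connects to the host that follows the "@".
    if parts.username is not None:
        warnings.append("text before '@' is not the site; real host is " + host)

    # A bare IP address gives no organization name to compare against.
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass

    # Look-alike letters from other alphabets (or their xn-- encoding).
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("internationalized host name may imitate a trusted one")

    # The trusted domain must be the END of the host name, on a label boundary:
    # "clarku.edu.signin.example" belongs to signin.example, not clarku.edu.
    expected = expected_domain.lower().rstrip(".")
    if host != expected and not host.endswith("." + expected):
        warnings.append(f"host {host!r} is not {expected} or a subdomain of it")
    return warnings


# Constructed sample payloads, as a phone camera might decode them.
SAMPLES = [
    "https://www.clarku.edu/offices/its/",
    "https://clarku.edu.signin.example/its",
    "https://clarku.edu@signin.example/",
    "http://192.0.2.10/menu",
    "https://cl\u0430rku.edu/",  # Cyrillic "a" in place of Latin "a"
    "free menu here",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        problems = qr_url_warnings(sample, "clarku.edu")
        print(ascii(sample), "->", problems or "matches expected domain")
```
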

Have Questions?

If you have questions about how to stay safe while using QR codes, please contact the Help Desk (helpdesk@clarku.edu, 508-793-7745).