Information Security
Technology touches nearly every aspect of our professional and personal lives, and our user accounts are the basic mechanism that safeguards our online access. Keep two basic facts in mind: everyone is a target for hackers, and no one is immune from cyberattacks. The Division of Information Technology has compiled this page to help you protect yourself from these attacks. Also see the Stevens security policies on our Governance, Policy & Standards page for further guidance.
Tips for Staying Safe Online
Recently there has been an uptick in scams targeting the higher education community. While these tactics are not new, they are constantly adapted to catch more victims off guard. Such scams include, but are not limited to:
Financial Aid/Scholarship Scams
Job Offer Scams
Tuition Scams
Fake Check Scams
Credit Card Scams
Public Wi-Fi Scams
Fake Apartment Scams
Social Media Scams
Do
Be cautious about clicking links or downloading attachments in email, text, or social media messages, even from someone you know.
Be wary of unsolicited emails about job applications you did not submit, or job offers that seem too good to be true.
Consider using a VPN when using a public Wi-Fi network.
Consider using a password manager, such as LastPass, to protect your accounts.
Report suspicious emails using the “Report Phishing” button in Outlook.
Do not
Send payments via gift cards or cryptocurrency.
Agree to any monetary assistance without proper research (jobs, debt relief, tuition, etc.).
Answer messages through email, text, or social media asking for money, personal or financial information.
Fall for the newest scams (read more in our Security Bulletins below); report any scam you encounter.
Do
Lock your computer if you walk away from it.
Use caution when choosing to save your login information in browsers such as Google Chrome or Mozilla Firefox – if your laptop is lost or stolen, someone who can access your computer can access your accounts. Consider using a password manager, such as LastPass.
Do not
Share your password with anyone else – you are responsible for your account.
Fall victim to phishing or spear-phishing attempts.
If at any point you have reason to believe any of your accounts could have been accessed inappropriately, please contact the appropriate party immediately (call your bank if there are suspicious activities, etc.).
Check the information associated with that account and confirm that nothing has been changed except by you:
Email messages, including any sent emails you do not recognize.
Employee information in Workday such as beneficiaries, direct deposit information, dependents, and similar important data.
Retirement account information such as TIAA accounts.
Online bank accounts as well as your credit history and scores.
Important files on your computer or network file shares.
Any other sources you might normally access.
If you detect any problems with your Stevens-related accounts, please contact the appropriate office immediately (for example, the Division of Human Resources, Payroll Office, Division of Information Technology, etc.).
Other Available Options
Antivirus software (available to Stevens students, faculty, and staff for personal use).
Password management software such as LastPass.
Home Internet Security course, powered by KnowBe4, available to Stevens students for free.
Identity theft protection such as LifeLock or TrueIdentity.
Remember: a compromised account can lead to:
Loss of data, causing harm to employees, students, and yourself.
Financial losses, including your accounts, loss of confidentiality and security, and the possibility of identity theft.
Malware downloaded to your computer, and possibly to Stevens systems and other members of the Stevens community.
NOTE: TO ENSURE YOUR SAFETY AND THAT OF STEVENS FOR OUR STUDENTS AND OTHER EMPLOYEES, ANY ACCOUNT THAT IS SUSPECTED OF BEING COMPROMISED WILL BE LOCKED UNTIL THE OWNER IS CONTACTED, THE PASSWORD FOR THAT ACCOUNT IS CHANGED, AND INTEGRITY OF THE ACCOUNT IS REESTABLISHED.
Phishing
What is Phishing?
Phishing is a form of fraud in which a hacker tries to acquire confidential information such as login credentials or account information by masquerading as a reputable entity or person in email, IM, or other communication channels.
What is Spear Phishing?
Spear phishing consists of attacks directed at specific individuals, roles, or organizations. Because these attacks are so targeted, attackers may go to great lengths to gather personal or institutional information in the hope of making the attack more believable and increasing its likelihood of success.
Why is Phishing awareness important?
When an individual falls victim to a phishing attempt, they are often infected with malware or have their username and password stolen. Either outcome can be extremely damaging: personal information such as social security numbers or driver's license numbers, or sensitive information related to Stevens' goals and objectives, can be disclosed. A skilled attacker can also start with a single username and password and escalate their privileges, allowing them to acquire critical institutional information such as financial reports and student data.
How do I report a phishing attempt?
If you receive a suspicious email, please report it to the Office of Information Security.
External Email Tag in Office 365 Email
The external email tag is a new feature that will help you identify emails that originate outside the University’s email systems by prepending a notification to the email message.
Emails carrying the external sender notification may come from legitimate external sources and services and should not be discarded without reviewing them first.
Why Is This Notification Added?
Phishing attacks often originate from external sources using deception, email, and website impersonation to steal credentials and other personal information. The external sender notification is just a reminder to use caution when handling emails from external sources.
What Should I Do?
Not all external emails are malicious, but when you see the external sender notification you should be wary about:
Opening attachments
Clicking on links
Providing personal information
Performing financial transactions for the sender
When a sender appears to be someone at the university but has the external sender notification, be extra cautious. Forward any questionable emails to [email protected].
Is Email with the External Sender Notification Always External?
Some technology services used by the University that generate emails may show the external sender notification tag, such as Zoom, Box, Google Drive, and Office 365 apps like Teams and OneDrive.
My Department’s Email is Getting the External Sender Notification tag
If an email from your departmental email system or vendor bulk email is getting the external sender notification, send an email to [email protected] to request an exception. Include the following information:
Requesting Business Unit: (College, Department, Organization, etc.)
Requesting Point of Contact: Name, Email address, and phone number. (*Should be an individual familiar with the third-party vendor used by unit for mass email communications)
Name of third-party vendor service or system:
Business Process it supports: (Examples: Internal communications, external communications, newsletters, fundraising, etc.)
Audience/Size: (Faculty, Students, Alumni, External Sponsors, etc.)
Frequency of Use: (Ad hoc, daily, weekly, monthly, etc.)
Can I personally opt-out of [External] tagging?
No, [External] tagging is added to all Stevens email accounts to help identify email from external sources.
Are [External] tagged messages dangerous?
Not all [External] messages are dangerous. Many legitimate messages come from external sources. However, a common phishing technique is spoofing our Stevens email addresses. The [External] tag is one more mechanism to determine authenticity.
Does [External] tagging do any additional scanning, filtering, or sorting?
No additional scanning, filtering, or sorting is performed. If the message origin is a non-Stevens Email system, then [External] is added to the beginning of the email message subject.
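The tagging rule above, modeled as an added example (this is not Stevens' gateway code): a message is tagged when it did not originate from the University's own mail system, an approved vendor listed by envelope-sender domain is exempt, the tag is applied only once, and the case the tag is meant to expose is flagged separately: a visible From address that claims a University domain on a message that did not come from the University. The domain names, the `origin_internal` flag on each message, and the sample messages are assumptions constructed for this example.

```python
"""
Added example (not Stevens code): a minimal model of the [External] subject tagging
described above, plus the spoofing case the tag is meant to expose.
Assumptions: the mail gateway knows whether a message was submitted through the
University's own mail system (origin_internal), and excepted vendors are listed by
envelope-sender domain. Domain and vendor names below are made up.
"""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Iterable

INTERNAL_DOMAINS = {"stevens.edu"}                          # assumption: the University's mail domain
EXCEPTED_SENDER_DOMAINS = {"bulkmail.example-vendor.com"}   # assumption: approved via the exception request above
TAG = "[External]"


@dataclass
class Message:
    header_from: str        # RFC 5322 From: shown to the user; freely spoofable
    envelope_from: str      # SMTP MAIL FROM; what the gateway actually sees
    origin_internal: bool   # True only if submitted through the University's mail system
    subject: str


def address_domain(header: str) -> str:
    """Lower-cased domain of an address header, ignoring any display name."""
    _, addr = parseaddr(header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def in_domains(domain: str, domains: Iterable[str]) -> bool:
    """Exact or subdomain match: mail.stevens.edu matches stevens.edu; stevens.edu.evil.example does not."""
    return any(domain == d or domain.endswith("." + d) for d in domains)


def needs_tag(msg: Message) -> bool:
    """Tag everything that did not originate from the University's mail system,
    unless the envelope sender belongs to an excepted vendor."""
    if msg.origin_internal:
        return False
    return not in_domains(address_domain(msg.envelope_from), EXCEPTED_SENDER_DOMAINS)


def tagged_subject(msg: Message) -> str:
    """Prepend the tag once; replies and forwards of already-tagged mail stay single-tagged."""
    if not needs_tag(msg) or msg.subject.startswith(TAG):
        return msg.subject
    return f"{TAG} {msg.subject}".strip()


def looks_like_impersonation(msg: Message) -> bool:
    """The 'be extra cautious' case: the visible From claims a University address,
    but the message did not come from the University's mail system."""
    return needs_tag(msg) and in_domains(address_domain(msg.header_from), INTERNAL_DOMAINS)


# Constructed sample traffic
INTERNAL = Message("Jane Doe <jdoe@stevens.edu>", "jdoe@stevens.edu", True, "Thursday agenda")
VENDOR = Message("Alumni News <news@bulkmail.example-vendor.com>",
                 "bounce@bulkmail.example-vendor.com", False, "Spring newsletter")
OUTSIDE = Message("Recruiter <hr@jobs.example>", "hr@jobs.example", False, "Job offer")
SPOOFED = Message("The Provost <provost@stevens.edu>", "attacker@phish.example", False, "Urgent request")

if __name__ == "__main__":
    for m in (INTERNAL, VENDOR, OUTSIDE, SPOOFED):
        print(f"{tagged_subject(m)!r:32} impersonation={looks_like_impersonation(m)}")
```

The decision is keyed on where the message entered the mail system, not on the From: header, because the From: header is exactly what a phisher spoofs; that is why a message that "appears to be someone at the university" can still carry the tag.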
How to spot Phishing
The email is marked "important" or stresses urgency to pressure the recipient into clicking a link.
Hovering the mouse over a link reveals a destination that differs from the link text shown in the email.
The sender address is unknown or does not match the format Stevens messages normally use.
A vaguely named attachment.
Vague email content requesting that the recipient take action. Malicious emails often direct you to click a link or open a file.
Unsolicited email from an unknown source.
Vague email subject.
Vague email content. Note: an email with no attachment or link can still be suspicious if its content is extremely vague. Hackers send such emails to discover who will reply and engage in conversation; this is often the first step of a social engineering attempt to extract confidential information.
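Several of these indicators can be checked mechanically. The following added example (not code from this page or from Stevens) runs three of them over a message: the hover check (link text that shows one host while the href points to another), urgency language in the subject or body, and a display name that claims the University while the address does not, plus a one-word subject. The internal domain, the urgency word list and both sample emails are constructed assumptions.

```python
"""
Added example (not Stevens code): checking a message against the indicators listed
above. The urgency word list, the internal domain and the two sample emails are
constructed for this example.
"""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"stevens.edu"}                      # assumption
URGENCY_WORDS = ("urgent", "immediately", "important", "within 24 hours",
                 "suspended", "verify now", "action required")
# Matches a bare hostname or URL inside visible link text
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL or bare domain, lower-cased."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def link_mismatches(html_body: str):
    """Indicator: the link text shows one host, but hovering reveals another."""
    parser = LinkCollector()
    parser.feed(html_body)
    found = []
    for text, href in parser.links:
        m = HOST_RE.search(text)
        if m and host_of(m.group(1)) != host_of(href):
            found.append((text, href))
    return found


def phishing_indicators(header_from: str, subject: str, html_body: str):
    """Return human-readable reasons; an empty list means none of these
    indicators fired, which does not prove the email is safe."""
    reasons = []
    name, addr = parseaddr(header_from)
    domain = addr.rsplit("@", 1)[-1].lower()
    internal = any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)
    if not internal and any(d.split(".")[0] in name.lower() for d in INTERNAL_DOMAINS):
        reasons.append(f"display name '{name}' claims the University but address is {addr}")
    lowered = f"{subject} {html_body}".lower()
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    for text, href in link_mismatches(html_body):
        reasons.append(f"link text '{text}' actually points to {host_of(href)}")
    if len(subject.split()) <= 1:
        reasons.append("vague subject")
    return reasons


# Constructed samples
PHISH = dict(
    header_from="Stevens IT Support <it-support@secure-login.example>",
    subject="URGENT: password expires today",
    html_body='<p>Your mailbox will be suspended. Visit '
              '<a href="http://secure-login.example/owa">https://mail.stevens.edu/owa</a>'
              ' to verify now.</p>')
LEGIT = dict(
    header_from="Jane Doe <jdoe@stevens.edu>",
    subject="Agenda for Thursday's meeting",
    html_body='<p>Notes are in <a href="https://stevens.box.com/s/abc">Box</a>.</p>')

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(**msg))
```

An empty result is not a clean bill of health: the page's last indicator, a vague message with no link at all, produces nothing here, and that is exactly the reply-bait the text warns about.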
Below are examples of phishing (fake) emails that have been spotted at Stevens. We have removed the malicious content from the messages but recommend against interacting with any links or email addresses in the examples. If you receive a suspicious email that is not listed here, DO NOT assume it is safe: there are many variants of every phish, and new ones are sent each day. When in doubt, consult [email protected].
Report suspected phishing attempts to the Information Security Office. Click the Report Phishing button in Microsoft Outlook.
Warning: Do not explore the links or email addresses in the phishing emails listed here. We work to sanitize these examples, but please do not investigate them further on your own. Still not sure? Read more in our “How to spot Phishing” section on this page.
Password Tips
Passwords are the key to almost everything you do online, and you probably have multiple passwords that you use throughout the day. Choosing hard-to-hack passwords and managing them securely can sometimes seem inconvenient. Fortunately, there are simple ways to make your passwords as secure as possible. Doing so can keep hackers from taking over your accounts and prevent theft of your information (or money from online banking!).
8 Tips to Help Make Your Digital Life More Secure
Change your password at least once every 365 days, and immediately if you suspect it has been exposed. If you need to change your Stevens password, you can do so here.
Never reveal your passwords to others. You probably wouldn’t give your ATM card and PIN to a stranger and then walk away. So, why would you give away your username and password? Your login credentials protect information as valuable as the money in your bank account. Nobody needs to know them but you—not even the IT department. If someone is asking for your password, it’s a scam. See Smart Alternatives to Password Sharing.
Use different passwords for different accounts. That way, if one account is compromised, at least the others won’t be at risk.
Use multi-factor authentication (MFA). Even the best passwords have limits. Multi-Factor Authentication adds another layer of protection in addition to your username and password. Generally, the additional factor is a token or a mobile phone app that you would use to confirm that you are trying to log in. Learn more about MFA and how to turn it on for many popular websites at https://www.turnon2fa.com/.
Length trumps complexity. The longer a password is, the better. Use at least 16 characters whenever possible.
Make passwords that are hard to guess but easy to remember. To make passwords easier to remember, use sentences or phrases. For example, “breadandbutteryum”. Some systems will even let you use spaces: “bread and butter yum”. Avoid single words, or a word preceded or followed by a single number (e.g. Password1). Hackers will use dictionaries of words and commonly used passwords to guess your password. Don’t use information in your password that others might know about you or that’s in your social media (e.g. birthdays, children’s or pet’s names, car model, etc.). If your friends can find it, so will hackers.
Complexity still counts. To increase complexity, include upper and lower case letters, numbers, and special characters. A password should use at least 3 of these choices. To make the previous example more secure: “Bread & butter YUM!”
Use a password manager. Password management tools, or password vaults, are a great way to organize your passwords. They store your passwords securely, and many provide a way to back-up your passwords and synchronize them across multiple systems. One such password manager is LastPass, which will fill out passwords in your browser for you and generate new ones when you change your password. For more information on LastPass, see LastPass FAQ.
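A checker for the rules in the tips above, as an added example that is not Stevens code and not a description of how the Stevens password system works: minimum length of 16, at least 3 of the 4 character classes, rejection of common passwords and of a single dictionary word with at most one digit (the `Password1` pattern), and a raw keyspace estimate that shows why length beats complexity. The common-password and dictionary sets are tiny constructed stand-ins for the wordlists attackers actually use.

```python
"""
Added example (not Stevens code): a checker for the password rules given above.
The common-password and dictionary sets are tiny constructed samples standing in
for the real lists attackers use; the bit estimate is raw keyspace, not a
crack-time prediction.
"""
import math
import re

MIN_LENGTH = 16
MIN_CLASSES = 3
# Constructed stand-ins; real attacker wordlists hold millions of entries
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
DICTIONARY_WORDS = {"password", "welcome", "summer", "bread", "butter", "yum", "stevens"}

CLASSES = {  # regex -> alphabet size it contributes to a brute-force keyspace
    r"[a-z]": 26,
    r"[A-Z]": 26,
    r"[0-9]": 10,
    r"[^A-Za-z0-9]": 33,   # printable ASCII punctuation and space
}


def classes_used(pw: str) -> int:
    """Number of the four character classes present in the password."""
    return sum(1 for pattern in CLASSES if re.search(pattern, pw))


def keyspace_bits(pw: str) -> float:
    """log2 of the brute-force search space: length * log2(alphabet size).
    This shows why length beats complexity; it says nothing about guessability,
    and a dictionary phrase is far weaker than this number suggests."""
    alphabet = sum(size for pattern, size in CLASSES.items() if re.search(pattern, pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw: str, personal_terms=()) -> list:
    """Return the rules the password violates (an empty list means it passes all of them)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if classes_used(pw) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in a common-password list")
    # A single dictionary word, optionally preceded or followed by one digit (e.g. Password1)
    m = re.fullmatch(r"\d?([a-z]+)\d?", lowered)
    if m and m.group(1) in DICTIONARY_WORDS:
        problems.append("single dictionary word with at most one digit")
    # Birthdays, pet names and the like; the caller supplies what is known about the user
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal information: {term}")
    return problems


if __name__ == "__main__":
    for pw in ("Password1", "breadandbutteryum", "Bread & butter YUM!", "P@ssw0rd!"):
        print(f"{pw!r:24} {keyspace_bits(pw):5.1f} bits  {check_password(pw)}")
```

Run as a script, it shows the 17-character lowercase phrase from the tips with a larger keyspace than the 9-character `P@ssw0rd!`, while the checker still flags it for using only one character class, and `Bread & butter YUM!` passes every rule.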
Security Bulletins
SMS Security Alerts - SMiShing (SMS) Scams
There has been a recent spike in SMiShing (SMS) Scams at Higher Education Institutions. Please review the information below to learn more about what they are and how to avoid them.
What is SMiShing?
With SMiShing, a scammer sends you a text message (SMS). That message appears to come from someone within the University, or from someone you know, asking you to perform a task or to provide information. SMiShing is like email phishing but is done over mobile text messaging.
Avoiding SMiShing Scams
Here are some tips related to SMiShing Scams:
Who’s it from? If you receive a text message claiming to be from the President, the Provost, a Department Chair, or a Director, asking you to do something unexpected or out of character, verify that the message is legitimate before taking any action. The best way to verify a message is to call the sender directly. You may use the Personnel Directory to find the phone numbers of Stevens employees.
Extreme urgency: Be cautious of any text message that urges you to reply quickly or to take action, even if the message appears to be coming from your supervisor or other high-level Stevens personnel. Urgency in text or email messages is a common tactic in both SMiShing and Phishing.
Links you’re unsure of: Avoid clicking links sent to you from numbers you do not recognize.
Never share your personal information (for example, login, personal identifying, or financial details) in response to an SMS message. The Division of Information Technology will never ask for sensitive information over a text message.
COVID-19/recent events: Be cautious of any text message that references COVID-19 and asks you to follow a link. Scammers like to use current events to lend apparent legitimacy to their scams.
What time was the text sent? Check when the text message was sent. A message that arrives at an unusual hour is one more warning sign that it may not be legitimate.
What to do? If you are concerned about a message you have received, please report it to [email protected].
Scam Security Alerts
QR Code Scams
With the COVID-19 pandemic demanding a more contactless way of life, QR codes have been used more frequently (virtual menus at restaurants, contactless payment for goods or services, etc.). Bad actors are taking advantage of this opportunity by tampering with these QR codes. These QR codes, when scanned, will bring the user to a site that will attempt to take personal or financial information.
This scam has been seen recently in the U.S. in the form of pay-to-park services. These bad actors will sometimes place QR codes on parking payment signs, encouraging patrons to use the code to pay. The FBI has recommended the following actions to protect yourself:
Do not scan a randomly found QR code.
Be suspicious if, after scanning a QR code, the site asks for a password or login info.
Do not scan QR codes received in emails unless you know they are legitimate. Call the sender to confirm.
Some scammers are physically pasting bogus codes over legitimate ones. If it looks as though a code has been tampered with at your local bar or restaurant, don’t use it. Same thing with legitimate ads you pick up or get in the mail.
Consider using antivirus software that offers QR readers with added security that can check the safety of a code before you open the link.
EOL Security Alerts
Windows 7 No Longer Supported
The Division of Information Technology will no longer support Windows 7 after the Fall 2021 semester. Microsoft ceased its support of Windows 7 on January 14th, 2020 and no longer provides technical support, software updates, security updates, or other fixes. Microsoft will also no longer support OneDrive on Windows 7 machines. Since Windows 7 is no longer an up-to-date operating system, IT cannot securely support machines running Windows 7.
What to do if you are currently operating on Windows 7?
If you use a Stevens owned machine or run specialized software packages that require Windows 7, please contact Client Support Services to set up an appointment for your machine to be upgraded, [email protected].
If you use a personal machine, IT recommends that you ensure your machine has the latest operating system, updates, and patches.
Scam Security Alerts
Scams Targeting Students
Recently there has been a surge in email, text, and phone scams aimed at Stevens students. These scams are not new, but they are constantly being adapted to better target personal and financial information. Please see our Staying Safe Online page for more tips.
Below are some scams targeting students the Office of Information Security has recently seen:
Fake Check Scams
Never use money from a check to send gift cards, cryptocurrency, or wire money to strangers or someone you just met.
Financial Aid/Scholarship Scams
Watch out for:
Messages indicating that you won a scholarship for which you have not applied
Scholarships that look legitimate but require an application fee
Low-interest student loans with upfront fees
Paid guaranteed scholarship search services
Job Offer Scams
Watch out for:
Offers for jobs for which you have not applied
Job offers that seem “too good to be true”
Unsolicited job offers with generic wording or vague details
Job offers with spelling or grammatical errors
Debt Relief Scams
If you are contacted by someone willing to reduce your student debt and/or monthly payments, do some research first. Fraudulent companies will claim to help reduce your debt but instead will redirect your payments to their accounts instead of paying your loans.
If you have federal student loans, visit the Federal Student Loan website directly. If you have private loans, speak to your loan servicer or visit their website directly.
Public Wi-Fi
If you are using public Wi-Fi, be wary of the websites you visit and the information you send over it. A hostile network can observe or tamper with anything not protected by HTTPS, so avoid logging in or entering personal information on public Wi-Fi, and avoid accessing sensitive information (like your bank) even on a trusted public network. Consider using a VPN. The Stevens VPN is available to students, faculty, and staff.
Tuition Scams
Be wary of fraudulent calls and/or emails stating that you have late payments on your tuition. If you are unsure whether you have paid your tuition or not, log in to eBilling to determine if any payments are required.
For billing inquiries, please email the Office of Student Accounts.
For Financial Aid inquiries, please email the Office of Financial Aid.
Social Media Scams
Bad actors may create social media pages that look legitimate, such as the page of an organization, and reach out solely to collect basic details such as your email address. This can lead to spam emails or possible identity fraud.
Be mindful of the information you post online, and be wary of pages asking for personal information. Stevens employees will not ask for personal information using social media platforms.
Email Security Alerts
Beware of IRS-Impersonation Income Tax Scams Targeting Higher Education. IRS officials issued a warning recently about an ongoing IRS-impersonation scam aimed at educational institutions, including students and staff who have .edu email addresses.
What should you be alerted to?
The phishing emails appear to target university and college students at public and private, for-profit and non-profit institutions using “.edu” email addresses. The emails display the IRS logo and use subject lines such as “Tax Refund Payment” or “Recalculation of your tax refund payment”. They ask the recipient to click a link and submit a form to claim a refund, requesting information such as SSN, first and last name, date of birth, prior-year annual gross income, driver's license number, current address, and IRS Electronic Filing PIN.
What should you do?
If you receive this scam:
DO NOT click on the link in the email.
Please report the email to the IRS. To do this, save the email using “save as” and then send it as an attachment to [email protected] or forward the email as an attachment to [email protected].
How should you protect yourself:
Please consider immediately obtaining an Identity Protection PIN. This is a voluntary opt-in program. An IP PIN is a six-digit number that helps prevent identity thieves from filing fraudulent tax returns in your name.
View the full IRS News Release here. Please be on the lookout for unexpected or unusual emails, texts, updates, phone calls, or web pop-ups, and remember that when in doubt, please reach out to [email protected].
Email Security Alerts
Beware of IRS-Impersonation Income Tax Scams
A new calendar year marks the beginning of tax fraud season, and scammers are endlessly inventive. The Internal Revenue Service (IRS) has issued a warning about a new email scam in which malicious cyber actors send unsolicited emails to taxpayers from fake IRS email addresses. Though subject lines vary, recent examples include "Automatic Income Tax Reminder" and "Electronic Tax Return Reminder."
The emails have links that show an IRS.gov-like website with details pretending to be about the taxpayer's refund, electronic return, or tax account. The emails contain a "temporary password" or "one-time password" to "access" the files to submit the refund. However, this links to a malicious file.
By infecting computers with malware, these bad actors may gain control of the compromised computer or secretly download software that tracks every keystroke, eventually giving them passwords to sensitive accounts.
Remember: the IRS does not send unsolicited emails and never emails taxpayers about the status of refunds.
Beware of COVID-19 Vaccine Scams
The FBI, the Department of Health & Human Services Office of Inspector General (HHS-OIG), and the Centers for Medicare & Medicaid Services (CMS) have issued a joint warning about COVID-19 vaccine scams.
What should you look out for?
Ads promising early access to the vaccine upon payment of a fee or deposit.
Out-of-pocket payment requests for the vaccine or offers to put you on a vaccine waiting list.
Offers for additional testing when the vaccine is being administered.
Offers to sell or ship the vaccine domestically or internationally.
Phishing messages seeking your personal information in connection with vaccine trials or obtaining the vaccine.
Claims of FDA approval for an offered vaccine that cannot be verified.
Vaccine ads from unknown/untrusted sources.
Phone calls alerting you that the government or specific government officials require your vaccination.
Steps you can take:
For up-to-date information about vaccine distribution and distribution channels, check your state’s health department website.
For emergency use authorizations, check the FDA’s website.
Consult your primary care physician about any vaccination.
Only share your medical information with trusted medical professionals.
Review your medical bills and insurance EOBs for unexpected claims.
Follow CDC (Centers for Disease Control and Prevention) and medical guidance from trusted professionals.
Please be on the lookout for unexpected or unusual emails, texts, updates, or phone calls, or web pop-ups, and remember that when in doubt, please reach out to [email protected].
COVID-19 related fraud can be reported to the FBI at ic3.gov or tips.fbi.gov or 1-800-CALL-FBI.