2021 UIC Cyber Security Awareness Campaign: True Stories

A common email scam you may come across is known as “phishing.” Scammers send emails aimed at tricking you into thinking they are legitimate. They can appear to be from a business, coworker, student, even the University!

The goal of a phishing email is to get you to open an attachment, or click on a link to a fake website and enter sensitive information like your login and password. Below are some of the scams our team and community have encountered:

• Account Cancellation
  Scammers claim you need to log in to reverse the cancellation request, and send you a link to click on. In reality, the information you provide to login to the fake site is captured and used by the attacker to login to the real site and do damage.
  
• Password Reset
  This popular scam email states you have requested a password reset. Chances are you likely did not, so you may be alarmed and will quickly click on the link without much thought.
  
• Shipping Notifications/Order Cancellations
  These emails can be hard to detect as scammers will mimic real email notifications sent by companies such as Amazon, FedEx and UPS, to make you think they are legitimate. Be sure to hover over links and see what URL they actually redirect to.
  
• “Urgent” Request
  Scammers pose as a coworker or other UIC employee claiming they have an emergency and need you to purchase a gift card or transfer money. They use urgent language and are not available to talk on the phone but need an urgent favor or request handled immediately. Don’t be fooled or rushed into anything.
  
• Open an “important” attachment or voicemail
  Scammers will use spoofing technology and send emails posing as members of the UIC Community with the goal to get you to open “important attachment”, or links to a “voicemail message”. Be careful! Opening attachments can install malware and voicemail links redirect to fake pages prompting you to enter login credentials.

Email scams can be hard to detect and as a result, it is easy for members of the UIC Community to fall victim to cybercriminals’ attempts to steal user names and passwords.  When a cybercriminal gets your NetID and password, they can log into your accounts, steal information, and start spamming others in your network.

UIC has added 2-Factor authentication (2FA) to many university services and applications so even if your password is stolen or compromised, having 2FA set up will require the thief to also have possession of your registered device in order to access your account. Merely having your NetID and password is no longer enough to access accounts.

2FA provides a second layer of security to your University information, making it difficult for an unauthorized person to access your accounts even if your password is compromised.

UIC uses a service provided by Duo Security, an industry leader in cybersecurity services, to better protect our community’s sensitive data. Learn more about 2FA at go.uic.edu/2FA or visit the UIC Help Center.

Personal information can mean a lot of data. Anything from your full name to your Social Security Number counts as personal information, and it’s important to protect it. Keep your information safe using these tips:

Create strong passwords
When deciding on a password, think beyond simple words or numbers a scammer could easily figure out, like your birthday. Choose combinations of lower and upper-case letters, numbers, and symbols and change them periodically. Do not use the same password across multiple sites, services or applications.

Don’t overshare on social media
Avoid putting your personal information at risk. Check your privacy settings so you are aware of who’s seeing your posts, and be cautious when posting personal information such as your hometown, birthday, pet’s names and other personal details.

Use free Wi-Fi with caution
Did you know that most free public Wi-Fi networks have very few security measures in place? This means that others using the same network could easily access your activity. If you are planning on entering sensitive information like your credit card info online, wait until you have access to a safe Wi-Fi connection.

Check to see if the site is secure
Take a look at the top of your browser before entering personal information into a website.  If there is a lock symbol and the URL begins with “https,” that means that the connection between your web browser and the website server is encrypted.

Don’t fall for email scams
Scammers may approach you via phony emails masked as legitimate ones, asking you to change your UIC password. Be cautious when responding to emails that sound suspicious. Never click on links without confirming they are coming from a legitimate source, and remember, if an offer is too good to be true, it probably is!

Job scam emails are very common and prey on students looking for work. Be aware of the common red flags to search for in scam emails:

• Scam emails can come from a @uic.edu email address
  Scammers use email spoofing methods to forge a UIC email address and make it appear as if the email is being sent by a UIC employee! Recipients may fall victim to these scams, believing it is coming from a legitimate UIC contact. Though identifying a scammer using a @uic.edu email may be difficult, there are other signs you can look out for.
• They offer big payment for little work
  An immediate red flag is when a scammer offers a large payment for very little work. Examples include: “$500 a week for working 1 hour per day, 2-3 times a week.” As the old saying goes: “If it’s too good to be true, it probably is!”
• They are filled with typos and grammatical errors
  Most of the time, though not always, scam emails will be written very poorly and contain typos and grammatical errors. In the email example shown, you can see the message is filled with grammatical errors and unnecessary capitalization.
• Scammers will send a check to deposit
  One of the main reasons students can fall for this scam is because scammers will send a check you can deposit for your payment, plus an additional amount that the scammer will need you to send to another account as part of the scam. The checks can be deposited but will be flagged later by the bank as fraudulent. By then you will have sent funds to the scammer and may be responsible for funds lost and subsequent bank fees.
• The email asks you to reply from a non-UIC email
  Scammers want you to send them your personal email so they can contact you outside your UIC email. This is because scammers want to avoid getting caught by our vigilant Security team.
• Scammers ask you to contact them at a different email address
  Scammers will request that you contact them at a different email address rather than the original “From” email address.

If you’ve entered your login credentials to a suspicious site, opened an attachment, or purchased gift cards/transferred money to a scammer:

1. Change your password immediately by going to the UIC Help Center (help.uic.edu) and select Reset Password or going directly to the NetID Center.
2. Email security@uic.edu and explain what occurred. The UIC Security team will monitor your accounts and ensure no suspicious activity is taking place.
3. If the scam involved the loss of money or property, contact the UIC police (police.uic.edu).

Be sure to check out each week’s “Information Technology” section in UIC Today’s Circle Back Newsletter sent every Thursday at 10am for links to the complete True Stories campaign and materials.

Students are encouraged to check their inbox every Monday in October for our weekly NCSAM campaign email including a link to learning material on it.uic.edu covering a cybersecurity topic. When finished reading the material, students may test their knowledge with the Cyber Security Quiz for a chance to win a $50 gift card to the UIC Bookstore!