Develop a Better Security Routine | Information Technology | University of Pittsburgh

Develop a Better Security Routine

4 Tips to Avoid Getting Hacked

You barely even pay attention to it. You hear your phone ding, open the notification, hit the green button, and head back to your laptop to keep working. Simple as could be, right?

Wait a minute. Why did you get a Duo prompt? You weren’t logging into something. Did you just give someone access to your accounts? Oh no. Now 10,000 people just received a phishing scam from your email address, with dozens falling for it.

Think this scenario is far-fetched? Think again. Pitt IT intervened to thwart this exact situation several times in February alone. Phishing attacks are surging at the University and across the country. Hackers don’t all work from the same playbook. They launch increasingly varied and sophisticated schemes that range from enticing job offers to threats to disable your email account.

Fortunately, you don’t have to be a cybersecurity pro to stay safe. Here are a few routine precautions to keep yourself in the game.

Do Duo Right

Multifactor authentication (Duo) is an important layer of protection for Pitt services. Pay attention to that ding! You should only approve a prompt that you initiate, within seconds of logging in. If you get a random Duo notification, that may mean someone has gotten your password and is trying to log into a Pitt service as you! You should Deny the Duo prompt and then immediately change your password at > Login & Security. If you accidentally accept an unexpected Duo prompt, contact the Technology Help Desk immediately to let them know. That’s key to helping them stop the attack before it spreads.

You can tell Duo to remember you for 24 hours, so it doesn’t trigger prompts all day long when you’re logging in from the same device. Not only is this really convenient, it also makes an odd Duo prompt more noticeable, since you shouldn’t expect another one the same day.

Know A Phishing Attempt When You See One

Ahh, the good old days when phishing attacks were so obvious. A Nigerian prince? Come on. These days, hackers are much more sophisticated. Phishing emails can spoof a legitimate email domain (like and can be a clone of legitimate emails you’ve received from a company or person. Learn to spot the scams. Pitt IT identifies the top warning signs of a phishing email as:

  • Creates a sense of urgency with immediate deadlines
  • Invokes strong emotions, like excitement or fear
  • Requests sensitive data, like a credit card or bank account number or your login credentials
  • Contains links that don’t match legitimate resources for the organization contacting you
  • Uses generic greetings (Dear user), generic content (a file has been shared with you – no file or sender name), or contains poor grammar and spelling

For more detailed information specifically about job and internship scams, check out the Career Center’s Tips for Avoiding Fraudulent Employers page.

Once your suspicions have been raised, check with the supposed sender in person, or log into the business site manually (not using the links in the email). Many a person has signed into their Amazon account and discovered that no odd purchase was actually made.

Update Everything

If it ain’t broke, don’t fix it. Throw those words of wisdom out the window when it comes to tech. Your device and apps may be working just fine, but that doesn’t mean everything is OK. Most software and app updates don’t deliver significant new program features. Rather, they include system and security updates that fix bugs and vulnerabilities. As hackers find their way past system safeguards, the vendors identify and remediate those risks. When you don’t install updates, you’re leaving the door wide open!

Don’t turn off or delay Automatic Updates. It seems like updates always want to install when we’re in the middle of something. But avoid the temptation to turn off Automatic Updates. Leave it on and, if possible, let it run when it notifies you that it’s coming. It only takes a few minutes. Use the time to make a fresh cup of coffee, stretch your legs, or go to the restroom! If you do put an update off, only do so for a few hours, and set a reminder to install it when you’re done working.

Don’t Reuse Passwords; Do Use a Password Manager

If someone knows your nickname and birthday, could they get into every account you own? Many people need to be dragged into using unique and unguessable passwords for every account. To achieve that, you will need to use a password manager, since no one can remember dozens of random passwords.

A password manager may have a bit of a learning curve, but once you learn the ropes, you’ll wonder how you ever lived without it. It does all the work for you! If you log into an account it doesn’t recognize, it will prompt you to save the password for future use. If you create a new account while you’re browsing, it can suggest a secure password and then save the login info. As you browse to sites/accounts it has already saved, it will fill in the password for you with one touch. Easy peasy! All you have to do is remember one master password. It also ensures that your passwords are all synced between devices. Learn more about password hygiene.

Learn More

These are just some of the cybersecurity tips you can use to keep your (and the University’s) data and accounts safe from hackers. The Pitt IT Security website has even more information, including how to connect to restricted University resources with PittNet VPN, downloading Malwarebytes for free, reporting security concerns, security training, and other best practices. Check it out today and celebrate your cyber-safety.

-- By Karen Beaudway, Pitt IT Blogger