There's an old proverb that states that, “An ounce of prevention is worth a pound of cure." That statement is especially true in terms of how you handle cybersecurity – it's much easier to prepare than it is to repair! One of the best things you can to protect yourself, and the university, is to embrace as many preventative practices as possible: use unique passwords and a password vault, don't open attachments or links from senders when you aren't expecting them, always use a VPN when you don't have a secure internet connection, make sure you create constant file backups, etc. We can't encourage you enough to take those steps!
But unfortunately, with bad actors getting more and more sophisticated, and with “zero-click" exploits becoming more popular, even the most diligent and cautious individuals may end up falling prey to a scam or ransomware of some sort. If that happens, it's important that you immediately take steps to protect your data and devices. Here are some tips if you think you've been targeted by, or are a victim of, a cyber-attack.
If you ever receive an email that includes
“phishy" behavior, it's important that you report the message immediately – especially if you interact with it. That would include doing things like clicking links, downloading files, forwarding the message to colleagues, or entering your personal information without verifying the sender first. If you interact with a potential spam message, make sure to immediately report it and then take some follow-up steps.
Reporting the Message
If you receive a phishing message to your Auburn email account, whether you interact with it or not, make sure to send it to
phishing@auburn.edu. Unfortunately, simply forwarding the email doesn't provide all the information that we need to combat similar attacks. Instead, we ask that you
send the original email as an attachment. If you receive a phishing message to your personal email account, check with your email provider on how to report that.
Following Up
Your next steps will depend on what kind of interaction you have with the message. If you clicked on a link or downloaded a file, you will want to run an anti-malware program to make sure that nothing malicious was added to your device. There are plenty of free malware-scanning programs available if you don't already have one. If you were prompted to enter any login information, you'll need to immediately change the password for any account using those credentials. See more about that in the section on passwords below. If you entered any information that could lead to potential identity theft (banking details or social security numbers), visit the
FTC's page on identity theft. Another concern with phishing attacks is possible spoofing – or someone sending a message as though they are you. If your personal email account is hacked, you may want to notify people in your address book that they should look out for suspicious messages that appear to come from you so they don't fall prey to the same scam.
You should set up 2-factor authentication for any account that offers it. A sure-fire way to know that someone else is using your credentials is if you get an authentication request that you didn't initiate. That could look like a text or email with a code that you're supposed to enter or a link to click on, or it may be a push notification through an authentication app like the Duo Mobile app that Auburn University uses. If you are not actively trying to log into an account, you should not approve or click on any authentication. You should immediately follow any reporting instructions that are available in the notification you received. You should also immediately change your password for the hacked account and any other accounts that use the same credentials – see more on that in the password section below.
We all get them from time to time - those little windows that pop up, notifying us that there are software updates available for our computer. Chances are, these always seem to present themselves right when we are in the middle of doing something seemingly important, so it's all too convenient to click on that “Remind Me Later" button. Later eventually rolls around, and our little pop-up friend is back once again, nagging us to install these updates and restart our computer. And just like during their last visit, we're right in the middle of something, and the cycle continues. However, that notification is not there just to pester us. There is actually significant importance in updating our software.
Bad actors make a habit of exploiting loopholes and flaws in applications and operating systems. The longer you wait for an update, the more vulnerable you are to cyber-attacks. If you fall victim to one, one of the first things you should do is make sure your system has its best defenses in place by being fully updated. Then you should go ahead and turn on the auto-update feature to bolster future protection.
Operating System update instructions: Windows, Mac, Android, iOS
Only Run Official Updates
While we're on the subject of device updates, it's important to note that those bad actors have also found a way to take advantage of the regular updates that are so crucial for functionality and security. Sometimes they run pop-up ads or send text messages instructing you to click links in order to run updates or prevent viruses. Anytime you see something like that, the best thing to do is go into your settings and manually check for updates. It make take a few extra seconds, but it's well worth the security benefits of confirming that you're installing the correct updates – and not accidentally downloading a virus!
If the cyber attack has anything to do with your social security number or any institution that has access to your financial records, you need to pull your credit report and make sure that all the transactions are 100% yours. You'll be able to see things like credit cards and usages as well as attempts to secure major loans for automobiles or homes. You should also be able to view a summary of banking and utility accounts. There are 3 major credit reporting entities, and you'll want to make sure you check all of them since they may update on different schedules.
Here are links to
TransUnion,
Experian, and
Equifax, the three primary credit bureaus.
Freeze Your Credit
Once you've confirmed that your credit report is only listing things that you have authorized, one of the best things you can do is freeze your account. You'll have to do this for each of the reports, but it's a free and simple process, especially if you've already created an account to check your report. Freezing your credit will not affect your score in any way, and it won't keep you from checking your credit, but it will prevent you from having any hard checks performed. That means no new loans or credit cards until you unfreeze it.
Setup Alerts
If you know you're about to open a line of credit for anything (a new phone, a new credit card, a new car, etc.) then you may not want to go through the steps of freezing your accounts quite yet. There are several services that allow you to set up alerts when there are certain types of activity linked to your finances. You have options such as knowing any time a credit check is started, anytime a new account is opened, or even if an account has an expenditure over a certain amount. Setting up alerts can help you keep track of what's happening and improve your awareness so you can act swiftly against any future attacks.
It may seem obvious, but it never hurts to reiterate an important point. If you suspect that any account that you have has been breached, make sure to change your login information for any account that shares the compromised password. This step is why we suggest the preventative measure or making all your passwords unique and storing them in a password vault. Don't forget that you get a free premium LastPass Account with your Auburn email address. Here are some things to think about when you're creating your new password.
Create Complex Passwords
Whenever you create a new password, make sure it's complex. That means it should contain a mix of uppercase and lowercase letters, numbers, and special characters. It should also be something that is not easy to guess or find out about you online such as your birthday, anniversary, pet's name, or school mascot. You should also avoid repeated or sequential numbers or letters such as 'aaaa' or '5678'.
Use 12 or More Characters
You may have heard the phrase, “a long password is a strong password." Many systems require you to create a password of at least 8 characters. However, the new standard is to have at least 12 characters in your password with some entities suggesting 16 or more. And as long as you don't just add '1234' or '!!!!' to the end of your existing password, then those 4 additional characters can make a big difference. If you consider a 4-digit pin for a phone or a debit card, there are 10,000 potential combinations of numbers. If you pick an 8-digit numeric password, it will be 1 of 100,000,000 possibilities. Adding JUST uppercase and lowercase letters gives you more than 2 million times as many combinations. That seems pretty unhackable, but it's not. There are computers that can run through those 200 trillion variations in less than 30 minutes. But a 12-character password, especially one that uses uppercase and lowercase letters, numbers, and special characters, has over 200 million times more combinations that are possible. That's nearly 300 sextillion available variations.
Never Share Login Info
Everyone knows that passwords are supposed to be a secret. But surely, it couldn't hurt to share your Netflix or Amazon Prime account with someone, right? And if you're busy during your registration time ticket, it would be fine to give your password to someone to register for you, right? WRONG. You should never, ever, under any circumstances share your login information with other people. Once someone writes down your password, whether digitally or on paper, there are countless ways for it to get out to other people.
If there is a reason to grant someone access to an account you own, such as a group project where everyone needs to get into a certain email account, or some account you share with your significant other, then share the credentials through LastPass. As long as you both have accounts set up, you can grant each other access to an account or application without ever having to say or write down the password. You also get to choose whether the people you share with can actually see the password or if it just gets stored in their vaults. And should the need arise, you can revoke that access at any time.