Cybersecurity Tip of the Week Archive

2026
Calendar Invites Can Be Phishing Too
Scammers don’t just use email anymore; they also send fake meeting invitations that appear to come from colleagues, students, vendors, or campus offices. These invites may include links to “join a meeting,” review documents, or approve requests, and once clicked, they can lead to credential-stealing sites or malware downloads. Because calendar invites automatically add events and send reminders, they can feel more legitimate and harder to question. Always check the organizer’s email address carefully, be wary of unexpected meetings, and avoid clicking links in invites you weren’t expecting. When in doubt, verify the meeting through a known contact or access the meeting platform directly through its official website. (01/06/2026)
 
2025

Be Cautious of Scams Tied to Holiday Gift Returns

After the holidays, scammers take advantage of the return season by sending fake emails or texts claiming there’s a problem with a refund, return label, or store credit. These messages may look like they come from well-known retailers and often include urgent links asking you to “confirm your account” or “re-enter payment information.” Before clicking, slow down and verify the sender. Go directly to the retailer’s official website instead of using links in messages, and never share login credentials or payment details through unsolicited emails or texts. If a return issue is real, you’ll see it when you log in through the official site. (12/30/2025)


Auto-Forwarding Emails is a Hidden Risk

Auto-forwarding UTHSC email to a personal account is generally not permitted. While it may feel convenient, forwarding university email outside of the UTHSC environment creates security, privacy, and compliance risks. Personal email systems do not have the same protections, monitoring, or retention controls as UTHSC-managed email. Because of this risk, the UTHSC Email Standard (IT0002-HSC-C-Email) restricts forwarding university email to non-UTHSC accounts. Keeping email within the university system helps protect sensitive information, supports compliance requirements, and allows the university to respond quickly to security incidents. Convenience should never outweigh protecting institutional data. (12/16/2025)


Give Safely: What to Know Before You Donate

This week's tip comes from the National Cybersecurity Alliance, a non-profit organization that has been empowering a more secure, interconnected world since 2001. As this is the season of giving, they want everyone to be aware that scammers are preying on kind-hearted people who just want to help those in need. 

When a hurricane, flood, wildfire, or other tragic disaster strikes, many people respond with generosity. Unfortunately, cybercriminals respond just as quickly, launching scams that exploit our desire to help. With some precautions, you can reduce the chance of falling victim.

What to know:

Scammers exploit emotion and urgency

After tragedies or disasters, people want to help right away. But scammers often respond immediately, creating fake charities or even fake government-relief sites, to capitalize on that goodwill. If you feel pressured or emotional urgency to give, pause and verify the organization before donating.

Always verify the charity

Fake charities frequently use names or websites that mimic legitimate ones. Research potential charities at CharityNavigator.org and never click donation links in unsolicited messages. Instead, go directly to the charity’s official website.

Be extra cautious with crowdfunding and disaster-relief “volunteers”

Scammers sometimes set up fake crowdfunding pages using stolen photos and fabricated stories to trick donors. Before giving, make sure the campaign is run by someone you know or a verified, trusted source.

For more information see their webpage at https://www.staysafeonline.org/articles/how-to-avoid-charity-scams. (12/09/2025)


Think Before You Click

Cyber-scammers love the holidays because everyone’s juggling finals, travel plans, and peppermint lattes. If you get an email claiming your package is delayed, your account needs “urgent verification,” or your long-lost relative wants to send you a holiday fortune, take a moment before you click. Phishing messages this time of year are as common as ugly sweaters, and some are just as suspicious. Check the sender, verify the link, and report any suspicious communications to abuse@uthsc.edu. Stay merry, bright, and cyber-secure this holiday season! (12/02/2025)


Avoid Creating Passwords that Follow a Seasonal Theme

Around the holidays, attackers often try common, easy-to-guess passwords like Winter2025!, Noel123, SantaClause!, or SpringBreak2025. These may feel festive or timely, but they make your accounts more vulnerable to password-cracking tools that test predictable patterns. Instead, create strong, unique passwords using a mix of unrelated words, numbers, and symbols—something like RiverCoffee47! or BlueMapleSky%. Better yet, use a password manager to generate and store complex passwords for each account. A few extra seconds to create something unpredictable can help keep your personal data secure all year long. (11/25/2025)


Avoiding Online Shopping Scams

Scammers love the holidays as much as we do, just for very different reasons. As online shopping surges, so do fake websites, fraudulent ads, and too-good-to-be-true deals across social media. 

The National Cybersecurity Alliance has resources to help you stay safe this shopping season. 

First, they have a webinar tomorrow, November 19th, at 1pm CST to learn how to stay safe online while holiday shopping. You can register for the webinar here.   

They also have a holiday shopping toolkit with tips for safe holiday shopping, so the Grinch doesn't steal your holiday season! (11/18/2025)


Never Plug in an Unknown USB Drive

What looks like a free flash drive in a classroom, parking lot, or library could actually contain malicious software designed to infect your computer the moment it’s connected. Attackers sometimes leave infected USB drives in public areas, hoping someone will pick them up out of curiosity. Once plugged in, the malware can steal data, install ransomware, or give an attacker remote access to your system. If you find an unknown USB drive, bring it to the ITS Service Desk on the 6th floor of the Alexander Building (877 Madison) instead of testing it yourself. It’s never worth the risk; one click could compromise your computer, your data, and even the university network. (11/11/2025)


Back Up Your Work Regularly

Whether you're working on course assignments, research data, or departmental documents, having a secure backup can save you from losing hours, or months, of progress. Hardware fails, laptops get lost, files get accidentally deleted, and ransomware attacks can lock you out without warning.  Avoid relying solely on a single laptop or USB drive. You have access to Microsoft's OneDrive for cloud storage of all your UTHSC files. For personal devices and files, find a cloud-storage solution, or even an external hard drive, as a backup for your data. Set backups to happen automatically when possible, and keep copies in more than one trusted location. A reliable backup isn’t just a convenience; it’s an essential part of protecting your academic work and professional information. (11/04/2025)


Increase in Scams about Government Benefits 

With the current federal government shutdown creating confusion around pay, benefits, and agency operations, scammers are exploiting the moment by posing as agencies like the Social Security Administration, Veterans Affairs, or Internal Revenue Service, asking you to verify your benefits, pay a “processing fee,” or log into a “secure portal.”

Scammers are also taking advantage of the uncertainty of the funding for federal benefits programs. You might receive a text or call saying your EBT card is “locked,” your benefits will be cut, or you must pay a fee to keep your food assistance. In reality, no official SNAP or state agency will call or text you out of the blue and ask for your card number, PIN, or bank information.

Never click on unsolicited links, never give out your Social Security number, banking information, or login credentials, and always verify by using official agency contact methods found outside of the message you received.

Stay vigilant now, and you help protect not just yourself and your family, but our whole campus community. (10/28/2025)


What is Cybersecurity and Why is it Important to You?

Cybersecurity is simply protecting your digital life, devices, accounts, and data from being stolen, exposed, or damaged. Think of it as a shield for your information, whether that’s your research, classwork, or personal files. In higher education, cyber threats come from “malicious actors” who may want to steal data, spread malware, or disrupt campus operations. They do this through phishing, weak passwords, or outdated software. Because students, faculty, and staff rely on technology daily (email, Wi-Fi, cloud storage, and online learning), everyone plays a role in keeping the university secure.

In our connected world, almost everything we do involves technology. We bank online, shop online, work online, and socialize online. Every time you’re connected, you’re potentially exposed. If your digital defenses are weak, you become an easy target.

Cybersecurity isn’t just for big corporations with fancy IT departments. It’s for every single one of us. It’s about taking active steps to keep your digital life safe and sound. We’re talking about things like using strong passwords, being careful what you click, updating your software, and recognizing scams.

Think of cybersecurity as your digital armor. The stronger it is, the less likely you are to become a victim. (10/21/2025)


Windows 10 Has Reached End of Support — Time to Upgrade Your Defense

When an operating system reaches end of life, the vendor stops issuing security patches, bug fixes, and technical support. That means new vulnerabilities discovered after today won’t be fixed, leaving your system increasingly exposed. 

We have been advising people who use UTHSC Windows 10 machines that they need to upgrade. If your personal device was purchased before 2018, the hardware in that device cannot handle the software update to Windows 11. We highly recommend updating your devices to a supported operating system. 

Once security updates stop, any zero-day vulnerability or exploit could leave your device and data at serious risk. (10/14/2025)


Think Before Posting Online

Social media and academic forums are great for connecting, sharing research, or promoting campus life, but they can also expose more than you realize. Posting details about your class schedule, travel plans, research topics, or campus systems can give cybercriminals the clues they need to target you or UTHSC. Attackers often use public information to craft convincing phishing emails or social engineering attempts that seem personal and trustworthy. Before sharing, ask yourself: could this information be used to guess a password, answer a security question, or impersonate you? Keep personal and academic accounts separate when possible, adjust privacy settings regularly, and remember, once something is online, it can be difficult to take back. (10/07/2025)


Outsmarting Phishing on Campus

As promised, the third part in this phishing tip series is about what you can do to outsmart the bad actors who want to steal your information.  

Phishing attacks don’t just target individuals; they target universities because one compromised account can expose research data, student records, or entire systems. Awareness is important, but action is what keeps you and your institution safe:

    • Pause before you click - If an email or text sounds urgent — “your account will be locked” or “respond immediately” — take a moment. Attackers use urgency to bypass your judgment.
    • Verify through official channels - If someone claiming to be IT, a dean, or a vendor emails you with a request, don’t respond to the message directly. Contact them using a known university directory or campus website.
    • Inspect links before opening - Hover over links to see where they actually lead. Look for odd spellings, extra characters, or domains that don’t end in your institution’s official .edu address.
    • Turn on Multi-Factor Authentication (MFA) - We use DUO here on campus, but if you have the opportunity to have MFA on personal accounts, specifically sensitive accounts like banking, use it. Even if your password is stolen, MFA can block unauthorized access. 

Staying alert and taking a few extra seconds to verify can stop a phishing attempt before it becomes a campus-wide problem. (09/30/2025)


Real-World Examples of Phishing - Have You Encountered Some of These?

In part two of a three-part series about Phishing, let's look at some real-life examples that we've seen either in our campus email or in people's personal email.

Phishing is constantly evolving, especially with the use of AI to make these phishes seem legitimate, but the core tactics remain the same - because they work!

Some high-level examples are:

    • The Access Scam – Fake emails warning that an account has been “locked due to suspicious activity.” Victims click to “restore access,” only to land on credential-harvesting sites.
    • Business Email Compromise (BEC) – Attackers impersonate executives and trick finance teams into wiring money. These scams have cost organizations more than $55 billion globally since 2013, according to the FBI.
    • Smishing (SMS Phishing) – Texts claiming to be from banks, shipping companies, or delivery services. These often push users to click a malicious link, either to steal their login information or download malware.
    • Deepfake-Enabled Phishing – Emerging attacks now utilize AI-generated voices or videos to impersonate trusted individuals, making the scam even more difficult to detect.

While some of these scams utilize new technology, scammers are still relying on the same human triggers: urgency, curiosity, authority, or a desire for a reward.

Next week, in the third part of this series, we'll discuss how to outsmart these phishing attempts. (09/23/2025)


Why Phishing Preparedness Still Matters

We are three weeks away from October, which is Cybersecurity Awareness Month. We're taking these few weeks to do a deeper dive into phishing, both to explain why it is still a billion-dollar business and to show how you can protect yourself and loved ones from becoming victims.

Phishing isn't a relic of the early internet. It is a thriving industry because it exploits something technology can't fix - human psychology. Firewalls, endpoint detection, and spam filters stop a lot, but they can't stop you from clicking a link if you are in a hurry or not paying attention. Almost 70% of data breaches involve the human element. The solution is building resilience through awareness and good cyber hygiene habits.

Why Phishing Works: The Psychology at Play

Phishing is successful because it manipulates how our brains make quick decisions. We like to think we're rational, but some of our decision-making is fast, emotional, and automatic. Scammers know this, and they design their messages with these in mind:

  • Urgency and Fear - a warning that your bank account will be frozen, or your email deleted, in 24 hours, creates panic, which short-circuits critical thinking. 
  • Authority and Trust - messages that look like they are from your direct supervisor, or higher up even, exploit our natural tendency to obey authority and want to help. 
  • Scarcity and Reward - limited-time offers, prize notifications, or "first come, first served" opportunities tap into our fear of missing out. 
  • Curiosity and Routine - "view invoice", "track shipment", or "see attachment" messages play on everyday tasks. Usually, the simplest messages can yield the highest click rates. 

This mix of emotional pressure and familiar context keeps phishing an effective means of manipulating people into giving away money or information.

Next week, we'll look at some real-world examples you've probably seen in your daily life. 

Be cautious, stay informed, and report any suspicious communication to abuse@uthsc.edu. (09/16/2025)


Watch out for Homoglyph Attacks

Not all web addresses are what they seem. A homoglyph attack uses look-alike characters to trick you—for example, university.edu vs. unіversity.edu (the “i” in the second link is Cyrillic, not English). At a glance, the sites look identical, but the fake one is designed to steal your login. To stay safe, always hover over links before clicking, type addresses directly into your browser, and use bookmarks for official portals. If something looks suspicious, forward it to abuse@uthsc.edu for examination. 

If you want another example of a homoglyph attack, check out our Phishing webpage.  (09/09/2025)
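
A defender-side check for the look-alike trick described in this tip, as an added example (not UTHSC code): it flags hostnames that mix scripts inside one label or that collapse to a trusted name once look-alike characters are mapped to ASCII. The allow-list, the small confusables table, and the sample links are assumptions constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: the official domain(s) to compare against (placeholder from the tip).
TRUSTED_DOMAINS = {"university.edu"}

# Constructed subset of look-alike characters, not the full Unicode confusables list.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
    "\u0445": "x",  # Cyrillic ha
    "\u0456": "i",  # Cyrillic Byelorussian-Ukrainian i (the one in the tip)
    "\u0458": "j",  # Cyrillic je
    "\u03bf": "o",  # Greek omicron
}


def script_of(ch):
    """First word of the Unicode name (LATIN, CYRILLIC, ...); None for ASCII digits and '-'."""
    if ch.isascii() and not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def mixed_script_labels(host):
    """Return (label, scripts) for each label whose letters come from more than one script."""
    flagged = []
    for label in host.split("."):
        scripts = {script_of(c) for c in label} - {None}
        if len(scripts) > 1:
            flagged.append((label, sorted(scripts)))
    return flagged


def skeleton(host):
    """Replace known look-alikes with the ASCII letter they imitate."""
    return "".join(CONFUSABLES.get(c, c) for c in host.lower())


def is_trusted(host):
    """Exact match or subdomain of an allow-listed domain."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def punycode(host):
    """ASCII (xn--) form of the hostname, which makes hidden characters visible."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def to_unicode(host):
    """Decode xn-- labels so a punycode link is judged by the characters it displays."""
    if host.isascii():
        try:
            return host.encode("ascii").decode("idna")
        except UnicodeError:
            return host
    return host


def assess_link(url):
    """Classify the hostname of a link against the allow-list."""
    host = to_unicode((urlsplit(url).hostname or "").rstrip("."))
    report = {
        "host": host,
        "punycode": punycode(host),
        "mixed": mixed_script_labels(host),
    }
    if is_trusted(host):
        report["verdict"] = "trusted"
    elif is_trusted(skeleton(host)):
        # Catches whole-script look-alikes too, not only mixed-script labels.
        report["verdict"] = "lookalike-of-trusted"
    elif report["mixed"] or not host.isascii():
        report["verdict"] = "suspicious-non-ascii"
    else:
        report["verdict"] = "not-on-allow-list"
    return report


# Constructed sample links (the second-to-last uses Cyrillic U+0456 for the "i").
SAMPLES = [
    "https://university.edu/login",
    "https://portal.university.edu/",
    "https://un\u0456versity.edu/login",
    "https://university.edu.example.net/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        r = assess_link(link)
        print(f"{r['verdict']:22} {r['punycode']}  mixed={r['mixed']}")
```

Printing the punycode form is the practical part: the two addresses that look identical on screen differ as soon as the second is shown as an `xn--` name.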


Helping Older Adults Stay Safe Online

Did you know that older adults are the most frequently targeted group for online scams and lose billions each year? Staying safe online doesn’t require being a computer expert. Simple steps like creating strong passwords, spotting scams early, and keeping devices updated can make a big difference.

The National Cybersecurity Alliance has created a free workbook with clear, practical advice, no scare tactics or tech jargon. It’s designed to help older adults (and those who support them) build good online habits and avoid common scams.

Access the workbook and resources here.
Whether you use these tools for yourself, a parent, or a friend, you’ll gain confidence to enjoy the internet safely. (09/02/2025)


Charging Devices with Unknown (Public) Chargers - Don't Do It!

Would you use a phone charger in a public place labeled as a "charging station"? Depends on how desperate you are?

By using unknown chargers or USB points, you may be a victim of Juice Jacking without even knowing it. Hackers can leave chargers or tamper with public USB charging points in places like cafés, hotels, airports, or train stations. 

The moment you plug in, you think you’re charging your phone, but in reality, you could be giving cybercriminals direct access to your data. They can:

    • Copy personal files, photos, or contacts
    • Steal login details and financial information
    • Install malware that tracks your activity long after you unplug

It sounds far-fetched, but it happens more than you think. Something as innocent as topping up your battery in a public space can create a serious security risk.

How to stay safe? 

    • Always use your own charger and plug into a mains socket
    • Carry a portable power bank for backup
    • If you must use a public USB port, consider a USB “data blocker”

Cyber threats aren’t always sophisticated or high-tech; sometimes they’re hiding in plain sight, waiting for us to make a quick, convenient choice.

Stay alert. Protect your data. (08/26/2025)


Double-Check Login Pages

Phishing attempts often disguise themselves as legitimate university login portals. Attackers may send emails or texts with urgent messages, like “Your account will be locked” or “Verify your information now”, leading to a fake login page that looks nearly identical to the real one. Before entering your credentials, always look closely at the web address. Official UT systems will use our institution’s domain (such as *.edu) and should show a secure connection (https://). Never log in from an unexpected link in an email or message. Go directly to the university’s official website or the application's webpage instead. If something feels off, report it to ITS before you click. If it is a communication you can forward, send it to abuse@uthsc.edu, or call the ITS Service Desk at 901.448.2222 for assistance.  (08/19/2025)


Start the Semester with Cybersecurity in Mind

A new semester means new classes, new logins, and new opportunities for cybercriminals to target our campus community. Be cautious with any email or text asking you to verify your account, update your password, or claim a “student refund” or a too-good-to-be-true job opportunity. These are common phishing scams at the start of the academic year. Always log into UTHSC systems through official portals—not links in messages. Use strong, unique passwords to protect both your UT and personal accounts. Staying vigilant now will help keep your personal information, coursework, and research safe all semester long. (08/12/2025)


Clean Up Old Accounts

Throughout your time at a university, whether as a student, faculty, or staff member, you’ll likely create dozens of accounts for online tools, conference platforms, learning resources, or class projects. Once those courses end or the project wraps up, it’s easy to forget about them. But these old accounts can pose a serious cybersecurity risk if they are left active and unsecured. If any of those services are breached, attackers could access personal or institutional information or use password reuse to target other accounts, including your university login. Make it a habit to periodically review your accounts, delete ones you no longer need, and use a password manager to track them. Always use strong, unique passwords, and never use your university credentials for third-party sites unless officially approved. Cleaning up your digital footprint reduces your exposure and strengthens both personal and university security. (08/05/2025)


Keep Your University Email Professional and Secure

Your university email address isn’t just a communication tool—it’s a representation of your role within the institution, whether you're a student, faculty member, or staff. It’s often used to access university systems, submit academic work, collaborate on research, or handle sensitive data like student records or grant information. It’s critical to use it carefully and keep it secure. Avoid signing up for personal services, mailing lists, or third-party apps with your .edu account. These can increase your exposure to spam, phishing, or data breaches. Never forward institutional or sensitive emails to personal accounts or share your login credentials with others. If your email is ever compromised, it can be used to impersonate you, spread phishing attacks, or access restricted university resources. (07/29/2025)


Watch & Learn: Social Engineering in 1 Minute!

This week’s tip is a little different—because we know everyone learns in different ways. Instead of reading a tip, watch one!

In just 1 minute and 16 seconds, this short training video explains how social engineers manipulate people to get sensitive information—and how you can stop them.

It’s quick, it’s clear, and it’s definitely worth your time to help you stay safer:  Watch the video now   (07/22/2025)


Lock Devices in Shared Spaces

University campuses, even ours, are full of shared and open-access spaces— the library, study lounges, classrooms, labs, and places like GEB and the SAC. It only takes a few seconds for someone to swipe an unattended laptop, tablet, or phone. Always lock your screen when stepping away, even briefly. Better yet, take your device with you. Enable full-disk encryption and configure automatic screen lock after a short period of inactivity to protect the data on your device. Faculty and researchers should be especially cautious—lost devices can expose sensitive research, student records, or personal files. Students are also at risk if classwork, financial data, or login credentials are compromised. Think of your device like your wallet: never leave it unguarded in public. (07/15/2025)


Beware of Impersonation Scams

Cybercriminals often pose as university leaders, like deans, department chairs, or even the chancellor, to trick you into sending money, gift cards, or confidential information. These emails may appear urgent, casual, or oddly brief, often asking you to “do a quick favor” or respond right away. Watch for red flags, such as unfamiliar email addresses, requests for secrecy, or unusual grammar. Even if a message seems to come from someone you know, verify before taking action, especially if money or sensitive information is involved. Use a known phone number or university directory to contact the sender directly. Never reply to suspicious messages or click unknown links. When in doubt, report it to abuse@uthsc.edu for examination. (07/08/2025)


Think Before You Click - Even on Prime Day

Always verify the sender before trusting an email or social media post. Cybercriminals often impersonate trusted brands like Amazon, especially around major events like Prime Day. A post or email may look like it's from Amazon, but on closer inspection, the sender’s address or URL might reveal it’s actually from a third-party scammer trying to steal your personal information.

Before clicking any links, hover over them to inspect the URL, and never enter login or payment information from suspicious sources. When in doubt, go directly to the official website instead of following a link. Scammers love Prime Day — don’t let them love your data too. (07/01/2025)


Don’t Reuse University Credentials (NetID and Password)

Reusing the same username and password is very convenient, but not secure. It’s tempting to use the same email and password combination across multiple websites, but reusing your university credentials outside of official systems puts the entire campus at risk. If a third-party site is breached (and many are), attackers can test those credentials against university systems to gain access to sensitive data, research, or personal information. This technique, known as credential stuffing, is one of the most common ways attackers break into UT accounts. Always use a unique, strong password for your university login, and never enter your .edu email and password on non-university platforms. Better yet, use a password manager to keep things secure and organized. (06/24/2025)


Protect All Your Personal Information

When it comes to cybersecurity, protecting more than just your passwords and credit card details is crucial. Every piece of personal information—like your address, date of birth, or even seemingly harmless details such as your pet’s name—can be compiled by cybercriminals to commit identity theft or other malicious activities.

Why It Matters:

  • Identity Theft: Hackers can use multiple data points to impersonate you and access sensitive accounts.
  • Social Engineering: Even small details can be exploited to manipulate you or others into revealing more critical information.
  • Targeted Scams: Personalized scams become easier when criminals know more about you.

How to Stay Safe:

  1. Limit Sharing: Be cautious about sharing personal details online, especially on social media.
  2. Use Privacy Settings: Adjust privacy settings on your accounts to restrict who can see your information.
  3. Be Skeptical: Question why someone is asking for your information and verify their legitimacy.
  4. Secure All Data: Protect not just financial data but all personal details with strong passwords and encryption.

By safeguarding all aspects of your personal information, you reduce the risk of becoming a target for cybercriminals. Stay vigilant and protect your digital footprint! (06/17/2025)


Texting Scams On the Rise

Scams received via text, or SMS messaging, are called smishing. This type of scam is on the rise as cybercriminals increasingly use text messages to trick individuals into revealing sensitive information or clicking malicious links. 

Over the weekend, my husband informed me of a text he received from the Tennessee Department of Motor Vehicles (DMV) stating that he had an outstanding traffic ticket. If he didn't pay it within 24 hours, penalties could be as severe as the suspension of driving privileges for 30 days. 

What are the red flags with this text? #1 - the DMV doesn't keep a list of traffic tickets; those are in the hands of the jurisdiction of the officers who wrote them. #2 - sense of urgency. #3 - it came from an unofficial sender. #4 - the government doesn't use text messaging to contact people; they use official, written documentation mailed to you.

Protect yourself from these types of scams the same way you've been taught with phishing emails. Verify the source, avoid clicking links or calling the phone numbers provided in the text, and don't continue the conversation via text. Block the number, and if possible, report the incident to your carrier.  (06/10/2025)


Dedicated Email Time (What??)

How often do you find yourself juggling a million things at once? Multitasking has become the norm in today's world. But here’s a secret: when it comes to email, especially with sneaky phishing attacks on the rise, being too distracted can make you more vulnerable.

Those clever phishing emails are designed to look legitimate and create a sense of urgency. If you’re stressed, rushing, or just not giving your full attention to an email, you’re much more likely to miss those tell-tale red flags – a weird sender address, a slightly off logo, or a suspicious link. Even the most tech-savvy folks can fall for a well-crafted phishing scam when they’re trying to do too many things at once.

The solution is simpler than you might think: dedicate specific time to your inbox and eliminate distractions. 

Pick a few specific times each day (e.g., 9 AM, 1 PM, 4 PM) when you only focus on your email. Close other tabs, silence other alerts, and give your inbox your full, undivided attention. This allows you to carefully read emails, spot anything suspicious, and respond thoughtfully. (06/03/2025)


Importance of Backing Up Your Data

Data loss can happen unexpectedly through hardware failure, accidental deletion, malware attacks like ransomware, or even natural disasters. Backing up your data ensures you can recover important files, avoid paying ransoms, and maintain business continuity.

Why It Matters:
Ransomware can lock you out of your data. Without a backup, you could lose everything. Regular backups act as your safety net, allowing you to restore files without depending on hackers or luck.

Smart Ways to Back Up Your Data:

  • External Drives: Use USB drives or external hard drives for offline backups. Disconnect them after backing up to prevent malware access.
  • Cloud Storage: Services like Google Drive, Dropbox, iCloud, or OneDrive provide easy, off-site backup solutions with version history.
  • Automated Backup Software: Set scheduled backups using tools like Mac Time Machine, Windows File History, or third-party apps like Acronis or Backblaze.
  • 3-2-1 Rule: Keep 3 copies of your data—2 on different devices or media, and 1 off-site (like the cloud).

Backups are boring until you need them—then they’re a lifesaver. Make it a habit! (05/27/2025)


Protecting Your Personal Devices

While most of these tips are to protect UT Health Science Center and our assets, we do care about your personal devices and their protection. To keep your personal devices secure, follow these essential tips:

  1. Use Strong Passwords: Create unique and complex passwords for each device and account. Avoid using easily guessable information like birthdays or common words.
  2. Enable Two-Factor Authentication (2FA): Enabling 2FA on your accounts adds an extra layer of security. This requires a second form of verification, such as a code sent to your phone.
  3. Keep Software Updated: Regularly update your device’s operating system and applications to patch any security vulnerabilities.
  4. Install Security Software: Use reputable antivirus and anti-malware software to protect against threats.
  5. Be Cautious with Public Wi-Fi: Avoid accessing sensitive information over public Wi-Fi networks. Use a VPN (Virtual Private Network) for a secure connection.
  6. Back Up Your Data: Regularly back up important data to a secure location, such as an external hard drive or cloud storage, to prevent data loss in case of an attack.
  7. Beware of Phishing Scams: Be cautious of unsolicited emails, messages, or links that ask for personal information. Verify the source before clicking on any links.

By following these steps, you can significantly enhance the security of your personal devices and protect your sensitive information from cyber threats. You can find more information on our Protect Yourself webpage. Stay vigilant and secure! (05/20/2025)


Be Careful When Signing Into Apps With Social Media Accounts

Avoid using your social media accounts (like Facebook or Google) to sign into apps or websites. While it's convenient, it creates a single point of failure — if that social account is ever hacked, every connected app could be compromised too. Another issue is information sharing between that app and your social media account. This might include your name, email address, friends list, and even your likes and interests. This should be a privacy concern for you.  Instead of using these social media accounts, create separate logins with strong, unique passwords to reduce risk and better control your information.  (05/13/2025)


Understanding and Spotting Deepfakes

Deepfakes are synthetic media—usually videos or audio—created using AI to mimic real people’s faces, voices, or actions. They're a growing cybersecurity concern because they can be used for impersonation, fraud, or spreading misinformation. To spot a deepfake, look for unnatural facial movements, inconsistent lighting, mismatched audio and lip-sync, or strange blinking patterns. Always verify suspicious content from a trusted source before believing or sharing it.

By staying vigilant and informed, you can better protect yourself from the potential threats posed by deepfakes. (05/06/2025)


Discounted phone, TV, or internet services if you pay with a gift card? No, it’s a scam

Have you gotten a robocall about a discount on phone, TV, or internet services? Scammers are pretending to be businesses and making robocalls about “discounted services” if you pay with a gift card. It’s a scam. Here’s how the scam works so you can avoid it.

You get an unexpected robocall from someone who says they’re with a company like AT&T, Spectrum, or Comcast Xfinity. They say there’s a 40-50% discount available if you act now. They might say the discount is for future bills, service bundles, or even products like a new Apple Watch — but then they say you have to buy a gift card and pay them up front by giving them the gift card numbers to secure the offer. That’s a scam. They might also ask you to confirm your account information to apply the discount, but if you do, they could use that info to hack into your account.

To avoid a scam like this:

  • Take your time. Scammers pressure you to act fast. They don’t want you to have time to think about what they’re saying. Take your time to be sure you understand the offer.
  • Check it out. To confirm the offer is real, reach out to the company that’s supposedly offering the promotion. But use a phone number or website you know is right — not the number in the robocall message.
  • Know how scammers tell you to pay. Gift cards are for gifts, not for payments. Only scammers will tell you to pay with gift cards.

Already paid or gave your information to a scammer? Read What To Do if You Were Scammed to find out what to do next. And tell the FTC at ReportFraud.ftc.gov.  (04/29/2025)


Beware of Unverified QR Codes

Think before you scan — cybercriminals can create fake QR codes that lead to malicious websites, steal your data, or install malware on your device. Only scan codes from trusted sources, and always preview the link before opening it. Stay smart, stay safe! (04/22/2025)


Protecting Your Taxes on Tax Day

As Tax Day is upon us, it’s crucial to be vigilant about the security of your tax information. Cybercriminals often exploit this time to launch scams and phishing attacks aimed at stealing personal and financial data. Here are some tips to keep your tax information secure:

  1. Verify Sources: Only use trusted and secure websites for filing taxes or accessing tax-related information. Look for URLs that start with “https://”.
  2. Beware of Phishing Scams: Be cautious of unsolicited emails or messages claiming to be from the IRS or tax services. Do not click on links or download attachments from unknown sources.
  3. Use Strong Passwords: Ensure that your accounts related to tax filing are protected with strong, unique passwords.
  4. Enable Two-Factor Authentication (2FA): Add an extra layer of security by enabling 2FA on your accounts.
  5. Monitor Your Accounts: Regularly check your financial accounts for any unauthorized transactions or suspicious activity.

By following these tips, you can help protect your personal and financial information during tax season. Stay safe and secure! (04/15/2025)


Using AI Applications and Data Privacy

As AI applications become more integrated into our daily activities, it’s crucial to be mindful of data privacy. Here are some tips to protect your data when using AI technologies:

  • Limit Data Sharing: Be cautious about the data you input into AI applications and avoid sharing sensitive information unnecessarily.
  • Know Your Data Classification: Never put sensitive or protected data into a public generative AI tool, and be very cautious about what you input even into a private tool. You might not know how un-private it could be.
  • Understand Permissions: Review the permissions requested by AI applications and ensure they are necessary for the app’s functionality.
  • Stay Informed: Keep up-to-date with best practices for data privacy and AI usage.
  • Use Trusted Sources: Only download AI applications from reputable sources to reduce the risk of data breaches.

By following these guidelines, you can leverage AI technologies while safeguarding your personal information. Stay vigilant and protect your data! (04/08/2025)


Don’t Be Fooled by Social Engineering and Phishing Scams This April Fools’ Day

April Fools’ Day is a time for fun and pranks, but it’s also a prime opportunity for cybercriminals to launch social engineering and phishing scams. Here are some tips to help you stay vigilant and avoid falling victim to these tricks:

  1. Verify the Source: Be cautious of unexpected emails, messages, or calls, even if they appear to come from trusted sources. Always verify the sender’s identity before clicking on links or providing any information.
  2. Look for Red Flags: Watch out for generic greetings, urgent requests, or suspicious attachments. These are common tactics used by scammers to create a sense of urgency and trick you into acting quickly.
  3. Check URLs Carefully: Hover over links to see the actual URL before clicking. Ensure it leads to a legitimate website and not a spoofed or malicious site.
  4. Use Security Software: Keep your antivirus and anti-malware software updated to detect and block potential threats.
  5. Educate Yourself and Others: Stay informed about common phishing tactics and share this knowledge with friends, family, and colleagues.

By staying alert and following these tips, you can enjoy April Fools’ Day without being fooled by cybercriminals. Stay safe online! (04/01/2025)


Protecting Your Smartphone from Scams

Have you gotten a text about an undelivered Amazon package? How about one from UPS? Smartphones are increasingly becoming targets for scams due to their widespread use and the sensitive information they contain. Be cautious of phishing texts (smishing), fake apps, and suspicious links sent via SMS or messaging apps. Never click on unknown links, and always verify the sender. Enable two-factor authentication (2FA) and keep your device updated to stay protected. By following these steps, you can help safeguard your smartphone against potential scams and keep your personal information secure. Stay vigilant! (03/25/2025)


Understanding the Revised Acceptable Use of IT Resources Policy

The University of Tennessee has recently revised its Information Technology Policies, including the Acceptable Use Policy. Please take a moment to review the updated policy to ensure your understanding and to protect your data. While incidental or casual personal use is allowed, the best action is to separate work and personal activities on different devices. Stay digitally secure! (03/18/2025)


Be Cautious Downloading "Free" PDF Software

Some free PDF tools, like Smart PDF Pro, may come bundled with potentially unwanted programs (PUPs) such as the OneStart.ai browser, which can hijack your search engine, track browsing habits, and degrade system performance. Many of these issues arise when users download such software while working remotely, where our firewall can’t block these unwanted programs. Instead of risky free tools, remember that UT provides licensed Adobe software that is already paid for and safe to use. Always download software from trusted sources, read installation prompts carefully, and use reputable antivirus software to detect and block PUPs. (03/11/2025)


Avoid Tax Scams

It's tax season! Cybercriminals tend to focus on phishing scams related to tax season, posing as the IRS or tax professionals. Beware of emails, texts, or calls claiming you owe taxes or are due a refund,  especially if they demand urgent action or request personal information. The IRS never initiates contact via email, text, or social media. Always verify tax-related messages by visiting the official IRS website (irs.gov), and never click on suspicious links or attachments. Stay alert and protect your financial data! (03/04/2025)


Beware of Phishing Emails from Local Organizations

Phishing is a deceptive technique cybercriminals use to trick individuals into revealing sensitive information, such as login credentials, or installing malware on their devices. Sometimes they come from local businesses or organizations. These emails can be especially convincing because they exploit the trust and familiarity people have with these entities.

Remember that anyone’s email account can be compromised, so an email coming from a legitimate address doesn’t mean that cybercriminals aren’t in control of that account. If there is an attachment or a link you are not expecting, verify the source by contacting that organization directly using a known and trusted method. That means don’t call the phone number in the suspicious email; look up contact information on the organization’s official website instead. (02/25/2025)


Beware of Malware-Injected CAPTCHA pages

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a security measure that verifies a user is human and not a computer. You've seen these boxes you need to click to confirm "I am not a robot". However, cybercriminals increasingly use fake CAPTCHA pages to trick users into downloading malware. These deceptive pages often appear when visiting compromised websites or through phishing links. They may prompt you to download a supposed "verification" file, often laced with malware.

What to watch for:

  • Unusual CAPTCHA behavior - real CAPTCHAs don't ask you to download files. If one does, it's a scam.
  • Mismatched branding - look for inconsistencies in logos, fonts, URLs, or webpage structure.
  • Unexpected redirects - if a CAPTCHA leads you to a random download, exit immediately.

By staying vigilant and following these tips, you can protect yourself from falling victim to malware hidden in CAPTCHA pages. Stay safe online! (02/18/2025)


Smishing: Text Messaging Scams - What You Need To Know

Just like phishing emails, "smishing" attacks use deceptive tactics to trick people into revealing personal or financial information or downloading malicious software. But instead of targeting inboxes, these scams arrive via text message.

How Smishing Attacks Work:

  • Spoofed Numbers: Scammers often use spoofed phone numbers to make it appear as though the message is from a legitimate source, like your bank or a delivery service.
  • Urgent Messages: Smishing attacks often create a sense of urgency, urging you to click on a link or take immediate action.
  • Shortened Links: Be wary of links that are shortened using services like bit.ly or goo.gl. These links can mask the true destination of the website.
  • Requests for Personal Information: Scammers may ask for your Social Security number, bank account details, or other sensitive information.

How to Protect Yourself:

  • Be Skeptical of Unexpected Texts: Don’t click on links or download attachments from unexpected text messages, even if they appear to be from a legitimate source.
  • Verify Information: If you receive a text message requesting personal information, verify the request by contacting the organization directly through a known phone number or official website.
  • Use a Strong Password: Create a strong, unique password for your mobile device and enable two-factor authentication.
  • Report Suspicious Texts: Report suspicious text messages to your mobile carrier and the Federal Trade Commission (FTC).

By being vigilant and following these tips, you can protect yourself from smishing attacks and keep your personal information safe. (02/07/2025)


Data Privacy Awareness

You may not have been aware, but this past week was Data Privacy Week, a week dedicated to empowering individuals and businesses to respect privacy, safeguard data, and enable trust. It is only appropriate that this week's tip is on data privacy. 

To protect your data privacy, knowing where your personal information is stored and shared is crucial. Here are some key points to consider:

  1. Know Where Your Data Is: Regularly review the apps and services you use to understand what data they collect and how they store it.
  2. Limit Data Sharing: Be cautious about sharing personal information online or with third-party services. Only provide necessary details and avoid oversharing.
  3. Review Privacy Settings: Check and adjust the privacy settings on your devices, apps, and social media accounts to control who can access your information.
  4. Read Privacy Policies: Take the time to read the privacy policies of the services you use to understand how your data is being used and protected.

By staying informed and mindful of where your data is and how it's shared, you can better protect your privacy and reduce the risk of unauthorized access. (01/31/2025)


Securing Smart Home Devices

Maybe your home has a doorbell camera, or a thermostat you can adjust via an app. Maybe you have a baby monitor you can check from anywhere, or an oven you can turn on when not at home. These smart home devices are internet-connected devices and appliances designed to make our homes more efficient, comfortable and sometimes even more secure. However, this convenience also comes with risks if the devices are not properly secured. When these devices are hacked, intruders can access your personal information, spy on your daily activities, and even control the physical devices inside your home.

To keep your smart home devices secure, follow these essential tips:

  1. Change Default Passwords: Always change the default passwords on your devices to strong, unique passwords.
  2. Enable Two-Factor Authentication (2FA): Use 2FA where available to add an extra layer of security.
  3. Keep Software Updated: Regularly update the firmware and software of your devices to protect against vulnerabilities.
  4. Secure Your Network: Use a strong password for your Wi-Fi network and consider setting up a separate network for your smart devices.
  5. Disable Unused Features: Turn off features you don’t use, such as remote access, to reduce potential entry points for attackers.

By following these steps, you can significantly enhance the security of your smart home environment. (01/24/2025)


Protect Yourself from Credential Stuffing

Last week's tip about Credential Phishing mentioned Credential Stuffing. This type of cyber attack takes username/password pairs, or "credentials," from past data breaches and attempts to use that same pair to gain access to other accounts for that user.

To stay safe:

  • Use unique passwords for every account.
  • Enable multi-factor authentication (MFA) wherever possible.
  • Monitor for suspicious logins and unauthorized activity.
  • Consider a password manager to generate and store strong, unique passwords.

Reusing passwords makes you an easy target. Stay one step ahead by keeping your credentials secure! (01/17/2025)
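
For readers who review login logs, here is one way the "monitor for suspicious logins" advice can be turned into a check. This is an added example, not UTHSC code: the log format, function names, and thresholds are assumptions, and the sample lines are constructed.

```python
"""Flag likely credential stuffing in an authentication log (added example).

Assumed log format, invented for this example:
    <UTC timestamp> <OK|FAIL> user=<name> ip=<address>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample data; the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-01-17T08:00:01Z FAIL user=alice ip=203.0.113.7
2025-01-17T08:00:03Z FAIL user=bob ip=203.0.113.7
2025-01-17T08:00:04Z FAIL user=grace ip=198.51.100.20
2025-01-17T08:00:06Z FAIL user=carol ip=203.0.113.7
2025-01-17T08:00:09Z FAIL user=grace ip=198.51.100.20
2025-01-17T08:00:10Z FAIL user=dave ip=203.0.113.7
this line is malformed and must be skipped
2025-01-17T08:00:12Z FAIL user=erin ip=203.0.113.7
2025-01-17T08:00:15Z OK user=frank ip=203.0.113.7
2025-01-17T08:00:20Z OK user=grace ip=198.51.100.20
"""


def parse(log_text):
    """Return time-sorted (timestamp, result, user, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of crashing
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return sorted(events)


def find_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: {"targeted": set, "logged_in": set}} for suspicious sources.

    One person mistyping a password fails repeatedly on ONE account.
    Credential stuffing fails on MANY different accounts from one source,
    because each breached username/password pair is tried once.
    """
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event[3]].append(event)

    findings = {}
    for ip, evs in by_ip.items():
        start, flagged = 0, False
        for end in range(len(evs)):
            # Slide the window so it never spans more than `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            failed_users = {e[2] for e in evs[start:end + 1] if e[1] == "FAIL"}
            if len(failed_users) >= min_users:
                flagged = True
                break
        if flagged:
            findings[ip] = {
                "targeted": {e[2] for e in evs},
                # A success from a flagged source means a reused password
                # worked: that account needs a reset and a session review.
                "logged_in": {e[2] for e in evs if e[1] == "OK"},
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, "targeted:", sorted(info["targeted"]),
              "logged in:", sorted(info["logged_in"]))
```

In the sample, grace's three attempts from her own address are ignored, while the single source that walks through six accounts is flagged along with the one account where the reused password worked.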


Beware of Credential Phishing

Credential phishing is a cyberattack where scammers trick you into revealing your login credentials, such as usernames (NetID) and passwords. These attacks typically come in the form of fake emails, text messages, or websites designed to look legitimate. These scams have increased over 700% in the second half of 2024. 

Why Should You Care?
If attackers gain access to your credentials, they can:

  • Steal sensitive information: Access your email, bank accounts, or UTHSC systems.
  • Compromise your identity: Impersonate you to commit fraud or target others.
  • Gain more access to your life: If you use the same password across multiple accounts, scammers will try those same email and password combinations on other platforms. This is called Credential Stuffing, which will be explained in next week's tip. 

How to Protect Yourself:

  1. Verify Links: Hover over links to check their actual destination before clicking.
  2. Be Skeptical: Watch for generic greetings, urgent requests, or unexpected attachments.
  3. Use Multi-Factor Authentication (MFA): Even if your password is compromised, MFA adds an extra layer of protection.
  4. Report Suspicious Activity: If the activity is related to UTHSC, forward the suspicious communication to abuse@uthsc.edu. If it concerns a personal account, contact the owner or business of that account, e.g., your bank, social media account, etc. 

Staying vigilant can protect both you and UTHSC from significant harm! (01/10/2025)
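
The "Verify Links" step above can also be automated when reviewing a reported message. The following is an added example, not UTHSC code: the function names are hypothetical and the sample email is constructed. It compares the address a link displays with the host it actually points to.

```python
"""Compare the address a link SHOWS with where it GOES (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body; example.net/.org are reserved domains.
SAMPLE_EMAIL = """
<p>Your NetID password expires today. Sign in to keep access:</p>
<a href="https://login.example.net/reset">https://uthsc.edu/password</a>
<a href="https://www.uthsc.edu/its/">uthsc.edu</a>
<a href="https://uthsc.edu.example.net/">uthsc.edu</a>
<a href="https://example.org/news">Read more</a>
"""


class LinkCollector(HTMLParser):
    """Collect (visible_text, href) for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _norm(host):
    """Lowercase, drop a trailing dot and a leading 'www.'."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def shown_host(text):
    """Hostname the visible text claims, or None if it is not an address."""
    text = text.strip()
    if not text or any(c.isspace() for c in text):
        return None  # ordinary wording such as "Read more"
    try:
        host = urlsplit(text if "://" in text else "//" + text).hostname
    except ValueError:
        return None
    host = _norm(host)
    return host if "." in host else None


def suspicious_links(html):
    """Return (shown_host, actual_host) pairs where the two disagree."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for text, href in collector.links:
        try:
            parts = urlsplit(href)
        except ValueError:
            continue
        if parts.scheme not in ("http", "https"):
            continue
        actual, shown = _norm(parts.hostname), shown_host(text)
        # The real host must BE the shown host or a subdomain of it.
        # A substring test would wrongly accept uthsc.edu.example.net.
        if shown and actual and actual != shown \
                and not actual.endswith("." + shown):
            findings.append((shown, actual))
    return findings


if __name__ == "__main__":
    for shown, actual in suspicious_links(SAMPLE_EMAIL):
        print(f"shows {shown} but goes to {actual}")
```

Links whose visible text is plain wording ("Read more") are not judged by this check, so hovering over them remains necessary.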


Stick to Approved Sources for Software

When it’s time to download a web browser or any common application or software, always use approved software libraries like SCCM or Company Portal for Windows, or Self Service for Apple devices. These trusted sources ensure you get legitimate, up-to-date software without hidden malware or vulnerabilities. Avoid clicking on links from unknown websites—what looks like a harmless download could be a trap. Downloads from webpages often include other software you don’t want or need. Protect your system and data by keeping it clean, secure, and sourced from reliable repositories.

For UTHSC-owned Windows devices, you have SCCM or Company Portal as your library. Search for either by clicking the Windows icon in the lower left-hand corner of your screen and start typing to find which one you have.  For Macs, open the Self Service application, which appears on your Dock, or in your Applications folder. (01/03/2025)

2024

Invite Cybersecurity to Your Holiday Gatherings

There’s always so much to remember around the holiday season, and it’s all very important. But one item you don’t want to forget is cybersecurity. This holiday season, keep cybersecurity at the forefront of your mind while you are scouring the web for deals, wrapping goodies, and supporting your community. These simple reminders will help you keep your data safe and make your holidays happy.

Too good to be true
Online ads and tempting deals can be enticing, but they can also be traps. Beware of offers that seem too good to be true. Hackers place advertisements all over, even on social media, and those links could lead you right into a holiday data-stealing trap! Stick to well-known, reputable websites and sellers.

Secure your gift cards
Be cautious when websites or vendors insist on payment through gift cards. Scammers often prefer this method, as it’s difficult to trace and recover gift card funds. Legitimate sellers should accept conventional payment methods. If you are only given the option of using a gift card, stop the payment process and find a different website to shop from!

Don’t know it? Don’t trust it!
When shopping online, stick to trusted sources and known retailers. Avoid visiting random or suspicious websites. Choose established e-commerce platforms and stores with a track record of reliability. If you need to check on shipping and delivery updates, you can go back to the trusted site to review those and dismiss any phony alerts you may receive.

Protect your new gadgets
Getting a new gadget is always exciting, but it’s important to be smart about how you use it. Hackers know about Internet of Things (IoT) devices and how to access them. Be sure to follow best practices when firing up these new toys. Change the default password, check all security settings, disable any unnecessary permissions, and keep it up to date to safely enjoy your devices.  (12/20/2024)


Looking for a Charity?

In this season of giving, you might be looking for a reputable charity to donate to. However, many scammers are pretending to be charities that will take your money and do no good with it.

Charity Navigator provides free access to data, tools, and resources to guide philanthropic decision-making. Using a tool like Charity Navigator can help you ensure that your donations are going to a legitimate charity, keeping you, your data, and your money safe from scammers this holiday season.

Visit it at https://www.charitynavigator.org/discover-charities/  (12/12/2024)


How to Avoid Scams

We warn about scams a lot. There are many out there, from romance scams to Amazon or UPS delivery scams, from Grandparents (or elderly) scams to tech support scams.  While these scams follow different playbooks, they have common red flags that, if you can recognize them, will help you avoid these scams.

  • Never text back if the message was unexpected. Don’t even tell them they have the wrong number.
  • Hang up and call back. If you receive an unexpected phone call from a loved one, law enforcement, or someone else claiming authority, hang up and call back through a number from your contacts list or verify through a web search.
  • Have a safe word. Talk to your family and agree to a safe word or phrase that could be used if someone is distressed during a phone call. If you get an unsettling phone call from a loved one, ask for the safe word. Never post this information online or send it through text or email.
  • Refuse to pay the suspicious way. Scammers generally request payment in forms like gift cards, crypto, or wire transfers, so any request to pay these ways is a red flag.
  • Be wary of social media and dating apps. Scammers pose as genuine users on these platforms to connect with potential victims.

If you suspect that you or someone you know is the victim of a scam, stop sending money immediately and end contact. The scammer might become threatening, angry, or attempt to make you feel guilty, but this is a persuasion technique and you have the power.

Don’t delete messages – take screenshots for evidence. 

Report that you’re a victim of a scam to:

  • Your bank or other financial institution
  • ic3.gov
  • Your local police department
  • If it is UT Health Science Center-related, forward it to abuse@uthsc.edu  (12/06/2024)

Be Suspicious of Holiday-Themed Emails

As this year’s holiday season starts, don’t let your guard down with holiday-themed emails! Cybercriminals often use fake party invitations, charity requests, or travel confirmations to trick you. Always verify links and attachments before clicking—think twice, celebrate safely! (11/27/2024)


How to Create a Strong Password

Time and time again, we tell you to use strong passwords to protect your information. But just how do you do that?  Here are some tips to get you started:

  • Think passphrase, not password. Use a combination of four or five unrelated words you can easily remember but others can’t guess. For example: “TacoRainBikeJazz!”
  • Add complexity: Include a mix of uppercase, lowercase, numbers, and special characters.
    • Side note – the first letter doesn’t need to be the one capitalized – Tiger might be easily guessed, but would tiGer?
  • Keep it long: Aim for at least 12-16 characters.
  • Avoid personal info: No names, birthdays, or obvious patterns.

Example: “Blue$Lion99@Moon” is strong, memorable, and secure!

Bonus Tip: Use a password manager to store unique passwords for every account! (11/22/2024)


Holiday Shopping

How did it get to be the middle of November already? Have you started your holiday shopping yet?  Feeling just a little bit panicked? Unfortunately, this time of year is when scammers will attempt to lure you into clicking on links for "too good to be true" deals, visiting unsecured websites, and stealing your hard-earned money. Here are some tips for staying safe while shopping online. 

  • Shop on Secure Websites: Look for URLs that start with "https://". However, know that scammers will build websites that have these security features, so don't just stop here!
  • Use Strong Passwords: Create unique, strong passwords for your shopping accounts and enable multi-factor authentication (MFA) where possible.
  • Avoid Public Wi-Fi: Refrain from making purchases over public Wi-Fi networks, which can be less secure. If necessary, use a VPN to encrypt your connection.
  • Monitor Your Accounts: Regularly check your bank statements and credit card activity for any unauthorized transactions.
  • Be Wary of Deals Too Good to Be True: Scammers often lure shoppers with unbelievable offers. Stick to reputable retailers and verify deals before purchasing.

The Office of Cybersecurity has a Holiday Scam webpage to advise you on the latest holiday scams to be cautious about.  (11/15/2024)


Staying Safe on Social Media

Protect Your Personal Information
To stay safe on social media, managing your privacy settings and being cautious about sharing personal details is essential. Avoid posting sensitive information like your home address, phone number, or financial details.

Use Strong Passwords and MFA
Always use strong, unique passwords for each social media account and enable multi-factor authentication (MFA) when available. This adds an extra layer of security against unauthorized access.

Be Wary of Phishing Scams
Stay vigilant against phishing attempts by being cautious with unsolicited messages or friend requests from unknown individuals. Verify the authenticity before clicking on links or downloading attachments.

By following these tips, you can significantly enhance your online safety while enjoying the benefits of social media. Stay proactive in protecting your personal information from cyber threats! (11/08/2024)


Safeguarding Mobile Devices from Social Engineering Attacks

With the growing reliance on mobile devices for accessing work-related information, we all must remain vigilant against social engineering attacks targeting these devices.

With 16+ billion mobile devices in use worldwide, new data reveals how bad actors are shifting focus from the standard email phishing attempts to mobile devices. Zimperium's 2024 Global Mobile Threat Report states some interesting statistics:

    • The average smartphone has 80 apps installed, with 5-11 being work-related
    • 85% of the apps on the device are personal apps that all have some potential impact on the organization's risk exposure

Key Tips for Using Mobile Devices Securely

1. Stay Alert to Phishing Attempts

      • Be cautious of unexpected emails, text messages, or app notifications asking for personal or work-related information.
      • Verify the sender’s identity independently before clicking on links or downloading attachments.

2. Use Strong Authentication Methods

      • Enable multi-factor authentication (MFA) on all accounts accessed via your mobile device.
      • Use biometrics (e.g., fingerprint or facial recognition) and strong passwords to enhance security.

3. Keep Your Device Updated

      • Regularly update your device’s operating system and apps to protect against known vulnerabilities.
      • Enable automatic updates when possible to ensure you receive the latest security patches promptly.

4. Install Security Software

      • Use reputable antivirus and anti-malware apps designed specifically for mobile devices.
      • Configure the software to perform regular scans and monitor for suspicious activity.

5. Be Wary of Public Wi-Fi Networks

      • Avoid accessing sensitive work information over public Wi-Fi networks, as they can be easily compromised.
      • Use a virtual private network (VPN) if you must connect to public Wi-Fi, ensuring a secure connection.

6. Restrict App Permissions

      • Review and limit app permissions to only what is necessary for functionality.
      • Be cautious of apps requesting access to sensitive data or system functions without a clear need.

7. Report Suspicious Activity Promptly

      • If you suspect your device has been compromised or you have encountered a phishing attempt, report it immediately to the Office of Cybersecurity by contacting itsecurity@uthsc.edu or abuse@uthsc.edu.
      • Quick action can help mitigate potential damage and prevent further exploitation.

Following these tips can significantly reduce the risk of falling victim to social engineering attacks on your mobile device. Stay vigilant and proactive in safeguarding both your personal and work-related information from cyber threats. (11/01/2024)


Why 3rd-party Payment Services Are Safer Than a Credit Card

When it comes to payment methods, using third-party services like Samsung Pay or Google Pay can offer enhanced security features compared to traditional credit card usage. Here’s a breakdown of why these digital wallets might be safer:

1. Tokenization
Third-party payment services use tokenization, which replaces your actual card details with a unique token during transactions. This means your real card information is never shared with merchants, reducing the risk of data breaches.

2. Device-Specific Authentication
Services like Samsung Pay and Google Pay require device-specific authentication methods such as fingerprint scanning, facial recognition, or PIN entry before completing a transaction. This adds an extra layer of security that physical credit cards do not provide.

3. Encrypted Transactions
All transactions made through these services are encrypted from end to end. This ensures that sensitive information is protected throughout the entire process.

4. Reduced Physical Card Usage
Using digital wallets minimizes the need to carry physical cards, which can be lost or stolen. Even if someone gains access to your phone, they still need to bypass biometric or passcode security measures.

5. Real-Time Monitoring and Alerts
These platforms often provide real-time transaction notifications and easy access to recent activity logs, allowing you to spot any unauthorized charges quickly.

Tips for Maximum Security:

    • Enable Two-Factor Authentication: Use two-factor authentication for added security.
    • Monitor Transactions: Regularly check your transaction history for any suspicious activity.
    • Update Software: Keep your device’s software and apps updated to protect against vulnerabilities.
    • Secure Your Device: Use strong passwords and biometric locks on your device.

By leveraging the advanced security features offered by Samsung Pay or Google Pay, coupled with vigilant usage practices, you can enhance your financial safety beyond what traditional credit cards offer. (10/25/2024)


Securing Your Family’s Online Activities

Protect Your Loved Ones Online

In today’s digital age, ensuring your family’s online safety is crucial, whether we’re talking about kids, spouses, parents, or even grandparents. Here are some key practices:

  1. Educate About Threats: Discuss common online threats like phishing, malware, and scams with your family members. Awareness is the first line of defense.
  2. Use Strong Passwords: Encourage everyone to use strong, unique passwords for different accounts and enable multi-factor authentication.
  3. Install Security Software: Make sure all devices have updated antivirus software and firewalls enabled to block malicious activities.
  4. Monitor Online Activity: Keep an eye on your children’s internet usage and set up parental controls to restrict access to inappropriate content. If grandparents aren’t tech savvy, offer to monitor their banking information online and set up alerts for unauthorized activity.
  5. Secure Home Network: Ensure your Wi-Fi network is protected with a strong password and consider using a VPN for added security.

By adopting these practices, you can create a safer online environment for your family. (10/18/2024)


Protect Yourself Against Online Shopping Scams

Shop Smart, Stay Safe

Online shopping offers convenience but can also expose you to scams. Follow these guidelines to protect yourself:

  1. Use Trusted Websites: Shop only on reputable websites. Look for URLs starting with "https://" and check for secure payment options.
  2. Beware of Too-Good-to-Be-True Deals: If an offer seems too good to be true, it probably is. Verify the legitimacy of deals before making a purchase.
  3. Monitor Bank Statements: Regularly review your bank and credit card statements for unauthorized transactions, especially after online purchases.
  4. Protect Personal Information: Never share unnecessary personal information, like Social Security numbers, when shopping online.

By staying vigilant and cautious, you can enjoy the benefits of online shopping while avoiding scams.

Do you learn more by watching a video?  Watch this short 1:35-minute deeper dive into online shopping scams. (10/11/2024)


Reevaluate the Need for Location Services

Location services can be useful for navigation and certain apps, but enabling them unnecessarily poses significant privacy and security risks. Here are some key reasons to reconsider your use of location services:

    1. Privacy Concerns: Constantly sharing your location can expose sensitive information about your daily habits and routines, potentially leading to unwanted tracking or surveillance.
    2. Data Exposure: Applications that access your location data may share this information with third parties, increasing the risk of data breaches or misuse.
    3. Battery Drain: Continuous use of GPS and other location-tracking features can significantly drain your device’s battery life.
    4. Targeted Attacks: Cybercriminals can exploit location data to tailor phishing attacks or physical threats based on your whereabouts.

Best Practices:

    • Review Permissions: Regularly check which apps have access to your location and disable it for those that do not need it.
    • Use ‘While Using the App’ Setting: For essential apps, choose the option to allow location access only while using the app, rather than all the time.
    • Disable Location Services When Not Needed: Turn off location services when they are not required to limit exposure.

By taking these steps, you can enhance both your privacy and security while using digital devices. (10/04/2024)


Protect Yourself from QR Code Scams

QR codes are convenient but can also be exploited by scammers to steal your personal information or install malicious software. Here’s how to protect yourself:

  1. Be Cautious with Unknown Sources: Only scan QR codes from trusted and verified sources. Avoid scanning codes found in unsolicited emails, random flyers, or suspicious websites.
  2. Check the URL: After scanning a QR code, verify the URL before proceeding. Look out for typos or unfamiliar domain names that could indicate a phishing attempt.
  3. Use a QR Scanner with Security Features: Some QR scanner apps provide security features that can alert you to potentially malicious links.
  4. Avoid Entering Personal Information: Be wary if a scanned QR code directs you to a site asking for sensitive information such as passwords or credit card details.
  5. Update Your Device Software: Ensure your device’s operating system and security software are up-to-date to defend against vulnerabilities.

By following these steps, you can enjoy the convenience of QR codes while keeping your personal information secure. (09/27/2024)


Staying Safe Online – It’s Not Just About Your Password

You might think you’re safe behind your home Wi-Fi, but the truth is, no one is completely immune to online threats. Even with the strongest security measures, there’s always a risk of someone eavesdropping on your internet traffic.

Here are some tips to help you stay protected:

  • Beware of Phishing: Be cautious of emails, texts, or social media messages asking for personal information. These could be phishing scams designed to steal your data.
  • Check for the legitimacy of websites: Scammers will impersonate websites and URLs in an attempt to look valid. “uthsc.edu” is legit, “utshc.com” is not.
  • Strong Passwords Are a Must: Use strong, unique passwords for all your online accounts. Avoid using easy-to-guess information like your birthday or pet’s name.
  • Keep Your Software Updated: Regularly update your operating system, web browser, and other software to patch security vulnerabilities.
  • Be Careful What You Share: Avoid sharing personal information online, especially on public Wi-Fi networks.
  • Monitor Your Accounts: Regularly check your bank statements, credit card bills, and online accounts for any suspicious activity.

Remember, online security is an ongoing battle. By following these tips, you can significantly reduce your risk of falling victim to cyberattacks. (09/20/2024)


Exercise Caution When Selecting Apps

While numerous applications are designed to simplify daily tasks, it is essential to exercise caution when selecting which ones to use, particularly for UT Health Science Center business. Many free applications lack the necessary security controls required for handling specific data classification levels. As with social media applications, security considerations must be a primary factor in your decision-making process when choosing any application. (09/13/2024)


How to Freeze Your Credit

Freezing your credit is a crucial step to protect yourself from identity theft and unauthorized access to your credit report. Here’s a step-by-step guide on how to freeze your credit with the three major credit bureaus: Equifax, Experian, and TransUnion.

Steps to Freeze Your Credit

  1. Gather Necessary Information
    • Full Name
    • Social Security Number
    • Date of Birth
    • Address History
    • Copies of Identification (Driver’s License, Passport)
    • Proof of Address (Utility Bill, Bank Statement)
  2. Contact Each Credit Bureau

You will need to contact each of the three major credit bureaus individually to place a freeze on your credit.

How to Contact the Bureaus
Equifax

    • Online: Equifax Credit Freeze
    • Phone: 1-800-349-9960
    • Mail: Send a request including all necessary information to: Equifax Security Freeze, P.O. Box 105788, Atlanta, GA 30348-5788

Experian

    • Online: Experian Credit Freeze
    • Phone: 1-888-397-3742
    • Mail: Send a request including all necessary information to: Experian Security Freeze, P.O. Box 9554, Allen, TX 75013

TransUnion

    • Online: TransUnion Credit Freeze
    • Phone: 1-888-909-8872
    • Mail: Send a request including all necessary information to: TransUnion LLC, P.O. Box 2000, Chester, PA 19016

Follow Instructions Provided by Each Bureau

    • Each bureau will provide specific instructions for completing the freeze.
    • You may be required to create an account or PIN for future access.

Confirmation of Credit Freeze

    • After processing your request, each bureau will send you confirmation that your credit has been frozen.
    • Keep these confirmations and any PINs or passwords in a safe place; you’ll need them if you want to unfreeze your credit later.

Important Notes

    • A credit freeze does not affect your credit score.
    • It prevents new creditors from accessing your report but does not prevent you from obtaining your free annual credit report.
    • If you need to apply for new credit or allow an entity temporary access, you can temporarily lift the freeze using the provided PIN or password.

By following these steps, you can effectively freeze your credit and add an extra layer of protection against identity theft and fraud.  (09/06/2024)


Why You Might Need to Freeze Your Credit

Freezing your credit is a prudent step in several situations to safeguard against identity theft and unauthorized access. These situations include:

  • After Identity Theft: If you suspect that your personal information has been compromised or you've been a victim of identity theft, freezing your credit can prevent further fraudulent activities.
  • Data Breaches: In the event of large-scale data breaches involving companies or financial institutions where your information might have been exposed, freezing your credit can help protect you from potential misuse.
  • Lost or Stolen Information: If important documents like your Social Security card, driver's license, or any other identifying information are lost or stolen, it's wise to freeze your credit immediately.
  • Unusual Activity: Noticing unusual activity on your existing accounts, such as unfamiliar charges or inquiries, could be a sign of attempted fraud. Freezing your credit adds an extra layer of protection while you investigate.
  • Proactive Protection: For those who want to take a preventive measure against potential identity theft, especially if they rarely apply for new credit accounts or loans, freezing their credit provides long-term security.
  • Planning Major Life Events: If the bad actors know you are getting married or buying a new home, you become a larger target. 

Remember that once you freeze your credit, you'll need to temporarily lift the freeze if you plan on applying for new lines of credit, loans, or services that require a credit check. (08/30/2024)


Don’t Put Passwords on Sticky Notes!

While it may seem convenient to place passwords in easily accessible locations, such as hiding a sticky note under your keyboard, this practice does not adequately mitigate the risk of someone finding and using that password. To enhance security, consider utilizing password managers, which are available in both free and paid versions. These tools can securely store and manage all your passwords in one safe location, eliminating the need for insecure sticky notes.

UT does not endorse a specific password manager. My family members and I have used LastPass, Dashlane, and Keeper. If you want to start your own research into a reliable password manager for yourself or family members, you can start with this Cybernews article. (08/23/2024)


Don’t Just Throw the Old Phone Away

Getting a new phone is exciting. Transferring pictures, data, and apps can be time-consuming and a little frustrating. However, don’t spend all your time on the new device. Your old one needs some attention too. You need to remove all of that personal information from that device before you get rid of it.

Before you say goodbye to your old phone, follow these steps:

  • Back It Up: Copy all the important stuff – photos, contacts, and messages – to your computer or a cloud storage service. This way, you won’t lose anything precious.
  • Delete, Delete, Delete: Go through your phone and delete anything you don’t want to keep. This includes apps, photos, messages, and anything else that might contain personal information.
  • Factory Reset: The final step is to perform a factory reset. This wipes your phone clean, removing all your data and settings.

By following these steps, you’re making sure that your personal information stays private. Don’t let your old phone become a security risk! (08/16/2024)


Scams, Scams, and More Scams

Phishing, a form of social engineering using email, is a prevalent way bad actors try to steal credentials and other sensitive information from unsuspecting recipients. Be cautious of every email, and visit the Office of Cybersecurity’s Phishing webpage and Email Phishing page for information on how to spot these scams. 

What we’ve seen in campus emails are “urgent” scams telling you that you have 24 hours to change your password or be locked out of an account, gift card scams pretending to be from college deans or department heads, and too-good-to-be-true part-time job opportunities. 

Outside of UTHSC, you might encounter tech support scams, especially wanting to help “fix” the recent Crowdstrike/Windows outage, scams surrounding the Paris Olympics, and requests for aid to “help” those impacted by Hurricane Debby. 

Report any suspicious email or other communication to abuse@uthsc.edu for examination. We’ll let you know if it is indeed a phish, or a legitimate email.  (08/09/2024)


Watch Out for Email Autocomplete

Ever noticed how when you start typing an email address, your email app jumps in to finish the job? Handy, right? But watch out—this nifty shortcut can sometimes set you up for a whoops moment. Like when you’re emailing something sensitive and oops… it ends up going to the wrong person because your email thought it knew better. Talk about an “Oh no” moment! Always stay vigilant with emails and make sure they are going to their intended audience! (08/02/2024)


What To Do If/When Your Identity is Stolen

Identity theft is a serious crime that wreaks havoc on your finances and credit. You notice purchases you didn’t make on your bank statement. You are denied credit and you don’t know why. If it hasn’t happened to you (yet), you probably know someone who has been victimized by this crime. The Office of Victims of Crime has a full article explaining these steps. 

  • Place a fraud alert on your credit report
  • Close out accounts that have been tampered with or opened fraudulently
  • Report the identity theft to the Federal Trade Commission (FTC)
  • File a report with local law enforcement

Because this is a crime, make sure to log all conversations and confirm these conversations in writing. (07/26/2024)


Cybersecurity Warning about Amazon Prime Days

Amazon Prime Day is this week, and there are plenty of deals for you to take advantage of. However, cybercriminals are also looking to turn these deals to their advantage. In this particular scam, cybercriminals have created fake websites that look very similar to the real Amazon website. Then, they send you phishing emails and text messages that contain links to the fake websites they created.

The phishing emails and messages will sound alarming to try to trick you into clicking impulsively. They may say that there’s an urgent problem, that your account has been suspended, or that your payment details need to be updated. They will usually threaten to delete your account if the problem isn’t addressed soon. If you click the link in the email or message, you’ll be directed to a fake website. If you enter your login credentials or payment information, that data will be sent directly to the cybercriminals.

Follow these tips to avoid falling victim to an Amazon Prime Day scam:

  • Check the URL of a website very carefully before entering any information. The URL may look very similar to the legitimate Amazon web page but will have subtle differences.
  • Be cautious of unexpected emails or text messages, especially if they instruct you to click a link. If you suspect that there may be a problem with your Amazon account, it’s safer to navigate directly to Amazon’s website instead.

If a deal seems too good to be true, it probably is. Be very skeptical of unrealistic deals and suspicious offers. (07/17/2024)


Make Your Vacation Cybersecure

Summer months are ideal travel times for vacations. If you are planning a trip before the fall semester starts, here are some tips in some cybersecurity areas you may not have thought about.

Mobile Devices - avoid overpacking. Only bring the mobile devices you need when going on vacation. This includes laptops, tablets, smartwatches, eReaders, and portable gaming devices. The fewer you bring, the fewer that can get lost or stolen. For those you do bring, make sure the operating system and apps are up-to-date and are screen-locked. 

Public Wi-Fi Connections and Public Computers - be cautious! These public hot spots are not as secure as you might think and you never know who is watching your activities online. 

Social Media - avoid oversharing when traveling, as you don't always know who is reading your posts. Consider waiting to share your adventures until you get home. 

Customs and Local Laws - check the laws of the country you are visiting if going abroad, and even state laws if you stay in the U.S. Legal rights vary, especially from country to country. What may be tolerated at home may be illegal in another country. 

Vacation should be a time for relaxing, exploring, and having fun. These simple steps will help ensure you do so safely and securely. (07/12/2024)


Don’t Share Your Passwords!

We talk about passwords a lot. Create strong passwords. Use upper- and lower-case letters, numbers, and symbols. Use a password manager. But the easiest way to unsecure your password is to share it. Realize that if you share your password with someone else (family member, coworker, etc.) they have access to EVERYTHING in that account. If a department needs shared information, create a SharePoint site. Use Google Drive or another similar sharing app if your family needs shared information. There are many ways to share information that are much more secure than password-sharing. (07/05/2024)


Don’t Fall for Misinformation

Misinformation, inaccurate or false information, is used by scammers targeting social media. The idea is to make you (and everyone you share that information with) believe something that is potentially untrue. The general rule is to check and corroborate the source with reputable sources.   (06/28/2024)


Make Sure Your Smart Devices Stay Secure

We love our smart devices – thermostats that learn our habits, refrigerators that order groceries – but with all that convenience comes a little responsibility: security. Here’s the thing: smart tech relies on data, and that data needs protection.

Imagine your smart devices are like chatty friends, constantly exchanging information to get things done. While that’s how they work, it also means there’s a chance for someone to eavesdrop and steal your data.

So, how do we keep our smart devices secure? Here are a few tips:

  • Security Basics Still Apply: Even though they’re fancy, smartphones, laptops, and printers are still vulnerable to traditional security threats. Keep your software up-to-date, use strong passwords, and be careful about what information you share on these devices.
  • Wireless Wisdom: Many smart devices connect over Wi-Fi. Make sure your Wi-Fi network is secure with a strong password and encryption. Think of it like a secret handshake – only authorized devices get to join the party!
  • Read the Manual (Yes, Really!): Device manuals are full of useful information, including security settings you might not know about. Take some time to explore them – your future self will thank you!

By following these simple tips, you can transform your smart tech from a potential security risk into a safe and reliable companion. (06/21/2024)


Social Engineering Attacks Can Come In the Mail

Social engineering scams can come through any communication channel (e.g., email, texting, phone calls, social media, etc.). They can even come in the mail. Think of the flyers you might have received with too-good-to-be-true offers. Another recently reported mail scam is a fake refund check.

The scam has the recipient receiving a refund check supposedly from American Express. The instructions tell the person to deposit the check, then transfer some portion of it to someone else for some made-up reason, such as taxes or a handling fee. 

The check is fake, but legitimate-looking, so the bank won’t catch it until they verify it a few days later. By then, the money transfer is long gone, and the depositor is out that amount. 

Be suspicious of any unexpected communication, and verify the origin of that correspondence before acting on it. (06/14/2024)


Email Bombing

Email bombing is the malicious act of sending a large number of emails to overwhelm and disrupt an individual’s or organization’s email account. We have seen this on campus where people have been bombarded with hundreds of emails every minute. It strains resources campus-wide and makes it impossible for people to access legitimate emails. 

How can you fight against it?

  • Be selective when subscribing to newsletters or online services. Make a separate email account for just these instances so you don’t use your business or a personal account used by friends and family. 
  • Be cautious about sharing your email address publicly on websites, forums, or social media platforms. (See bullet #1)
  • Avoid opening emails from unknown senders that appear suspicious. 

While receiving some spam emails is normal, receiving hundreds or thousands in a short time is “email bombing”. If this happens to your UT Health Science Center account, contact the ITS Service Desk immediately at 901.448.2222. (06/07/2024)


Spotting and Stopping Phishing Attacks

Social engineering attacks, most commonly known as phishing, are delivered in many different ways. Phishing = emails. Smishing = text messaging. Vishing = voice scams or phone calls. No matter the delivery, there are common clues you can spot.

  • Urgency: Any message that creates a tremendous sense of urgency in which attackers are trying to rush you into taking quick action and making a mistake. An example is a message claiming to be from the government, stating your taxes are overdue and if you don’t pay right away you will end up in jail.
  • Pressure: Any message that pressures an employee to ignore or bypass company security policies and procedures.
  • Curiosity: Any message that generates a tremendous amount of curiosity or seems too good to be true, such as an undelivered UPS package or a notice that you are receiving an Amazon refund.
  • Tone: Any message that appears to be coming from someone you know such as a coworker, but the wording does not sound like them, or the overall tone or signature is wrong.
  • Sensitive Information: Any message requesting highly sensitive information, such as your password or credit card.
  • Generic: A message coming from a trusted organization but using a generic salutation such as “Dear Customer”. If Amazon has a package for you or your phone service has a billing issue, they know your name.
  • Personal Email Address: Any email that appears to come from a legitimate organization, vendor, or co-worker, but is using a personal email address like @gmail.com or @hotmail.com.

By looking for these common clues you can go a long way toward protecting yourself. Any suspicious UT Health Science Center communication should be forwarded to abuse@uthsc.edu for examination so we can block the attack. (05/31/2024)
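An added example, not part of the original tips: a sender check covering the “Personal Email Address” clue above and the look-alike domain mentioned in an earlier tip (“uthsc.edu” versus “utshc.com”). The staff-name list and the sample From headers are constructed, and the domain comparison assumes a single-label suffix such as .edu or .com.

```python
from email.utils import parseaddr

TRUSTED_DOMAIN = "uthsc.edu"
FREEMAIL = {"gmail.com", "hotmail.com"}   # the two providers named in the tip
KNOWN_NAMES = {"pat example"}             # constructed stand-in for a staff directory


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each costing 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "sh" typed for "hs".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]


def second_level(domain):
    """Label left of the TLD (assumption: single-label suffix like .edu/.com)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def check_sender(from_header, known_names=KNOWN_NAMES):
    """Return a list of warning flags for one From header."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    trusted = domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)
    flags = []
    if trusted:
        return flags
    # Distance 0 means the same name under another TLD; 1 is a single typo or swap.
    if osa_distance(second_level(domain), second_level(TRUSTED_DOMAIN)) <= 1:
        flags.append("lookalike_domain")
    # Display name matches a campus name, but the address is not on the campus domain.
    if name.strip().lower() in known_names:
        flags.append("display_name_spoof")
    # Weak on its own; meaningful together with the flag above.
    if domain in FREEMAIL:
        flags.append("freemail_sender")
    return flags


# Constructed sample headers.
SAMPLES = [
    '"Pat Example" <pat.example@uthsc.edu>',
    '"Pat Example" <dean.office2024@gmail.com>',
    'IT Help <helpdesk@utshc.com>',
    'Newsletter <news@example.org>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header))
```
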


Ticketing Scams for Live Events

Even before news broke that the DOJ was suing Live Nation, the parent company of TicketMaster, cautions were announced about purchasing tickets for live events this summer. Scammers have used bogus ticketing sites to lure people with “too good to be true” scams, offering tickets to popular events at discounted prices.

It can start with a phishing email or even a fake social media post to get the attention of people wanting to attend a concert, sporting event, or even the Olympics in Paris this summer. The simple offer is for discounted tickets to the event that is too good to pass up. 

Fraudsters are now using the “buzz” around the lawsuit against TicketMaster and Live Nation as another slant to the scheme.

Double-check the source for any purchase. Think this can’t happen to you? It did, to someone in ITS, who purchased tickets for a much-anticipated concert and didn’t realize they were fake until they couldn’t get in. (05/24/2024)


Do NOT Accept a DUO Push if You Don’t Initiate It

DUO Fatigue, or MFA (multi-factor authentication) fatigue, occurs when you’ve gotten so used to hitting “Accept” when a push comes through that you do it automatically, even if you didn’t initiate the push. It also occurs when you are bombarded with push notifications and you just want them to stop, so you finally accept one. Both scenarios usually involve bad actors who already have your compromised credentials and need to get through that final layer of protection to get to your information.

Our campus and other UT campuses have seen a rise in these attacks, so BE CAUTIOUS in accepting DUO pushes.

For the past few months, we have seen a rise in attacks targeting people’s direct deposit information for payroll. Here is what happens:

  1. Credentials are stolen, sometimes by guessing weak passwords or through a phishing attack.
  2. The bad actors log in, which initiates a DUO push to the user. Either because of continual pushes or because the user is not paying attention, they accept the push, letting the bad actors in.
  3. The bad actors then add their own device to DUO so going forward, they will get push notifications instead of the legitimate UT person.
  4. The bad actors get into the email account of the UT person and make a forwarding rule so any communication they initiate is forwarded to them and the UT person never sees it. 
  5. And then they hit where it hurts the most. They change the banking information for that person’s direct deposit for payroll, so that hard-earned money goes to the bad actor’s account. Since all email notifications about the change are forwarded to the bad actors, the UT person doesn’t know until they don’t get the money in their account.

All because they accepted a DUO Push they didn’t ask for. This isn’t a fake scenario to scare you. This has happened to multiple people in our community. 

DO NOT ACCEPT A DUO PUSH UNLESS YOU START THE REQUEST! Reject the push. If you start to get constant push notifications, contact the ITS Service Desk (901.448.2222) and let us know you might be under attack. (05/17/2024)
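An added example, not UTHSC code: a small correlation rule that looks for the sequence in steps 2 through 5 above (an approved push, a newly enrolled MFA device, an external forwarding rule, a direct deposit change) in one user's events. The event names, field layout, and sample records are constructed for illustration and do not match the schema of Duo or any mail or payroll system.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "uthsc.edu"

# Stages of the takeover described in steps 2-5 (hypothetical event names).
CHAIN = (
    "mfa_push_approved",
    "mfa_device_enrolled",
    "mail_forward_rule_created",
    "payroll_deposit_changed",
)

# Constructed sample events: (timestamp, user, event type, detail).
SAMPLE_EVENTS = [
    ("2024-05-14T08:01:10", "jdoe", "mfa_push_denied", ""),
    ("2024-05-14T08:01:40", "jdoe", "mfa_push_denied", ""),
    ("2024-05-14T08:02:05", "jdoe", "mfa_push_denied", ""),
    ("2024-05-14T08:02:30", "jdoe", "mfa_push_approved", ""),
    ("2024-05-14T08:05:00", "jdoe", "mfa_device_enrolled", "new phone"),
    ("2024-05-14T08:09:00", "jdoe", "mail_forward_rule_created", "collector@mail.example"),
    ("2024-05-14T08:20:00", "jdoe", "payroll_deposit_changed", ""),
    # Benign user: one approved push and a forwarding rule to an internal mailbox.
    ("2024-05-14T09:00:00", "asmith", "mfa_push_approved", ""),
    ("2024-05-14T09:30:00", "asmith", "mail_forward_rule_created", "lab-shared@uthsc.edu"),
]


def parse(events):
    """Group events per user, sorted by time."""
    per_user = defaultdict(list)
    for ts, user, kind, detail in events:
        per_user[user].append((datetime.fromisoformat(ts), kind, detail))
    for rows in per_user.values():
        rows.sort(key=lambda r: r[0])
    return per_user


def is_external(address):
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def push_fatigue(rows, min_denied=3, window=timedelta(minutes=10)):
    """Approvals that follow a burst of denied pushes: (time, denied count)."""
    hits, denied = [], []
    for ts, kind, _ in rows:
        if kind == "mfa_push_denied":
            denied.append(ts)
        elif kind == "mfa_push_approved":
            recent = [d for d in denied if ts - d <= window]
            if len(recent) >= min_denied:
                hits.append((ts, len(recent)))
            denied = []
    return hits


def takeover_stages(rows, window=timedelta(hours=24)):
    """Chain stages seen within `window` after an approved push (best match)."""
    best = []
    for i, (start, kind, _) in enumerate(rows):
        if kind != CHAIN[0]:
            continue
        seen = {CHAIN[0]}
        for ts, k, detail in rows[i + 1:]:
            if ts - start > window:
                break
            # Forwarding to an internal mailbox is not counted as a stage.
            if k == "mail_forward_rule_created" and not is_external(detail):
                continue
            if k in CHAIN:
                seen.add(k)
        ordered = [s for s in CHAIN if s in seen]
        if len(ordered) > len(best):
            best = ordered
    return best


def triage(events, alert_at=3):
    """Return {user: finding} for users with at least `alert_at` chain stages."""
    findings = {}
    for user, rows in parse(events).items():
        stages = takeover_stages(rows)
        if len(stages) >= alert_at:
            findings[user] = {"stages": stages,
                              "push_fatigue": bool(push_fatigue(rows))}
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```
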


Smishing – Text Messaging Scams

Cybercriminals often use text messages to try and trick you into clicking on malicious links, a method known as “Smishing.” Recent reported scams include sending a fake text message that says a package is unable to be delivered to you. The text contains a link, but it may not be clickable. A security feature on many smartphones automatically disables links in unexpected messages. So, the cybercriminals will instruct you on how to bypass the feature. The message says to copy and paste the link into your browser to open it. There is a sense of urgency to the message, saying you must use the link to confirm your delivery information in 12 hours to receive your package.

If you follow the instructions and open the link, you will be taken to a web page that appears to belong to the package carrier. You will be asked to enter your personal or financial information on the website. However, the website is fake, so entering your personal details will allow cybercriminals to steal this information. 

Follow these tips to avoid falling victim to a smishing scam:

  • In this case, the instructions ask you to paste the link into your browser in order to open it. Be aware of unusual instructions in a text message. The message also instructs you to take action quickly. Cybercriminals frequently use this technique to try and trick you into acting impulsively.
  • It is suspicious to receive a text message for a package delivery if you are not expecting a package. Always ask yourself if the message is expected.
  • Do not tap on links in an unexpected message. It’s always safer to navigate to the official website in your web browser.  (05/10/2024)

World Password Day!

World Password Day is always the first Thursday of May, which this year was yesterday, May 2. It is a good reminder to make sure your passwords are strong and well-protected. Visit our Passwords webpage for a few tips on password maintenance. If any of your passwords are “password”, “123456” or “password123” CHANGE THEM! (05/03/2024)


AI Use in Phishing Emails

With the advent of generative natural language models like ChatGPT, also known as artificial intelligence or AI, scammers can create increasingly convincing phishing emails. AI-generated messages can be produced more quickly and with far fewer grammar and spelling mistakes. To make matters worse, phishers can use personal information to send spear-phishing emails – phishing attempts targeted at a particular individual – that are much harder to distinguish from non-phishing emails. The silver lining is that AI only improves the effectiveness of the main body of the email; scammers will still have to resort to the usual tactics of sending from suspicious email addresses, scaring recipients with an urgent tone, and including malicious links. As always, double-check the addresses of urgent messages and avoid clicking links unless you are certain the sender is safe. Forward any suspicious communications to abuse@uthsc.edu for examination.  (04/26/2024)


How to Deal with Unwanted Emails

The most direct and effective way to handle unwanted emails is to block the sender. To block a sender using Outlook’s Web Application, click on the three dots at the top right of the unwanted email, hover over the “Block” tab with the cursor, and select “Block (sender name)” from the list of options. Blocked senders will be added to a block list, and any future emails sent will be placed in the “Junk Email” folder. This approach is best used against spam emails.

If you are using Outlook’s Desktop Application, in the top toolbar, in the Delete section, click Junk (the icon looks like a person with a red circle on it), then Block Sender. 

More malicious emails warrant further action, especially if they target UTHSC employees and students. Phishing emails can typically be identified by a mismatched email address and name, urgent language, and suspicious links or requests for personal information. If you suspect an email may be a phishing attempt, please report it to abuse@uthsc.edu.

For personal accounts, such as Gmail or Yahoo, a simple Google search will guide you on how to block senders in their platforms. (04/19/2024)


Spring Cleaning

Spending time each month or quarter to ensure your computer works to the best of its ability reduces risk and mitigates damage from cyberattacks and crashes. Here are some important tasks to consider for your next Spring Cleaning:

    • Uninstall unused applications. This will free up disk space and prevent attacks exploiting older software.
    • Update software and drivers. Software can typically be updated within the application or with a third-party updater. Drivers are typically updated alongside system updates.
    • Backup data. Making back-ups frequently minimizes the amount of data loss from a crash or security incident.
    • Clean hardware. A buildup of dust on internal components, especially fans, can lead to performance issues. Be sure to consult your computer’s user manual for information on how to safely clean hardware components.
    • For UT Health Science Center devices, keep them powered on periodically to receive updates on time. (04/12/2024)

Watch Out for Tax Scams this April

With the deadline for filing a tax return approaching on the 15th, scammers are eager to capitalize on taxpayers’ urgency. In a recent campaign, scammers emailed a link to a phony website that pretends to show the recipient’s tax returns. The site uses a blurred “spreadsheet” and official IRS images to bait the recipient into clicking a “download documents” button that downloads malware and allows the user to enter confidential information. To avoid tax scams like these, always double-check the sender’s email address, avoid clicking links on unverified emails, and never share sensitive data via email. The IRS will never initiate a request for financial and personal information over email, phone calls, text messages, or social media messages!

This is just one example of the tax scams that run rampant during this season. Protect yourself, your personal information, and your possible refund! (04/05/2024)


Prepare for Crashes with Data Backups

Computer crashes pose a serious risk of data corruption or loss, depending on the severity of the crash. Data can also become compromised by malware or ransomware attacks. To counter these risks, it is important to maintain backups of all your data. Keeping multiple backups across a variety of storage methods is key to maximizing recoverability. Examples of data storage methods include external hard drives like HDDs or SSDs, USB flash drives, optical media like CDs and DVDs, and cloud storage services. Keeping backups both on and off-site can further reduce the risk of multiple backups being destroyed or corrupted at once. (03/22/2024)


A Reminder About Gift Card Scams on Campus

This week's tip reminds everyone about gift card scams, especially those we've seen on campus. No Chancellor, Vice Chancellor, Dean or department head will ever ask you to purchase gift cards for them. If you receive an email like this that looks like it is coming from your supervisor, their name has been spoofed: the display name on the email account is the name of someone on campus, but the actual email address is not an @uthsc.edu one.

People reported to abuse@uthsc.edu many different variations of these scams. The sender asks if you are available to do a favor. They usually state that it has to be done urgently (red flag), and they are not available to communicate because they are at a conference or headed to a meeting. They may ask for a cell number to continue the conversation outside our UT Health Science email, so we can't block it. 

Stop. Take a breath. Think. This is outside normal behavior, so always be suspicious. Does your supervisor already have your cell number? Then they shouldn't be asking for it. Verify the actual email address instead of just the displayed name. Most often, these come from Gmail accounts.

Report any suspicious emails, or other correspondence, to abuse@uthsc.edu. The Office of Cybersecurity will be happy to verify any email. If you report a phish to us quickly, we can take action to minimize the impact to the university. (03/15/2024)
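The display-name check described in this tip can be automated on a mail gateway or in a triage script. The Python sketch below is an added example, not UTHSC tooling: the directory entry, title list and sample messages are constructed, and it also flags a related trick (an organization address typed into the display name of an external sender) that goes slightly beyond the case in the text.

```python
import re
from email import message_from_string, policy

ORG_DOMAIN = "uthsc.edu"
# Honorifics ignored when comparing names (assumed list, extend as needed).
TITLES = {"dr", "prof", "dean", "chancellor", "mr", "ms", "mrs"}


def name_key(name):
    """Order-insensitive key so 'Example, Pat' and 'Dr. Pat Example' match."""
    words = re.findall(r"[a-z]+", name.lower())
    return frozenset(w for w in words if w not in TITLES)


# Constructed directory with one made-up person.
DIRECTORY = {name_key("Pat Example"): "pexample@uthsc.edu"}

ADDRESS_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def is_internal(domain):
    domain = domain.lower()
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def check_sender(raw_message):
    """Return a list of findings about the From header of one message."""
    msg = message_from_string(raw_message, policy=policy.default)
    header = msg["From"]
    if header is None or not header.addresses:
        return ["NO_USABLE_FROM"]
    sender = header.addresses[0]
    if is_internal(sender.domain):
        return []  # a real campus address; display name is not the issue
    findings = []
    # Case from the tip: a campus name shown over a non-campus address.
    if name_key(sender.display_name) in DIRECTORY:
        findings.append("CAMPUS_NAME_EXTERNAL_ADDRESS")
    # Related trick: a campus address typed into the display name itself.
    shown = ADDRESS_IN_TEXT.search(sender.display_name)
    if shown and is_internal(shown.group(1)):
        findings.append("ORG_ADDRESS_IN_DISPLAY_NAME")
    return findings


# Constructed sample messages.
SPOOFED = (
    'From: "Dr. Pat Example" <dean.office.desk@gmail.com>\n'
    "Subject: Are you available?\n\nI need a quick favor.\n"
)
GENUINE = (
    "From: Pat Example <pexample@uthsc.edu>\n"
    "Subject: Staff meeting\n\nAgenda attached.\n"
)
ADDRESS_TRICK = (
    'From: "pexample@uthsc.edu" <someone@example.net>\n'
    "Subject: Urgent\n\nPlease reply with your cell number.\n"
)

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("genuine", GENUINE),
                       ("address trick", ADDRESS_TRICK)]:
        print(label, "->", check_sender(raw) or "no findings")
```

A match is a prompt to look at the real address, not proof of fraud: people legitimately share names, and staff sometimes write from personal accounts.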


Ransomware – How Does It Get In?

Ransomware, that digital bully holding your files hostage, can strike in different ways.

  • Phishing Emails: Imagine getting an email that looks like it’s from your bank, friend, or even a famous company. It might urge you to click a link or open an attachment. Don’t fall for it. These emails are like traps, designed to infect your device with ransomware.
  • Drive-by Downloads: Ever visit a website and suddenly things feel…off? That might be a “drive-by download” happening in the background, installing ransomware without your knowledge. It’s like a sneaky thief slipping malware onto your device while you’re distracted.

Both methods rely on tricking you. Be cautious of suspicious emails and avoid clicking on unknown links or opening attachments from untrusted sources.

Bonus cybersecurity tip: Keep your software updated and use a reputable antivirus program. These tools are like bodyguards, helping to identify and block potential threats before they harm your device. For your UTHSC devices, make sure CarbonBlack is installed. If you need assistance, contact our ITS Service Desk via TechConnect. (03/08/2024)


How to Disable Wi-Fi Auto-Connect and Bluetooth

If you have used a public network, your phone will likely attempt to reconnect to that network the next time you go to that public space. By connecting to these open networks without notifying you, your phone can run the risk of allowing outside interference and surveillance. Similarly, leaving Bluetooth enabled on your device when not needed increases your visibility and allows unknown devices to connect to yours without permission, even when on separate networks. Here’s how you can disable these settings on iPhone and Android devices:

iPhone:

  • To disable wi-fi auto-connect, go to Settings > Wi-Fi.
  • Find the public network and tap the adjacent ‘i’ icon with a circle.
  • Tap “Auto-Join” to disable it for that network.
  • To disable Bluetooth, go to Settings > Bluetooth.
  • Tap “Bluetooth” to disable it.

Android:

  • To disable wi-fi auto-connect, go to Settings > Connections > Wi-Fi.
  • Find the public network and tap its gear icon.
  • Tap “Auto reconnect” to disable it for that network.
  • To disable Bluetooth, go to Settings > Connections.
  • Tap “Bluetooth” to disable it. 

(03/01/2024)


Dangers of Using Public Wi-Fi

Public networks are risky because anyone can enter the network with little to no authorization. Malicious actors can take advantage of poor network security by spying on user activity, collecting confidential information, or redirecting users to unsecured webpages. If you must use public wi-fi, use a VPN and stick to websites beginning with “https.” Avoid sharing highly valuable data like credit card information, banking details, or social security numbers (SSN) while on a public network!

Some hackers set up an impostor network posing as a legitimate public network, or even brute force their way into an administrative account on a poorly secured router. Either way, these networks are completely unsafe regardless of the user’s security measures, so they should be avoided no matter what!

As a rule of thumb, use public wi-fi only as a last resort. If an urgent matter requires Internet access, consider using wireless data instead. (02/23/2024)


Downloading Unapproved Software

Be cautious about downloading third-party antivirus applications and software. Many times, when you download a new application, the manufacturer “bundles” other downloads with it. A lot of the time, unless you uncheck some boxes, they automatically download. This disrupts our CarbonBlack and sends alerts for unauthorized software.

Be cautious of downloading ANY software or applications that can harm your device and our network. (02/16/2024)


Phishing Emails You Need to Recognize

It is not uncommon to receive phishing emails. We’ve talked about them in the past, but this week’s tip is a list of the most common phishing subject lines you need to look out for. By no means do we say these are the ONLY phishes out there, but read more for the list and see if you’ve gotten any, whether in your UTHSC email or your personal accounts. If you receive anything suspicious in your UTHSC email, forward it to abuse@uthsc.edu for examination.

  1. Action Required 
  2. Part-time job opportunity
  3. Account Verification
  4. Are you available?
  5. Renewal plan successful (Your invoice has been paid)
  6. Billing information is out of date
  7. Payroll has been delayed
  8. Your meeting attendees are waiting
  9. Voicemail received

Be suspicious of any emails that you are not expecting. The bad actors are getting good at presenting these phishes to get your attention.

For more information on phishing, check out our SPAR webpage. (02/09/2024)


Social Media Scams that Shock You

If you are on Facebook, you’ve probably seen a post tagging people you know stating “I can’t believe he is gone. I’m gonna miss him so much.” The post contains a link to a news article or video, but when you click the link, you are taken to a web page that prompts you to log in to Facebook. If you enter your information, you are taken to an unrelated page. No news article exists, but scammers have just stolen your Facebook credentials using a phishing attack. Then they turn around and use those credentials to send that fake post to your family and friends, hoping to get their credentials.

Why? Because people reuse passwords, a stolen password from Facebook can also mean access to banking information or other personal sites. Also, access to your Facebook account will give someone a lot of personal information about you, where you live, who your friends are, and even where you went to high school. That’s a lot of information that is useful in identity theft. 

Follow these tips to avoid falling victim to a Facebook phishing attack:

  • When possible, use multi-factor authentication (MFA) as an added layer of security for your accounts. The MFA will prompt you to provide additional verification before logging in, making it more difficult for scammers to compromise your account.
  • A post from a friend may seem trustworthy, but their account could be compromised. Reach out to your friend over the phone or text to verify that their post was legitimate.

Remember, this type of phishing attack isn’t exclusive to Facebook. Scammers could use this type of attack on any social media platform. (02/02/2024)


Physical Security of Portable Devices

Laptops, phones, and tablets hold a lot of our data. Keeping them safe from prying eyes and sticky fingers is as crucial as digital defenses such as antivirus applications and passwords.

A lost or stolen device is an open door to your digital life. Treat your devices like the valuable pieces of equipment they are. Keep laptops in locked drawers or cabinets, especially in shared spaces like offices or dorms. Phones? Pockets and bags with security closures are important. 

Home office? Invest in sturdy desks or lockable cabinets to deter curious hands from wandering towards your equipment. A dedicated shredder for confidential documents adds another layer of protection. 

Traveling? If you don’t have your devices with you, lock them in your hotel room in the in-room safe, or in locked luggage. Don’t leave them lying about where others can find them easily.  (01/26/2024)


Weather Related Scams

You’ve had an interesting week if you live in Tennessee (or Mississippi or Arkansas). Have you had someone stating they are a contractor contact you offering services like fixing pipes, clearing driveways, or trimming trees? Scammers know weather-related issues are a feeding ground for people needing to make quick decisions to fix problems. Verify anyone offering a service to you to ensure they are a reputable company. Posting your troubles on social media makes you a target for these bad actors looking for susceptible people in need. (01/19/2024)


Phishing is Still a Large Attack Vector

UTHSC received a huge number of phishing emails in December 2023, about 500% more than normal. Only 3.5% made it to people’s inboxes, but we are a target. To safeguard your devices, whether UTHSC-owned or personally owned, you must stay aware of how scammers are trying to get in. General rules – 1) be wary of unsolicited emails, especially those requesting sensitive information or urgent action, 2) verify the legitimacy of emails by checking the sender’s address, and 3) avoid clicking on suspicious links. (01/12/2024)


“Tech Support” calls – Hang up!

Ever get a call from someone claiming to be tech support, urgently needing your password to “fix” a problem? Beware! This is a classic phishing scam aimed at stealing your login credentials. The UTHSC ITS Service Desk, along with any other reputable tech support (from your bank, computer manufacturer, Microsoft, etc.), will never ask for your password over the phone.

Here’s the deal:

  • If it sounds fishy, it probably is. Legitimate tech support won’t call you out of the blue and demand personal information. If you’re unsure, hang up and contact the company directly using known numbers or websites.
  • Reset passwords yourself. Most websites offer secure password reset options through email or verification codes. No need to involve unknown callers over the phone.
  • Protect your logins fiercely. Treat your passwords like keys to your digital kingdom. Never share them with anyone, including “tech support,” no matter how convincing they sound.

Remember, a little caution can go a long way. By hanging up on suspicious calls and safeguarding your passwords, you can prevent these scammers from cracking into your online accounts.  (01/05/2024)

2023

How Phishing has Evolved

You’ve been taught how to spot a phish. You’ve probably seen enough of them in your inbox that you are pretty confident one won’t get past you. You are suspicious (which is a good thing). But cybercriminals are getting better at delivering credible communications.

With phishing and social engineering in general, these scammers are looking beyond using just emails:

  • Phishing campaigns are now multi-channel attacks that have multiple stages. In addition to emails, cybercriminals are using texts and voicemail to direct victims to malicious websites and then using a follow-up phone call to continue the ruse.
  • Scammers are actively targeting mobile devices. Credentials can be compromised because users can be fooled by social engineering tactics across different apps. Half of all personal devices were exposed to a phishing attack every quarter of 2022.
  • AI has become a factor. AI is being used to make phishing content more credible and to widen the scope of attacks. Using victim research data, AI can create personal phishing messages and then refine those messages to add a veneer of legitimacy to get better results.

Bottom line? Stay suspicious. Use a second means of verifying information. For example, don’t reply to an email, or use contact information listed in the email or text. Go to an organization’s webpage to get contact information. 

The Office of Cybersecurity can help you examine suspicious communications, even texts and voicemails. Forward all information to abuse@uthsc.edu. We’ll let you know if it is legitimate or a scam. (12/20/2023)


Misinformation versus Disinformation

You’ve probably heard the terms misinformation and disinformation bandied about when talking about social media or the news. Although the terms are often used interchangeably, they are distinct. Misinformation is simply false or inaccurate information. Disinformation is false or misleading information deliberately used to deceive and spread fear and suspicion.

Social engineers use both misinformation and disinformation to get recipients to react in a certain way, usually to give out personal information that can be used to steal identities. Be cautious about responding to any post. Use multiple means to separate fact from fiction. (12/08/2023)


Educate your family and/or team on the importance of cybersecurity

Oftentimes, cybercriminals gain access through in-house negligence — hence, awareness is key. Teach those who hold sensitive information to recognize suspicious links, the role of strong password measures, and regular software updates, among other relevant factors. Notably, a strong defense starts with educated vigilance.

Here are some tips for educating your family or team on cybersecurity:

      • Explain the different types of cyberattacks and how they can affect them.
      • Teach them how to recognize suspicious emails, links, and attachments.
      • Help them create strong passwords and enable two-factor authentication on all of their accounts.
      • Explain the importance of keeping their software up to date.
      • Talk to them about the risks of using public Wi-Fi and public charging stations.
      • Encourage them to report any suspicious activity to you immediately.

By educating your family and team on cybersecurity, you can help protect them from cyberattacks.

If you need assistance or a deeper explanation of any of these topics, contact the Office of Cybersecurity at itsecurity@uthsc.edu or use TechConnect to contact the team. (12/01/2023)


Holiday Scams Update

If you missed the tip of the week last week, you were not alone! We want to update everyone on the types of scams you will encounter this holiday season, so we updated our Holiday Scams page for up-to-date information. #BeCyberSafe (11/27/2023)


Strong Passwords are Your Best Friends

You can buy a small padlock for less than a dollar—but you shouldn’t count on it to protect anything of value. A thief could probably pick a cheap lock without much effort, or simply break it. And yet, many people use similarly flimsy passwords to “lock up” their most valuable assets, including money and confidential information. Check out the SPAR (Security Preparedness and Response) Passwords page for an explanation of why strong, unique passwords matter, along with some graphics and videos if you don’t like to read a lot of words. #BeCyberSafe (11/17/2023)


How Many Email Addresses Should a Person Have?

If you answered 3 or 4, you'd be right on the recommended average.

Think about the categories of how you communicate through email.

  1. Work/School - your UTHSC email address that should be only used for UTHSC correspondence. (You might want to review the Email standard for the permitted use of UTHSC email accounts.)
  2. Personal - Family, friends, relatives, personal social network accounts, house electricity bills, house property tax notifications, etc.
  3. Spam - newsletters, and notifications from various websites, used when you have to enter an email address knowing it will probably be sold to others.
  4. Bank - if you have given your personal or work email addresses to too many people, using a separate email for your most sensitive accounts protects them from being part of a data breach. (11/10/2023)

Pay securely with Apple Pay, Google Pay, and Samsung Pay

Mobile payment services like Apple Pay, Google Pay, and Samsung Pay are a safe and convenient way to pay for goods and services. These services allow you to make contactless payments with your smartphone or smartwatch, without having to use your physical credit or debit card.

Here are some tips for using mobile payment services safely:

  • Make sure that your phone or smartwatch is password-protected. This will help to prevent unauthorized access to your mobile payment account.
  • Only use mobile payment services on trusted devices.
  • Be aware of your surroundings when making mobile payments. Avoid making mobile payments in public places where someone could see your PIN or password.
  • Monitor your mobile payment account transactions regularly for any suspicious activity. (11/03/2023)

Avoid public charging when out and about

Many establishments like airports have charging stations with USB plugs that you can use to charge vapes, e-readers, laptops, tablets, and phones. However, threat actors can load malware onto these ports to “juice-jack” — accessing and stealing data from devices being charged. Carry a charged portable power bank with you to charge your devices on the go rather than using these public plugs. (10/27/2023)


Be Cautious with Information Related to the Israel-Hamas War

The Israel-Hamas war has made headlines worldwide. Cybercriminals often use high-profile news events for disinformation campaigns, which include false information designed to intentionally mislead you. They also use instances like this as well as natural disasters to prey on your emotions for donations that may not be reputable. 

Stay alert in the coming weeks, as cybercriminals are already referencing the war in social media disinformation campaigns. Last week, videos were posted on X, formerly known as Twitter, that claimed to be footage of the Israel-Hamas war. These videos were actually from video games and fireworks celebrations, but they still went viral. Cybercriminals can use disinformation like this to try to catch your attention and manipulate your emotions. Disinformation can be used as a phishing tactic to try to get you to click on suspicious links or open malicious attachments.

With news also of the need for humanitarian aid, bad actors launch phishing campaigns pretending to be the Red Cross, UNICEF, or other charitable organizations to get money or banking information from you.

Follow the tips below to stay safe from these types of scams:

  • Be suspicious of emails, texts, and social media posts that contain shocking information about this event. 
  • Think before you click. Cyberattacks are designed to catch you off guard and trigger you to click impulsively.
  • Check URLs carefully, or skip email links entirely and type the organization’s URL directly into your browser if you wish to donate.


Stay informed by following trusted news sources. If you see a sensational headline, research the news story to verify that it’s legitimate. (10/20/2023)


What is Typosquatting?

Typosquatting attempts to take advantage of typographical errors (i.e. “typos”) when users type URLs directly into the address bar. By capitalizing on user error, cyber threat actors funnel unsuspecting users to illegitimate domains that closely mimic originals. This tactic involves the purchase and registration of domains similar to an existing domain. Typosquatters often target high-traffic and/or sensitive websites to exploit the greatest number of users.

Use caution when looking at links to make sure the URL is EXACTLY what you expect it to be. Also, use caution when typing. The bad actors know what common mistakes are often made. 

Can you spot the difference between citybank.com and citybαnk.com?

(the “a” in bank is another symbol) (10/13/2023)
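A lookalike check of this kind can be scripted for links pulled from mail or proxy logs. The Python sketch below is an added example, not part of the original tip: the trusted list and the small look-alike character table are constructed for illustration (a production check would load the full Unicode confusables data), and it covers both swapped-in symbols and ordinary keyboard typos.

```python
import unicodedata

# Constructed allowlist: the tip's example domain plus the university's own.
TRUSTED = ("citybank.com", "uthsc.edu")

# Small illustrative subset of look-alike characters (assumption: real
# deployments use the complete Unicode confusables table instead).
CONFUSABLES = {
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
}


def scripts_used(domain):
    """Writing systems of the letters in a name, taken from Unicode names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in domain if ch.isalpha()}


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = ca != cb
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # swapped neighbours
        prev2, prev = prev, cur
    return prev[len(b)]


def closest_trusted(name, trusted, max_distance):
    distance, best = min((osa_distance(name, t), t) for t in trusted)
    return best if distance <= max_distance else None


def inspect_domain(candidate, trusted=TRUSTED):
    """Classify a domain as trusted, homoglyph, typo or unknown."""
    domain = candidate.strip().rstrip(".").lower()
    try:
        # The xn-- form is what DNS and certificates actually carry.
        ascii_form = domain.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = None
    report = {"domain": domain, "ascii_form": ascii_form,
              "scripts": sorted(scripts_used(domain)),
              "verdict": "unknown", "imitates": None}
    if domain in trusted:
        report["verdict"] = "trusted"
    elif not domain.isascii():
        # Replace look-alikes with ASCII, then compare to the allowlist.
        skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in domain)
        match = closest_trusted(skeleton, trusted, 1)
        if match:
            report["verdict"], report["imitates"] = "homoglyph", match
    else:
        match = closest_trusted(domain, trusted, 2)
        if match:
            report["verdict"], report["imitates"] = "typo", match
    return report


if __name__ == "__main__":
    # Constructed inputs; the second is the tip's Greek-alpha example.
    for name in ["citybank.com", "cityb\u03b1nk.com", "citybnak.com",
                 "uthcs.edu", "example.org"]:
        print(inspect_domain(name))
```

Displaying the `ascii_form` next to a link is often enough on its own: the `xn--` prefix makes a swapped-in symbol visible even when the rendered name looks identical.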


Talking to Kids about Online Security

Have you ever gotten that eye roll from a 10-year-old when you try to talk to them about cybersecurity? While a lot of kids know a great deal about navigating technology, they still need guidance about safety. A good starting point is comparing being home alone to being online alone (from a parent’s or guardian’s perspective). 

Home alone plan:

  1. Keep a list of emergency contacts
  2. Do not open the door to strangers
  3. Keep doors and windows locked
  4. Don’t answer the phone unless it is us
  5. Don’t climb on the furniture

Mobile alone plan:

  1. Notify us about uncomfortable interactions
  2. Don’t connect with strangers
  3. Use strong passwords and auto-update apps
  4. Don’t answer messages from strangers
  5. Don’t go to sketchy websites

Providing clear guidelines about what kids should or shouldn’t do online will help keep the whole family safe. (10/06/2023)


Learn how to sign out from your Google account on all devices

If you have a Google account, this tip is for you. If you’re concerned about unauthorized access to your Gmail account, due to forgetting to log out from a shared computer or noticing suspicious activity, there’s an easy solution. There is a page that lets you see what devices have activity on the account and how to sign those devices out of the account.

Google support has the full instructions here. But here are the quick steps:

    1. Open Gmail.
    2. In the top right, click your photo.
    3. Click Manage your Google Account.
    4. Click Security.
    5. Under “Your devices,” click Manage all devices.
    6. Choose a device.
    7. Click Sign out.

#BeCyberSafe and know what activity has happened recently. If you don’t know, you can’t protect yourself. (09/29/2023)


Don’t Blame the Victim

“What were you thinking!” – doesn’t help solve a crime. There is often a culture of blaming fraud victims for their predicament even in less obvious cybercrimes, like falling for an aggressive phone scam or clicking on a well-written phishing email. As a society, we have a strong tendency to focus on something the victim didn’t know or didn’t do, rather than focusing on the criminal and the crime.

Instead of looking at people who lose money due to online fraud as gullible marks, first remember that they are victims. At the end of the day, the person at fault is the criminal.  

Please know that, at UTHSC, if you report that you fell for a phish, clicked a link, or gave away your credentials, we won’t blame you. Letting us know as soon as you realize it happened goes a long way toward fixing it in a timely manner and securing your information. Remember, it is easier to get a handle on a problem if we know about it 30 minutes after it happened instead of 30 days. Contact the Office of Cybersecurity at abuse@uthsc.edu. (09/22/2023)


A Reminder About Vishing

Vishing, or voice phishing, is using the telephone to conduct phishing attacks. This week, the Las Vegas casino organizations MGM and Caesars both had cyberattack incidents. For MGM, how did the attackers get in? A 10-minute phone call to a help desk in search of credentials. Don't let this happen to you!

We've all gotten the phone calls about extended car warranties or that "free" vacation. But vishing goes far deeper than that. While we are still waiting on confirmation of the exact attack vector for the casinos, it is reported that the hackers looked on LinkedIn to find employees of MGM, and then called the help desk to request assistance in logging in. With stolen credentials, they were in within 10 minutes.

Think about the calls you get and if they are legit. Most reputable companies, especially banking institutions, will not ask for your username and password. Protect your credentials as if they are actual money because they are highly valuable. (09/15/2023)


Online Security for Kids

Our kids’ lives are online today more than ever, from socializing with friends and gaming, to online learning and education. So how can we help our kids make the most of online technology, safely and securely?

Education and Communication
First and foremost, make sure that you foster good open communications with your children. Far too often, parents get caught up in the technology required to block content or determining which mobile apps are good or bad. Ultimately, keeping kids safe is less about technology and more about behavior and values. A good place to start is to create a list of expectations with your kids. Here are some factors to consider (Note that these rules should evolve as kids get older.):

  • Decide on times when they can or cannot go online for fun, and for how long. For example, you may want to be sure children complete all homework or chores before gaming online or social networking with friends, and limit the amount of time they do spend online each day.
  • Identify the types of websites, mobile apps, and games that they can access online and why they are appropriate or not.
  • Determine what information they can share and with whom. Children often do not realize that what they post online is public, permanent, and accessible to anyone. In addition, anything they share privately with their friends can be (and often is) shared with others without them knowing.
  • Identify who they should report problems to, such as strange pop-ups, scary websites, or if someone online is being a bully or creepy. It’s critical that children feel safe talking to a trusted adult.
  • Just like in the real world, teach children to treat others online as they would want to be treated themselves, with respect and dignity.
  • Ensure children understand that people online may not be who they claim to be, and that not all information is accurate or truthful.
  • Define what can be purchased online and by whom, including in-game purchases.

Over time, the better they behave and the more trust they gain, the more flexibility you may want to give them. Once you decide on the rules, post them in the house. Even better, have your kids contribute to the rules and sign the document so that everyone is in full agreement.

The earlier you start talking to your kids about your expectations, the better. Not sure how to start the conversation? Ask them which apps they are using and how they work. Put your child in the role of teacher and have them show you what they are doing online. Consider giving them some “What if…” scenarios to reinforce the positive digital behaviors you’ve discussed or agreed upon. Keeping communication open and active is the best way to help kids stay safe in today’s digital world.

For mobile devices, consider a central charging station somewhere in your house. Before your children go to bed at night, have a specific time when all mobile devices are placed at the charging station so your children are not tempted to use them when they should be sleeping.

Security Technologies and Parental Controls
There are security technologies and parental controls you can use to monitor and help enforce the rules you set. These solutions tend to work best for younger children. Older kids not only need more access to the internet but often use devices that you may not control or cannot monitor, such as school-issued devices, gaming consoles, or devices at a friend’s or relative’s house. In addition, older children can often circumvent purely technological attempts to control them. This is why, ultimately, communication, values, and trust with children are so important.

Leading by Example
Remember to set a good example as parents or guardians. When your kids talk to you, put your own digital device down and give them your full attention. Consider not using digital devices at the dinner table, and never text while driving. Finally, when kids make mistakes, treat each one as an experience to learn from instead of simply punishing them. Make sure they feel safe approaching you when they experience anything uncomfortable or realize they have made a mistake online. (09/08/2023)


Check if Email Addresses Have Appeared in Known Data Breaches

A bad actor can discover your name, location, online accounts, contacts, and even your Social Security Number if your email address is part of a severe breach.  They can use this information to launch phishing attacks, spam you, steal your identity, or compromise your security. Check haveibeenpwned.com to see if your email was leaked. All you need to do is type in an email address. Check your personal email accounts as well as those of your family members. 

This site also shows the largest breaches and the most current reported breaches.  (09/01/2023)


Avoid Participating in Online Quizzes

Online quizzes have become a significant cultural trend thanks to companies like BuzzFeed. They ask questions like “Which Succession character are you?” or “Do you remember these 90s TV shows?”. However, before engaging with such quizzes, think about doing something else. The reason is that these quizzes are primarily created to gather your data and sell it to marketers, leading to more intrusive and oddly personalized ads appearing on your web browsing. (08/25/2023)


If Your Connection is Strangely Slow For Long Periods, Investigate Why

There are countless factors that can slow down a network connection, from failing infrastructure (both in and outside the home) to bandwidth leaks to unauthorized users sapping your connection from outside. If you frequently experience slower-than-normal internet speeds, go into your router’s settings and look for possible causes.

If you suspect the problem isn’t with you but with your ISP’s external infrastructure, call them. They should be able to run a test from where they are. If they detect a problem, they’ll usually fix it rapidly and without charge, since it’s likely to affect a large area. (08/18/2023)


Help Reduce Eye Strain

All backlit screens emit blue light. While this makes them easy to see in a dark room, over-exposure can lead to eye strain. Looking at a screen right before bed can also harm your sleep patterns because the brain treats blue light as sunlight, telling your body it’s time to wake up instead of sleep.

To avoid eye strain, consider taking frequent breaks and following the 20-20-20 rule: Every 20 minutes, focus on something about 20 feet away for 20 seconds. This simple exercise can refresh the focus of your eyes and help them feel better.

To fall asleep more easily, try to avoid looking at a screen too close to bedtime. The actual amount of time you need away will vary per person, but a good starting point is 30 minutes. (08/04/2023)


Turn Off Information Storage on Your Browser

Many computer users take advantage of the convenience of saving credentials in their browser so they don’t have to enter them repeatedly. This lets them instantly fill in credit card numbers and personal information across all websites. However, all this data is stored in the browser, meaning a criminal can potentially access it.

A far safer alternative is to disable this feature completely and use a password manager. Password managers are separate from your browser and, unlike browser-based credential storage, are always protected by a master password. (07/28/2023)


Put Your Router Somewhere Away From Interference

Where you place a wireless router can make all the difference in its range. While you probably already realize walls, floors, and ceilings can hinder a Wi-Fi broadcast, you should pay special attention to microwaves, fireplaces, and electronic devices such as refrigerators or air conditioners. These can severely distort the signal. (07/21/2023)


Phishing Scams Can Come From Anywhere

While email is perhaps the most common source of phishing attacks, they can come from practically anywhere. Text messages, social media, traditional mail, and even phone calls may all follow the common phisher’s playbook by pretending to be a legitimate source asking for information. Remember: If you’re not sure, contact the alleged source directly with a different communication method. (07/14/2023)


Pay attention to what you’re agreeing to during app installations

It’s common for free apps to try to sneak in extra software you don’t want during the installation process. For example, a popular cleaning app will attempt to install a partnered antivirus program if you click “I agree” during one of the steps. This can be especially frustrating if you already have an antivirus service installed, as the new service will attempt to replace your existing platform.

The solution? Don’t mindlessly click “I agree” during installations, and read each screen carefully to avoid problems. (07/07/2023)


Avoid Using a Credit Card Swipe if Possible

Modern credit cards often have three mechanisms for in-person purchases – swiping, chip insertion, and tapping. From a security perspective, chip insertion and tapping are much more secure and should be used if available. Mobile tap-to-pay solutions like Apple Pay and G Pay are also very secure. (06/30/2023)


Protect Yourself From Scam Phone Calls By Not Engaging with Unfamiliar Callers

Despite regulations like the National Do Not Call List, the number of these unwanted calls has been increasing. As such, the best way to protect yourself is to not answer phone calls from numbers that you do not recognize. To still be able to connect with legitimate callers, it is advisable to set up a voicemail box with a descriptive prompt. Scammers will likely leave no message, or just a few seconds of silence, when they call.

The reason answering leads to more and more calls is that, once a call is answered, that phone number is put on a “live” list, or a list of actively answered numbers, which is more valuable to the scammers and can be sold over and over again.

This one hits close to home, as my mother refuses to NOT answer the phone when it rings, but complains about the number of calls she gets daily. Talk to elderly family members and friends about this and advise them to use the caller ID and their contacts list to screen the calls they want to answer. (06/23/2023)


Have a Backup Browser

You always use Chrome, you always use Edge, you always use Firefox. While having a primary browser is good, having a backup is necessary if a website won’t load properly. However, make sure that you keep all browsers up-to-date. Like any application, don’t install browsers if you are not going to use them. Un-updated software is a way in for the bad actors. (06/16/2023)


Beware of “Spoofed” Web Pages

A common phishing tactic is providing a link that “spoofs” or imitates a legitimate company’s web page. For example, a cybercriminal may claim to be from Google and ask you to enter information on a particular form. This form will look virtually identical to the real thing, but it could be a place to share sensitive information with the criminal. If you’re unsure, type Google.com (or another domain) directly into your address bar to ensure you’re on the official website.

Visit our phishing webpage for examples of how similar a spoofed web page URL can look to the real one. (06/09/2023)


Location Services Are Usually Unnecessary

Many apps and websites will attempt to access your location, but it’s usually not required to use the service. Take a few seconds to think when that box pops up asking you to Allow “them” to know your location. Don’t share your location with just anyone, and disable location data entirely if you’re especially concerned. (06/02/2023)


Security Questions Don’t Have To Be True

You’re probably familiar with security questions as a way to recover an account online. They’re often questions like, “What is your mother’s maiden name?” or “What is the name of the street you grew up on?” True answers are less secure than fake ones, as anyone with that information could potentially access your account. For these questions, write whatever you want but make sure you remember what your answers were. (05/26/2023)


Set Clear Privacy Rules For Your Social Media Accounts

Normally, by default, anything you post on social media is viewable to the public. If you don’t want everything you say and do to be made publicly viewable, adjust your privacy settings. You can, for example, make your posts only viewable to people you have listed as your friend. You can set some posts to be private, so you’re the only person who can see them, or you can make certain personal information, such as your birthday or employer, private. Check your privacy settings on all your social media accounts once in a while to ensure you’re not sharing more than you mean to. (05/19/2023)


Vacation and Travel Security Tips

As you embark upon your next adventure, remain cyber safe by following some simple practices to keep your vacation plans free from cybercriminal meddling.

GETTING READY TO GO
Use a simple cybersecurity checklist along with your packing routine before you depart for some rest and relaxation.

  • Travel lightly – Limit the number of devices you take with you on your trip. The more laptops, tablets and smartphones you take with you, the more risk you open yourself up to.
  • Check your settings – Check the privacy and security settings on web services and apps. Set limits on how and with whom you share information. You might want to change some features, like location tracking, when you are away from home.
  • Set up the “find my phone” feature – Not only will this feature allow you to locate your phone, it gives you the power to remotely wipe data or disable the device if it gets into the wrong hands.
  • Password protect your device – Set your devices to require the use of a PIN, passcode or extra security feature (like a fingerprint or facial scan). This will keep your phone, tablet or laptop locked if it is misplaced or stolen.
  • Update your software – Before hitting the road, ensure all the security features and software are up to date on your devices. Keep them updated during your travels by turning on “automatic updates” on your devices if you’re prone to forgetting. Updates often include tweaks that protect you against the latest cybersecurity concerns.
  • Back up files – If you haven’t backed up the data on your devices, like photos, documents or other files, do so before heading on vacation. If your device is lost, stolen, broken or you otherwise lose access to it, you won’t lose all your data. You can back up your data on the cloud, on an external device like a hard drive or, preferably, both.

ON THE GO
After you follow the cybersecurity to-do list before hitting the open road, there are best practices you can follow while exploring to keep your devices, data and accounts safe.

  • Actively manage location services – Location tools come in handy while navigating a new place, but they can also expose your location ‒ even through photos. Turn off location services when not in use, and consider limiting how you share your location on social media.
  • Use secure Wi-Fi – Do not transmit personal info or make purchases on unsecure or public Wi-Fi networks. Don’t access key accounts like email or banking on public Wi-Fi. Instead, use a virtual private network (VPN) or your phone as a personal hotspot to surf more securely.
  • Think before you post – Think twice before posting pictures that indicate you are away. Wait until you get back to share your magical memories with the whole internet. You might not want everyone to know you aren’t at home.
  • Protect physical devices – Ensure your devices are always with you while traveling. If you are staying in a hotel, lock them in a safe if possible. If a safe is not available, lock them in your luggage. Don’t leave devices unattended or hand them over to strangers. Using your device at an airport or cafe? Don’t leave it unattended with a stranger while you go to the restroom or order another latte.
  • Stop auto connecting – When away from home, disable remote connectivity and Bluetooth. Some devices will automatically seek and connect to available wireless networks. Bluetooth enables your device to connect wirelessly with other devices, such as headphones or automobile infotainment systems. Disable these features so that you only connect to wireless and Bluetooth networks when you want to. If you do not need them, switch them off. While out and about, these features can provide roving cybercriminals access to your devices.
  • If you share computers, don’t share information – Avoid public computers in hotel lobbies and internet cafes, especially for making online purchases or accessing your accounts. If you must use a public computer, keep your activities as generic and anonymous as possible. Avoid inputting credit card information or accessing financial accounts. If you do log into accounts, such as email, always click “logout” when you are finished. Simply closing the browser does not log you out of accounts.

Stay safe this summer and any time when you and your loved ones travel! (05/12/2023)


When Changing Passwords, Make Sure They are Significantly Different Than the Old Ones

It’s a good habit to change your passwords occasionally to keep them from being stolen or guessed. However, if your new password is similar to your old one, it will be easier to guess than if you use something completely different. Don’t just change a few numbers or letters or add one or two symbols if the rest of the password is reused. This doesn’t make your password much more difficult to guess than the one you originally had. (05/05/2023)


Check Your Phone For Unwanted Apps

You buy a new phone already loaded with tons of apps you never asked for or approved. Sometimes, the software can be installed on your phone or computer without your knowledge. It’s a good habit to occasionally check the list of apps installed on your devices and make sure you recognize everything on there. If you see something that looks unfamiliar or you no longer use, uninstall it. Be sure to check the “permissions” for all your apps. This will tell you what the app can access and what it can do with the data it collects from you. Make sure the permissions the app requires match its purpose. If something looks suspicious, uninstall it immediately. (04/28/2023)


Beware of Copycat Apps

It’s all too easy to accidentally install a malicious app on your phone. This could be because an app mimics a legitimate one; for example, if you want the Amazon Alexa app, make sure it’s the official software by Amazon by checking the source and reading the user reviews. Also, be wary of apps that are offered for free, as they may contain malware or viruses. When downloading an app, always check the app’s reviews and check the permissions it requests before installation. Also, make certain it’s from a trusted source such as the official app store for your mobile operating system. (04/21/2023)


Keep a Close Eye on Older Devices

There’s no problem with holding onto a phone, tablet, or computer for a long period of time, but there are two important conditions you should keep in mind. If the device has reached the end-of-life of its support and is connected to the internet, you should seriously consider upgrading to a newer model. This is because devices that meet these criteria are more vulnerable to malware infections, as they contain unpatched security flaws and are no longer supported by the manufacturer.

If it is a UTHSC-owned device, ITS has recommendations on when to refresh that device, along with minimum hardware requirements when you purchase a new one. See the KB article, https://uthsc.teamdynamix.com/TDClient/2280/Portal/KB/ArticleDet?ID=139906 for that information. (04/14/2023)


What does Piggybacking Do?

There are two meanings to “piggybacking”: physical and cyber. Physical piggybacking is when someone who shouldn’t be entering gains physical access to a facility by going in with an authorized person, using that person’s credentials. Cyber piggybacking is the same thing done not physically but with technology: unwanted users getting onto your internet connection.

If you don’t secure your wireless network, anyone with a wireless-enabled computer in range of your access point could use your connection. The typical indoor broadcast range of an access point is 150 – 300 feet. Outdoors, this range may extend as far as 1,000 feet. So, if your neighborhood is closely settled, or if you live in an apartment or condominium, failure to secure your wireless network could potentially open your internet connection to unintended users. These users may be able to conduct illegal activity, monitor and capture your web traffic, or steal personal files. (04/06/2023)


Understand how “brute force” and “dictionary” password breaches happen

The best way to protect yourself from having your password stolen by bad actors is to understand how they can guess your password — and brute force attacks are one of the most common methods. This is when an automated program attempts to discover your password by entering words often found in a dictionary. If you want to keep your passwords safe, don’t use these. Use made-up words, acronyms, or random strings of characters instead. (03/31/2023)


Unknown USB Flash Drives are Unsafe

Despite their small size, USB flash drives have been used for various nefarious activities, including infiltrating nuclear facilities, infecting power plants’ control systems, and destroying computers with electrical surges. Usually, the talk is about how these drives contain malware that can infect a computer and consequently a network. Five Ecuadorian journalists recently received unsolicited USB drives meant to explode upon activation. Unfortunately, one journalist inserted the drive into his computer, causing it to explode, and resulting in mild injuries.

So the tip? Don’t insert any external drive into your device from an unknown source. If a drive is found on campus, deliver it to ITS in the Alexander Building for examination. (03/24/2023)


Block Unfamiliar Phone Numbers

Phone call spam has gotten much worse throughout the 2020s, with many people receiving multiple scam calls per day. Most smartphones allow specific numbers to be blocked, which is worthwhile for any number that you don’t know and aren’t expecting any calls from. (03/17/2023)


Be Cautious on What You Are Feeding ChatGPT and Other AI Applications

By now, you’ve probably heard about ChatGPT and other artificial intelligence (AI) applications that talk to you in real, natural language, conversation style. You might have tested it out, asking it to create a story, write a document for you, or just answer a question. However, a new report states that 4% of employees globally input sensitive information into this large language model. So this week’s tip? Be careful about what you type in.

KnowBe4 reported some interesting findings regarding the use of these AI applications. The concern is that these applications will store this sensitive data and incorporate it into later answers or discussions. An example given was someone who inputted their company’s entire strategic plan into ChatGPT, asking it to create a PowerPoint presentation. ChatGPT now has all that information.

At UTHSC, we have a Data Classification Standard to aid everyone in determining how sensitive the data you use actually is. It is your responsibility to safeguard that data and use it appropriately.  (3/10/2023)


Warnings about Installing Software

This week’s tip is a warning about being cautious when installing software. Say you bought TurboTax to use in your tax preparation. During the software installation, there is a screen that states you will be installing other software, such as antivirus, browser extensions, or other applications whose makers have paid the original software company to bundle them together. You have to uncheck the boxes NOT to install the additional, unwanted software.

Also, most phones allow you to add apps to them manually, without using traditional stores such as Google Play and the Apple App Store. While these apps may seem useful, there’s no reliable way to tell if they’re completely safe. It’s best to avoid sideloading apps altogether unless you’re completely sure the app is legitimate.

Final word – don’t install anything you are not 100% sure about. (3/3/2023)


Should You Click On Unsubscribe?

Some common questions we get are “Should I click on an unwanted email’s ’Unsubscribe’ link? Will that lead to more or less unwanted email?”

The short answer is that, in general, it is OK to click on a legitimate vendor’s unsubscribe link. But if you think the email is sketchy, or it is coming from a source to which you would not want to confirm that your email address is valid and active, or you are unsure, do not take the chance; skip the unsubscribe action.

If you know or suspect the email is coming from a non-legitimate vendor, clicking on any unsubscribe feature is hit or miss. Some of the spam senders consider themselves legitimate businesses and will offer and abide by the unsubscribing rule of their (or their recipient’s home) country. Most will not. Most of the time, clicking on a fraudster’s unsubscribe feature will simply confirm your email address is valid and active and this will likely result in your email appearing for sale in cybercriminal forums for years.

In summary, yes, click on those unsubscribe features when included in legitimate emails from legitimate vendors, but not if the email appears to be from a spam marketer or scam artist. (2/24/2023)


Bookmark Websites

All major desktop and mobile browsers let you create bookmarks for individual websites, which can be clicked from a list to visit the site. It might seem like a minor feature, but it’s a good security improvement since it prevents you from needing to manually type in URLs or click on links in emails or other collateral – you always have a safe copy of the address you can visit with a single click. (2/17/2023)


Review Your Spam Folder Regularly

Modern email spam filters are very powerful and can keep many common threats controlled without them ever hitting your inbox. Still, it’s worthwhile to occasionally take a look at your spam folder to see if the filter is too aggressive and is blocking mail you want to see. Marking items as spam or not spam can help the filter become more precise for your needs. (2/10/2023)


Do You Take Pictures With Your Phone?

In this day and age, you probably do take pictures with your phone. Think about what you are taking a picture of, in terms of sensitive information. If you use your smartphone to snap pictures of sensitive documents, don’t forget that you probably have given many apps access to your photo album and therefore they also have access to these documents. Go to Settings -> Privacy -> Photos -> Check which apps have access to your photo album -> Toggle ON or OFF the access. (2/3/2023)


Avoid Accidentally Revealing Personal Information Online

Be careful when streaming, gaming, chatting online, taking photos, or doing anything else that might compromise your privacy. It’s extremely easy to accidentally reveal your identity and location online. Whether you’re a streamer who does business from their home, a gamer with a microphone, or showing yourself online in any form, take steps to conceal your identity. This means not using your real name, not revealing your location by filming outside, or sharing any credentials. (1/27/2023)


Don’t Sign Up for New Accounts With Your Social Media Credentials

Many sites online will let you sign up for their service quickly through your social media account. However, this gives them access to a lot of information present on that service. If at all possible, sign up with your email address. It may take a little longer, but it’s much more secure. 

Have an email address that is used only for these types of accounts, one that you expect to get tons of advertisements or spam because it is out there on numerous sites that might sell their email lists to others. This keeps your personal email that you share with friends and family free of junk.

There are other practical reasons to do this as well: For example, if you use Facebook to log in to other services, then that login won’t work if the service is down or experiencing technical difficulties. (1/20/2023)


Secure Your Zoom Meetings

Zoom Bombing, when uninvited “guests” show up and disrupt your Zoom meeting, is happening more frequently on campus. Reported disruptions include vulgar language in the chat feature and inappropriate views when the uninvited guests’ cameras were turned on.

ITS has developed some Zoom security pages in our TechConnect Knowledge Base (KB) to help secure your Zoom meetings and Zoom itself has support pages. Read the full article here.  (1/13/2023)


Stop Using Internet Explorer

As of June 2022, Microsoft has discontinued support for Internet Explorer, and the browser is no longer receiving security updates. This makes it dangerous to continue to use it. The application has since been replaced by Edge, the company’s newest browser. If you wish to continue using a Microsoft browser and are still hanging on to Internet Explorer, upgrade to Edge as soon as possible, as it contains a wide range of new security features that can help keep you safe online. (1/6/2023)

Jan 6, 2026