
Tip of the Week


Only Provide Your Social Security Number if Absolutely Necessary

Only give out your social security number if it is absolutely necessary and you have verified the identity of the person requesting it.

Your Social Security Number is often requested and used by organizations to help identify you and to access your confidential records. If someone asks for your Social Security Number, ask if there is some other way to verify your identity. Only give your information out if you have verified the requester's identity, for example, by calling a known and publicly posted phone number. Never give out your Social Security Number to an unknown person who calls you. (9/17/2021)

Make Sure You Have Physical Privacy When Sending Confidential Information

Confidential emails can be read over your shoulder. Be sure you have privacy when sending email.

Not all security and data breaches need to be high tech. Confidential or sensitive information could be gathered by simply looking over your shoulder as you send an email. As an example, banking data could be memorized at a glance by someone walking past. Always make sure that no one else is in view of your screen when you send confidential information. (9/10/2021)

Emails May Not Be From Who They Seem To Be

Don’t automatically trust emails from friends and colleagues.

Malicious users can send emails that appear to have come from anyone. An email from a friend or colleague may have come from a hacked account or have the name spoofed. Contact your friend or colleague directly if you have concerns about an email they have sent to you and do not transmit personal or sensitive data through email. Do not respond directly to the email until certain it came from a valid source.

If you are suspicious of any email in your UTHSC inbox, forward it to for examination, or use the “Report Message” icon in Outlook. This icon is located in the top ribbon, under the Protection area of the Home tab. (9/3/2021)

Always make sure that you connect to the right Wi-Fi network

Network names may be misleading. Whenever you’re connecting to a new Wi-Fi network, you should ask someone what the correct Wi-Fi name should be. You should never assume based on name which Wi-Fi connection is the correct one; anyone can create a Wi-Fi access point under any name designed to collect information. A Wi-Fi network named “CoffeeShopGuests” at a coffee shop may be created by someone who is actually down the street. Once you are connected to a Wi-Fi access point, the data you transmit can become vulnerable. (8/27/2021)

How to FIND and DELETE Old, Unused Accounts

We all have accounts we no longer use, but some apps and websites make deleting your profile very hard to do. Ignoring them is easier, but that creates a major security threat to your personal information. We preach all the time about knowing where your data is so that you can protect it. The first problem is finding these old accounts. Then you have to take the time to delete the account.

Some of this is complicated, so here is the article from which this information is coming: 

Step 1 - How to Find Old Accounts

The first place to search is in your web browser. Most modern browsers can save login info for any websites you access, and you can quickly find any accounts you’ve saved from the settings menu. Here’s where to look in Chrome, Edge, Firefox, and Safari:

  • Chrome: Go to Settings > Passwords.
  • Edge: Go to Settings > Profiles > Passwords > Saved Passwords.
  • Firefox: Go to Preferences > Privacy & Security > Saved Logins.
  • Safari: Go to Preferences > Passwords.

Also check the social media and platform accounts whose credentials you might have used to log into other accounts:

  • Apple ID: On your iPhone or iPad, go to Settings > Password & Security > Apps Using Your Apple ID.
  • Facebook: Go to Settings > Apps and Websites.
  • Google: Go to then click “Security.” Check under “Third-party apps with account access” and “Signing in to other sites.”
  • Instagram: Go to Settings > Security > Apps & Websites
  • Twitter: Go to Settings and privacy > Account > Apps and Sessions > Connected Apps.

Step 2 - Recover Your Passwords

If it has been years, you probably don't remember the password, but you need to be in control of the account in order to delete it. Hopefully you still have access to the email address used when setting up these accounts, so a "recover username" or "recover password" link is helpful.

Step 3 - Delete the Account

This is where it gets complicated, as different accounts will have different ways of deleting information. And they want to keep your data, so they make it hard to do. Read the article ( - if you didn't see it up top) for suggestions on how to delete some accounts, but if you have no luck, contact that company and have them do the work.  (8/20/2021)

Trust your Gut Feelings

Often, you may pick up on suspicious situations subconsciously before you can consciously recognize them. If you feel troubled by an email, instant message, or even phone call you should trust yourself and investigate further. You may be the target of a scam artist. There is nothing to be lost by checking.

Contact the Office of Cybersecurity at or the ITS Service Desk at 901.448.2222 for assistance. (8/13/2021)

If Your Credit Card is Rejected, It May Be a Sign of Identity Theft

Having your credit card inexplicably rejected isn’t just embarrassing–it can also be a warning sign. If your credit card is rejected you should immediately call the number on the back of the card to talk to your credit card company or bank. Your credit card could have been frozen due to suspected identity theft. Many banks will freeze your credit card if they see you making purchases in an area far away or completing transactions that are otherwise unusual for you. Your card could also potentially be declined because an identity thief has maxed it out. Either way, you will want to resolve the situation quickly. (8/6/2021)

Staying at a hotel? Store devices in a safe, locked location

Criminals prey on people who are traveling, and if they get a hold of your laptop, tablet, or smartphone in your hotel room, they may access your organization’s sensitive data. Any time that you need to work remotely and are staying in a hotel, protect your organization’s information by storing all devices as securely as possible. If there is no safe in your room, ask the front desk if they have a general-purpose hotel safe that you can use. Secure your items by locking them up in luggage when they are not in use. (7/30/2021)

Criminals Impersonate People You Know Via Social Media

Cyber thieves will try to make you think they are a known friend via social networks. If you receive a suspicious email or post via sites such as Facebook or Twitter, be prepared and be on guard. A hacker may have taken over your friend’s account and be using it to send out messages to every contact to scam them out of money. For example, you may get a message that a friend who is traveling abroad has lost his luggage and wallet and needs you to transfer funds immediately to help him get home. Before taking action, verify that the message is real. And by that, we mean use another means besides responding to a message that might be controlled by the criminal. (7/23/2021)

When It Is Okay to LIE

We have been taught from an early age to always tell the truth. However, there is an area in cybersecurity where you are encouraged to lie – Security Questions. These pesky questions like “mother’s maiden name” and “name of your high school” are designed to prove you are really you, but are the true answers easy to find?

SPAR – Security Preparedness and Response

Just like you must protect your passwords, you must protect any data that can easily identify who you are from those wanting to steal your information and identity. Therefore, be prepared to use false information in answering these security questions. Respond to these questions with false information. The trick is you have to remember your lie. Make the answers something only YOU would know.

Finding personal information on the web has never been easier. We share too much. If a hacker wants to steal your identity, all they need to know are the answers to these questions to take over accounts and lock you out. (7/16/2021)

Protect your Data with Regular Backups

Protect your data with regular backups. External drives and off site backups will ensure data is protected.

Many things can lead to a loss of the data on your computer. Fires, floods, earthquakes, and even something as simple as a damaged hard drive could erase all of the information you have. Be prepared to protect yourself with an external drive and protect yourself off-site with web backups or cloud backup solutions. Remember that your backups should be password protected and encrypted just like your computer is.

How should you respond to the loss of data? For UTHSC devices, contact ITS to start the process of investigation and remediation. For personal devices, contact the seller or manufacturer to troubleshoot the issue if you don't immediately see what the problem is, i.e. you had a flood. Purchase protection plans may cover repairs. (7/2/2021)

Web Browsers – Only Use the Latest Version

This week’s tip is a reminder about using older versions of web browsers. DON’T DO IT! Old web browsers may have unpatched security issues that have been discovered, creating a high risk for yourself and UTHSC if used. Use only the latest version of a browser to access the web. Also, set browsers to auto update to the most recent version so your computer is protected from new exploits.

Another tip – if you have multiple browsers on your machine, i.e. Internet Explorer, Edge, Mozilla Firefox, Google Chrome, Apple Safari, but you don’t launch and use them regularly, remove them. They are a vulnerability to your device. (While you are at it, remove ANY application that you don’t use. Why keep it?)

Did you know that Microsoft will end support of Internet Explorer 11 on June 15, 2022? The newer replacement from Microsoft, Edge, has been available for years and will continue to be supported after IE is retired.

Our Patch Management Team does push out updates for certain applications and operating systems to UTHSC devices. Apple device updates are pushed through the cloud. However, Windows machines must be connected to the UTHSC network in order to get the updates. Per policy, UTHSC devices should be powered on over the weekend to receive these updates. If working remotely, they need to be connected through the UTHSC VPN. (6/25/2021)

Avoid Ransomware Through Good Security Habits

Some malware programs will require that you pay to unlock your system. Avoid “ransomware” through good system security habits.

Malware programs called “ransomware” will infect your computer and demand that you pay a “ransom” to the creator of the program to remove it. Paying the ransom will only give the creator of the program access to your personal and financial information. You can avoid ransomware by keeping your operating system updated, using an antivirus program and conducting regular system scans. Most of the time, ransomware can be removed the same way as malware using an antivirus program. Sometimes a more thorough “cleaning” is necessary.

If you think you are a victim of ransomware on your UTHSC device, contact the Office of Cybersecurity (, 901.448.1880) immediately for remediation. More information on how to prepare and respond will be coming next week.

All of these weekly tips are stored on the Office of Cybersecurity’s Tip Archive. As there are almost four years’ worth of tips, to find one on a certain topic you can use Ctrl+F (Windows) or Command+F (Mac) to search the page. (6/18/2021)

Securely Using Mobile Apps

This tip comes from the SANS OUCH! Newsletter

by Domenica Crognale


Mobile devices, such as tablets, smartphones, and smartwatches, have become one of the primary technologies we use in both our personal and professional lives. What makes these devices so powerful are the thousands of apps we can choose from. These apps enable us to be more productive, communicate and share with others, train and educate, or just have more fun. Here are steps you can take to securely use and make the most of today’s mobile apps.

Obtaining Safe Mobile Apps 

Cyber criminals have mastered their skills at creating and distributing malicious apps that appear to be legitimate. If you install one of these apps, criminals can often take complete control of your mobile device or data. This is why you want to ensure you only download safe mobile apps from trusted sources. What you may not realize is that the brand of mobile device you use determines your options for downloading apps.

For Apple devices, only download mobile apps from the Apple App Store. The advantage here is that Apple does a security check of all mobile apps before they are made available to customers. While Apple cannot catch all malicious apps, this managed environment dramatically reduces the risk of downloading one. In addition, if Apple does find an app that it believes is malicious, it will quickly remove it.

For Android devices, only download mobile apps from Google Play, which is maintained by Google. Similar to Apple, Google does a security check of all apps before they are made available to customers. The difference with Android devices is that you can also enable certain options that allow you to download mobile apps from other sources. We highly recommend against this since anyone, including cyber criminals, can easily create and distribute malicious mobile apps and trick you into infecting your mobile device.

Regardless of which brand you are using, research an app before downloading it. Look at how long the mobile app has been available, how many people have used it, and who the vendor is. The longer an app has been publicly available, the more people that have used and left positive comments about it, and the more often the app vendors update it, the more likely the app can be trusted. In addition, install only apps you need and use. Ask yourself, “Do I really need this app?” Not only does each app potentially bring new vulnerabilities but also new privacy issues. If you stop using an app or no longer find it useful, remove it from your mobile device (you can always add it back later if you find you truly need it).

Apps Privacy and Permissions 

Once installed, make sure the app is protecting your privacy. Does that app really need access to your location, microphone, or contacts? When you enable permissions, you may be allowing the creator of that app to track you, even allowing them to share or sell your information to others. If you do not wish to grant these permissions, simply deny the permission request, grant the app the permission only when it’s actively being used, or shop around for another app that meets your requirements. Remember, you have lots of choices out there.

Updating Apps 

Mobile apps, just like your computer and mobile device operating system, must be updated. Criminals are constantly searching for and finding new weaknesses in apps and developing ways to exploit these weaknesses. The app’s developers create and release updates to fix these weaknesses and protect your devices. The more often you check for and install updates, the better. Most devices allow you to configure your system to automatically update mobile apps. We highly recommend enabling this setting. Mobile apps are key to making the most of your devices. Just be careful of the ones you select and make sure you use them safely and securely. (6/11/2021)

Don’t Be Afraid to Say No

Social engineers prey on the good-mannered. Don’t be afraid to say no.

Social engineers try to convince people to do things by preying on their urge to be good-mannered and polite. If someone asks you to give them personal information or to give them access to confidential information, don’t be afraid to be direct and say no. A social engineer encounter can be through telephone, email, or even in person. Anyone suspicious should be denied access until you can verify their identity. (6/4/2021)

Insider Threats are Real – Data Breaches do Occur from Within

Data breaches from within do occur. Limit access to sensitive information on a need to know basis.

To combat the malicious insider threats, limit the access of sensitive data on a need to know basis. Don’t send any data to someone who does not need to work with this data and is not authorized to access the data. If in doubt,  consult with your supervisor regarding who has access to what information. More information about insider threat can be found  on the Office of Cybersecurity’s webpage.

Now, about The Inside Man.  The series is about an IT security analyst starting a new job where no one suspects he is already inside their most secure systems or that sinister forces are pulling his strings. This series delivers an entertaining, movie-like experience with a compelling story. It is available on Amazon Prime and runs 1 hour and 17 minutes (set in London, so the British accents are a plus).  It engages in topics that are more than just work related, so watching as a family is highly recommended.

Each of The Inside Man episodes addresses a different security issue:

  • Episode 1: The New Guy –> Issue: Social Engineering
  • Episode 2: Social Hour –> Issue: Social Media
  • Episode 3: On Our Side –> Issue: Phishing Attacks
  • Episode 4: Surprise –> Issue: Document Disposal
  • Episode 5: Takeaways –> Issue: Clear Desktop Policy
  • Episode 6: Masquerade –> Issue: Cloud Services
  • Episode 7: Buying Time –> Issue: Passwords
  • Episode 8: Taken –> Issue: Ransomware
  • Episode 9: Where The Wild Things Are –> Issue: Travel
  • Episode 10: Keep Your Friends Close –> Issue: App Security and Permissions
  • Episode 11: The Sound Of Trumpets –> Issue: External Devices
  • Episode 12: Checkmate –> Issue: Insider Threats


Don’t talk about sensitive information in public

People may be listening to you speak. Don’t talk about sensitive information when in public.

When you’re in public and speaking on your mobile phone anyone could be listening. Don’t discuss sensitive information such as workplace information or personally identifiable data while you’re in public.  Someone could gather enough information from you to either log into one of your accounts or even steal your identity. Instead, excuse yourself from the conversation until in private.

I personally think of this every time I pick up a prescription. The pharmacist or tech asks for my last name and date of birth. I take a moment to look around and if ANYONE is within listening distance, I ask for a piece of paper to write it down, then take the paper to shred later. I’ve started some great discussions with people asking why I do that. (5/21/2021)

Devote a Single Credit Card for Online Purchases to Minimize Risk

Stay one step ahead of thieves: devote a single credit card for online purchases to minimize your risk.

If you have more than one credit card, it might be tempting to use them all when you are shopping online at different sites. However, it’s prudent to designate one credit card for all your Internet transactions. That way, if an organization you’re buying items from is attacked by hackers, you will only need to report one credit card stolen to your financial institution and you’ll easily know which of your credit cards is affected. Additionally, you’ll still be able to use your other credit cards to purchase vitally needed goods and services while you await replacement of the stolen card. (5/14/2021)

Use Pass Phrases instead of Passwords

Pass phrases are more secure than traditional passwords. Use long pass phrases when securing sensitive data.

A pass phrase is a long phrase that is used in place of a password, such as “IamGoingtoEataPie!” Pass phrases are easier to remember than traditional passwords and more difficult for a hacker to guess. Use proper capitalization and punctuation in your pass phrase to increase its complexity and make it even more secure. Use a phrase that you’ll find easy to remember and resist the urge to write it down or store it in a  computer file.

Learn more about passwords and view some resources on the Office of Cybersecurity’s password webpage. (5/7/2021)

Never plug in a free or found USB drive into your computer

USB drives can carry viruses. Never plug in a free or found USB drive into your computer. Once plugged into a computer, a USB drive can transfer a virus or other malware to your system. You should never plug in a USB drive that you have received for free or found somewhere on campus; even if the USB drive was found at UTHSC, it might still have a virus on it. Keep your USB drives clearly marked to prevent any confusion between you and your coworkers and always keep them in a specific place.

If you find a USB drive on campus, turn it in to ITS (6th floor, Alexander) for review. (4/30/2021)


Do not install software on your UTHSC owned device unless it has been approved

Unauthorized software can contain viruses and other forms of malware, and can cause conflicts with other applications. The software must be properly accounted for and follow proper licensing requirements. If you need software that is not approved or authorized for your computer, contact your supervisor or Procurement’s webpage for more information. (4/23/2021)

Legitimate emails usually don’t demand immediate action

If an email is sent to you that requests that you take an immediate action, you should be skeptical. Rather than responding to the email, you should call or otherwise directly contact the sending party for more information. A demand for immediate action is usually used to make you rush, so that you don’t notice other warning signs and respond based on emotions, not logic or training. (4/16/2021)

Never Let a Stranger Use Your Computer or Mobile Device

Strangers on your computer may attempt to access confidential files. Never let a stranger use your computer.

Strangers may attempt to gain access to your computer so that they can access sensitive or confidential documents. They may give you a reason that they need to use your computer, such as a personal favor. Anyone on your computer will have access to the files and systems that you have access to. You should never let a stranger access either your work or home computer. (4/9/2021)

Encrypt Sensitive Information when Emailing

This week’s tip is a reminder that if you email sensitive information, you need to encrypt that email or use the UT Vault. Even if you are emailing another email address, encryption is still very necessary.

Information on using encrypted email can be found on the Office of Cybersecurity’s webpage.

Information about using the UT Vault can be found in the ITS Service Catalog about the Vault.

If you are unsure about the classification of the data you are sending, reference our Data Classification and Data Security standards.

Remember that your UTHSC email is not your personal email and is subject to disclosure and audit. Protect the data for which you are responsible. (4/1/2021)

Viruses Can Infect a Device in Many Ways

There are many ways in which malware may infect a system. USB drives, emailed files, instant messaging, web links, and applications are all among the major ways that a virus may be introduced. Comprehensive antivirus utilities may be used to scan risky files, and you can protect yourself and your system by avoiding any links, files, and removable media devices. (3/26/2021)

Don’t Unsubscribe from Unsolicited Emails

Spam emails may use the “unsubscribe” option to determine whether your email address is active.

Spam emails may prompt you to unsubscribe from them. When you click the unsubscribe link, you could potentially be redirected to malware. The Spam sender could also use your response to determine your email account is active; they could then either continue sending you emails or even sell your email to another spammer. Don’t unsubscribe from unsolicited emails. Just delete them. (3/19/2021)

Streaming Services and Malware

The idea for this tip was thought up with the start of March Madness and people trying to stream games from any website that will let them. Unfortunately, there are apps that let you watch illegal pirated content, and hackers are using those apps to spread malware.

If malicious software on the pirate app gets inside your wireless network, it may try to infect other devices connected to your network. That could put at risk the computer you use for sensitive transactions like online banking or shopping. It could also expose your photos and other personal information. The malware could allow hackers to:

  • Steal your credit card information and sell it to other hackers on the dark web.
  • Steal the log in credentials for sites you shop on and go on a spending spree.
  • Steal the log in credentials for your bank account and steal your money.
  • Use your computer to commit crimes.

Malware may also make your computer slow or non-responsive, serve pop-up windows or ads, or take you to sites you didn’t want to visit.

If you want to avoid downloading malware when you stream video, don’t watch pirated content. Period. Not online and not through a video streaming device. (3/19/2021)

What to Do Before You Get Rid of Your Cell Phone

Back It Up

If you’re going to upgrade, sell, give away, or recycle your phone, the first thing you should do is back up your data.

Remove SIM and SD Cards

If your phone has a SIM card, it may store your personal information. Remove the SIM card. If you’re going to keep the same phone number, you may be able to transfer your SIM card to your new phone. If you’re not going to re-use the SIM card, destroy it.

If your phone has an SD memory card for storage, remove it.

Erase Your Personal Information

Remove the information from your phone by restoring or resetting it. Make sure you erased things like your contacts, text messages, photos, videos, and your search and browsing history.

Disconnect From Accounts and Devices

After you erase the information on your phone, make sure you’ve disconnected it from devices and accounts.

  • Confirm that your account or Wi-Fi passwords aren’t still stored on the phone.
  • Check that your phone isn’t paired with other devices, like a watch or a vehicle.
  • If you use 2-step verification or multi-factor authentication to log in to any accounts, remove your phone from the list of trusted devices.
  • If you’re not keeping your phone number, change the number on file with any accounts or services that may be using it to identify you.

Recycling Your Phone

If you aren’t going to trade in, sell, or give away your phone, consider recycling it. The Environmental Protection Agency has information about where you can recycle your phone. You can also check with the phone manufacturer, your wireless service provider, or a local electronics store.

The entire article can be found on the FTC’s website. And as always, you can contact the Office of Cybersecurity at for more information. (3/12/2021)

PIN Codes Need Protection Just Like Passwords

Use caution when disclosing personal information such as PIN codes. These codes, just like passwords, need to be protected and never shared, even with your bank. Be mindful of your surroundings when entering a PIN. Make sure no one is watching. (3/5/2021)

Never Reuse Passwords – Consider a Password Manager

If you reuse passwords, a breach of one account becomes a breach for all of your accounts. Never reuse your passwords.

Easier said than done? Consider using a password manager.

According to research done by NordPass, a password manager company, the average person had 70-80 passwords in 2020. Anyone would be tempted to reuse passwords for different accounts. No one can remember that many, especially if the accounts are ones not frequented daily. A password manager can help.

Password managers are just what the name implies. They help manage passwords. They can create long, complex passwords for you and store ones you create yourself, all within an encrypted vault. When you need a password to access an account, the password manager has it for you (without looking at a sticky note).

Word of caution – you need a good password for your password manager and you must remember it.  You cannot access all those passwords you stored without it.

The Office of Cybersecurity does not have a specific recommendation for a password manager, but PC Magazine has conducted a good evaluation on what is on the market now. (2/26/2021)

Emotions Play a Part in Phishing Attempts

Social engineering is the art of human manipulation. Bad actors know that if they can make their targets FEEL something, whether fear, excitement, worry, jealousy, or a host of other emotions, they can make those targets act before thinking. They have hooked their phish. Check out the Office of Cybersecurity’s Phishing webpage for a quick 1:21 minute video about how this all works. While on the page, review how to spot a phish and how to write emails that don’t look phishy (as well as other great information). (2/19/2021)

Clean Up your Data

Call it a New Year’s Resolution, Lenten Resolution, or just Spring Cleaning, you should periodically review files you have to see if you still need them. Information that is no longer needed, especially if it is sensitive or confidential, should be deleted. It is just good cyber hygiene. (2/12/2021)

Let’s Talk Email (Signatures and Contacts)

This week’s tip is a 2-for-1 deal. First, a reminder that UTHSC has a standardized email signature, and there are security reasons why to use it. Second, it is time to clean out old contacts and groups from your Contact list. Why give yourself an opportunity to send information to an unintended audience?

Email Signatures

Using standardized email signatures is a simple and effective tool that aids in detection of phishing attacks. When all members of an organization follow the format of applying their email signature line consistently across the enterprise, it serves as a quick visual check that an email may or may not be legitimate.

Although it is easily duplicated by a nefarious actor, any deviation from the standard email signature format can serve as one more red flag that the email you received is a phishing attack.

UTHSC does require a standardized email signature line. You can find a tool HERE (NetID and Password required) which formats this required email signature for you. For more tips on how to spot phishing emails, and how to report and respond to them, and other cybersecurity tips visit the Office of Cybersecurity webpage HERE.

Old Contacts or Contact Groups

We all want to work smarter, not harder. An easy way of doing this is creating Contact Groups in Outlook (or other email platforms) for ease of sending emails to the same group of people consistently. However, as jobs and responsibilities change, keeping those old groups may lead to sending information to the wrong people, potentially causing harm to the University. Deleting old contact groups or reviewing and updating ones still needed are good security practices to make sure your communications are only going to the correct individuals. (2/5/2021)

Be very wary of anyone wanting to remote into your computer

One social engineering technique is a scammer advising you that your device has a virus or been doing something suspicious. They pretend to be from a reputable company and offer to help clean up the problem. All they need is remote access to your device, and $$$$$ (credit card number) to assist you. DON’T FALL FOR IT!

There is always a worry that your device will become infected or compromised in some way. Having someone call you, with a sense of urgency, offering to fix an issue may seem like a wonderful idea. But what they are after are a few things:

  • credit card information or banking information, to pay for the “service” they are providing
  • access to your device in order to steal your personal information
  • access to your device to download malicious software, to make it do whatever they want
  • many, many other bad things

The Office of Cybersecurity has a Compromised Computer webpage with tips on what to look for if you think your device may be compromised. Don’t take the word of someone on the phone that you have never met that there is something wrong with your machine. Just like with any other social engineering attempt, verify who that person is by another means, i.e. calling the company back using a known phone number (NOT one they give you over the phone). (1/29/2021)

Social networks can be used to spread malware

Never click on unknown links or download files through social media accounts.

Links and files on social networks can include viruses and malware. Never click on links from people that you don’t know and don’t download files that are sent to you through a social media platform. Be skeptical of any links that look unusual, such as a link that comes from someone you haven’t spoken to in a long time. Even someone you know could have their account hacked and used to send out malware.

If you think your device may have malware or be compromised in some way, we have advice at Compromised Computers or Devices. (1/22/2021)

Block scammers to reduce the risk of them contacting you again

You got an email/text/phone call/instant message that you know is a scam. What do you do? First, don’t respond to them in any way. By responding to a scam in whatever format they try to contact you, you let them know that there is an actual person at the other end. You have just elevated yourself in the eyes of the scammers.

Once you have identified someone as a scammer you should block them to prevent them from contacting you again. On most instant messenger services, you can simply right click on the person’s name and then select the “block” option. This will ensure that they cannot contact you or even see you online. You can also block emails by going into your options and adding the person’s email address to your “Blocked Addresses” lists. If you do not block a scammer, they may continue bothering you or sending you potentially harmful files and links.

Report any suspicious messages received via official UTHSC means to

Visit the Office of Cybersecurity’s redesigned webpage for more information about this and other awareness topics and resources we provide. (1/15/2021)

Keep your computer secured and learn to recognize the signs of infection

A virus or malicious program may not directly damage your computer but may instead turn it into a zombie. A zombie computer is a computer that a hacker can direct to complete certain tasks, such as attacking another target. Always keep your devices secured with antivirus protection to avoid this and complete a full system scan if you suspect your computer has been compromised. A compromised computer may begin running sluggishly, start crashing or begin performing tasks on its own.

UTHSC devices should have Carbon Black installed. You can check to see if it is installed by searching your applications. For Windows, it will be an icon in the bottom right-hand corner of the screen (you may need to click on the up arrow), or go to the Start button and start typing Carbon Black. For Macs, the CB icon would be at the top of the screen, or look in /Applications for the folder “VMware Carbon Black Cloud”. Contact the ITS Help Desk (901.448.2222) if you don’t see Carbon Black on your UTHSC owned device.

For personal devices, anti-malware and antivirus protection should come from a reputable source. Windows 10 has Windows Defender already built into the operating system.

Students are eligible for one copy of the standard consumer version of Malwarebytes, provided at no additional cost to each student. Obtain your personal copy of Malwarebytes by going to and entering your address.  You will be emailed a link to download Malwarebytes. (1/8/2021)

Social Networks Can Be Used to Spread Malware

Links and files on social networks can include viruses and malware. Never click on links from people that you don’t know and don’t download files that are sent to you through a social media platform. Be skeptical of any links that look unusual, such as a link that comes from someone you haven’t spoken to in a long time. Even someone you know could have their account hacked and used to send out malware. (12/18/2020)

Update your browser extensions and plugins

Old browser plugins may have security vulnerabilities. Update regularly to protect your computer. For your UTHSC Windows device, connect it to the VPN over the weekend to get updates. Macs are updated through the cloud. But don’t forget about your personal devices! Browser plugins, such as Flash, Java, and Acrobat, may become out of date and represent a security risk.

Update them on a regular basis or set them to update themselves automatically to ensure your computer is protected. Make sure to restart after updating.

A simple Google search will give direction on how to update whichever browser you use. Make sure you update all the browsers on your device. (12/11/2020)

NEVER Share Your Password

Even if you trust someone, you should never give out your password. Your communications could be intercepted, the other person may write your password down or save it somewhere, or the other person’s computer may be infected with malware. You cannot control what happens to your password after you give it out. The only solution is to never share your password with anyone else, regardless of how much you trust them. No one should ever need your password. (12/4/2020)

Children and Online Dangers – Educate Them Early

Children will face many dangers online: cyberbullying, predators, and even oversharing. Teach the children in your family about the risks they face online once they begin using the Internet, and encourage them to always follow their instincts and talk to an adult if something does not seem right. Monitoring their Internet usage and social media accounts will reduce risks further. (11/25/2020)

Holiday (Online) Shopping Reminders

With the upcoming holiday season, many of us will be searching for the ideal gifts that are “all the rage” and will be appreciated. We all know online shopping has become easier, especially with the increased use of mobile devices. Unfortunately, this is also the season where cyber criminals are on the lookout, creating fake shopping websites to scam and steal, infiltrating home networks, and even taking advantage of those recently received gifts such as smart home devices and smartphones.

So, while you’re out there deciding on the perfect gifts, use some holiday reference to remember these tips:

There’s no place like home for the holidays… for safer online shopping. Ensure your Wi-Fi Access Point (WAP) is secure!

  1. Change the SSID (Service Set Identifier) from the default router name to one unique to you and not easily guessed by “roamers.” Check your instructions that come with your router or call your provider for help.
  2. Also, change the default administrator password to the router.  Leaving a default passphrase unchanged makes it much easier for hackers to access your network.
  3. Ensure the passphrase is strong and remember – you only need to enter the password once for each of your devices!
  4. Many wireless networks support what is called a Guest Network. This allows visitors to connect to the Internet but protects your home network, as they cannot connect to any of the other devices on your home network.
  5. The next step is knowing what devices are connected to your wireless home network and making sure all those devices are secure.
  6. Hackers are making their list, checking it twice, and going to find out who’s locking their device…. the bad guys look for unlocked and unsecured devices, exposing your personal information to peeping and snooping eyes.
  7. If your locked device is lost or stolen, the lock itself will be the first line of defense against a security breach, and the screen lock enables encryption.  Depending on your device, you can set screen locks by:
    1. PIN
    2. Password/Passphrase
    3. Fingerprint / Facial Recognition

Also, if you’re one of the lucky ones to receive a new device as a gift, remember:

  1. Keep the device updated and even enable automatic updating.
  2. Only download mobile apps from trusted sources; the bad guys create mobile apps that appear to be legitimate but are actually malware.
  3. If you’re disposing of a mobile device, or even passing it down to someone not as lucky, ensure it is wiped! That device has a wealth of information on it; wipe it before disposing of it.
  4. If you get a new phone, be sure and add it to your DUO account. For information about DUO, see
  5. And – above all – To stay healthy and wealthy, you’ve got to be wise…. Keep your cyber smarts, be vigilant while out there in the internet mall.

Maintain your cyber hygiene, exercise caution just as you would with your belongings in a crowded store.  Keep your cyber information secure while enjoying safe holiday shopping online, and be mindful to:

  1. Do business with retailers you trust and have even purchased from in the past.
  2. Cyber Monday, Black Friday – while we’ll see a host of awesome deals, compare prices and pictures of your preferred merchandise.
  3. Don’t use your debit card for online purchases; credit cards usually provide better liability protection both online and offline.
  4. Check up on Holiday Hackers – set up credit card statement alerts and review your statement at least once a week. (11/20/2020)

Back up key data on your mobile devices on a regular basis

Last week’s tip was about ransomware and a reminder to back up your data regularly. This week’s tip is a reminder not to forget the data that is on your mobile devices.

Just as you must back up the data on your desktop or laptop computer in case of hard drive failure, loss, or theft, it’s equally important to back up the crucial data that you store on your mobile device. Otherwise, this data could be lost forever if your mobile device is lost, stolen, or suffers a hardware failure. (11/13/2020)

Worried about Ransomware? Try the 3-2-1 Defense

The threat of ransomware is becoming more and more real. Whether the bad guys get in through a phishing email or by exploiting a vulnerability due to an unpatched machine, the idea that our/your data is locked up and can’t be accessed is a scary one.

What is the 3-2-1 defense?  It is pretty easy actually.

  • 3 copies of important data on
  • 2 different types of media, with at least
  • 1 of these copies off-site. 

What does this mean to you? Take tax returns for example. You use software to create and file your federal income tax return. You store one copy on the computer you are using. Print out another copy and keep it in a secure place inside the home. Copy the electronic file to an encrypted external hard drive, thumb drive, or USB stick and store that at a family member’s house. 3-2-1.

If you have any questions about ransomware or any other cybersecurity topic, the Office of Cybersecurity can be reached at or 901.448.1880. (11/6/2020)

Vishing – the Art of Phishing using Voice

A quick word of warning. Vishing, or voice phishing, is real, and you have probably been inundated with it. Also known as phone scams, these types of social engineering attempts work because it is easier to persuade someone to do something outside of normal behavior through voice than written word.

Have you or a family member gotten a call from the “Social Security Administration” that your account has been suspected of fraudulent activity and is suspended? How about from your local power company saying your bill is delinquent, but can be paid with a gift card?

Bottom line, not all scams come via email. Don’t let yourself get suckered into taking action based on an unexpected phone call. Verify the information, not by ANY contact information the caller gives you, but from a known source, like an invoice or reputable web page. (10/30/2020)

Phishing - Can't Mention It Enough

Do we mention phishing too much? Doesn’t everyone know how to spot a phish by now? Apparently not. We still have way too many people who will fall for a phish. Want to know more about phishing, such as how to NOT fall for one, what are common themes, what different terms mean, and how to write an email that doesn’t sound phishy? Check out

Report any suspicious correspondence to We can check to see if it is a legitimate email or a threat to our campus. (10/23/2020)

What to Report?

The quick answer is “anything suspicious”. But, if you want a more detailed explanation, see the Office of Cybersecurity’s webpage, What to Report. (10/9/2020)

Cleaning Out Your Old Data and Devices

During National Cybersecurity Awareness Month, these tips are going to be a little more in depth on specific steps you can take to help yourself be cybersecure. Today we look at old data and devices. Whether digital (old online accounts) or physical (old devices), not keeping information current exposes you to a lot of risk in the cyber world.

The Center for Internet Security (CIS) has created a newsletter concerning old data and devices. The information is below, but the original article can be found here in case you want to subscribe to their newsletter yourself or look at past articles.

Cleaning Out Your Old Data and Devices

Over the years, many of us have accumulated a mountain of CDs, hard drives, devices, online accounts, and other mediums that store information that are out there and unused. Outside of the key information you kept stored on purpose for long term use or retrieval, it is good to periodically assess and dispose of unneeded storage media and information. These days, information may be split between physical items you have in your possession and online accounts or cloud-based storage. This month’s newsletter will provide some details on how to manage your information and data, as well as how to safely dispose of those pieces you do not need any longer.

Cleaning up Online Accounts and Cloud Storage:

  • Clean your social media presence: It may have been years since you logged into an old social media platform that you no longer use. If that’s the case, consider removing any personally identifiable information like address, date of birth, and other less sensitive details from the account. Furthermore, consider closing the account entirely if you don’t think you’ll have reason to use it anymore. The fewer places you have personal information stored online, the better!
  • Keep your social media presence clean: On social media accounts that you still use, minimize the amount of personal information that you display. In particular, minimize how visible your information is to any untrusted individuals. This is especially important as those who are not approved to be your friend or contact on the platform will be less likely to view your personal information. Most sites offer this as a privacy option in the settings for your account.
  • Close old shopping and rewards accounts: If you do not plan on shopping on a particular site, please consider removing any payment or personal information and closing the account. If you rarely shop on a web site, consider if it’s necessary to maintain a user account. Most retail sites have a guest account option for temporary use, which lessens the likelihood of your information being saved.
  • Cloud storage and files: Many of us use cloud storage services of some sort, whether just for storing our photos from our devices, or for backing up and storing important files. Consider clearing out data and information periodically from these storage accounts that you will not need access to in the future.

Physical Storage – Digital and Paper:

  • CDs, DVDs, Floppy Disks, and other plastic disk media: CD and DVD discs can be shredded in many common household paper shredders (check to ensure your shredder is rated for this). After validating if you need the information or not, consider this best and irreversible method for destroying the unneeded information and the medium. Floppy disks (if you still have any!) can be destroyed by splitting open the plastic casing, removing the soft disk itself, popping out the metal hub, and then feeding the soft disk without that metal center into a household paper shredder.
  • Hard disk drives, Solid State Drives, and USB flash drives: When you are looking to get rid of an old computer (or another device with a hard drive) that you perhaps don’t use anymore, you should properly clean your data off the device before disposing of it or selling/donating it. You will want to ensure you properly move those family photos, important records, and everything else you want to keep onto a newer device or a disk/thumb drive before beginning the process of cleaning the data off. Next, you will want to either physically destroy the drive or perform the proper process of overwriting by using a utility to permanently erase the data. For physical destruction of drives, either utilize a paid service to properly destroy the device, or follow the US-CERT guidance linked below. For overwriting or permanent erasure of data, there are many software utilities available to perform these operations, some of which may be included with your operating system. US-CERT also provides guidance on some utilities and ways to do this properly. It is important to follow this guidance because simply moving files to the recycle bin or hitting delete doesn’t make them permanently gone, as the information can be easily recovered if that’s all that has been done! This means your sensitive data is still possibly available to a malicious actor.

Smartphones, Tablets, Gaming Consoles, and other devices:

Perform a “hard reset” which will bring the device back to factory settings and remove your data securely. Always ensure no accounts are permanently logged in on the device. You can consult the maker of the device when seeking guidance on how to locate this setting or utility for that particular make and model.

Don’t Use Personal Information in Your Username

Revealing any personal information can be dangerous. We’ve warned everyone in the past about using birthdates, names of kids or pets, and other personal information when creating passwords, but keep that information out of your username when creating that as well.

Including sensitive information in your social media and other online account usernames could inadvertently lead to identity theft. Do not put information such as your age in your username; an identity thief could use this information to derive your date of birth.

Similarly, don’t reveal to the public maiden names, locations of birth, or current addresses. (9/25/2020)

Cyberbullying is a crime

Cyberbullying isn’t something that just happens to school-aged children, or a matter for K-12 school officials. This type of bullying, also called online bullying, can happen to anyone, at any age, who has an online presence. It is a crime and should be reported to local authorities. Whether it is happening to you, your child, your sibling or a friend, reporting it helps stop it.

Document everything and contact local authorities as well as school officials if it is happening in school. If a child is the victim of this type of crime, it also sends a message that they are protected and what is happening to them is wrong.

More information and resources can be found at and feel free to reach out to the Office of Cybersecurity at  (9/18/2020)

Test the Strength of your Password

This week’s tip is a reminder about using strong, easy to remember but hard to guess, passwords or passphrases. There is a site,, where you can test the strength of your password and how long it would take someone to guess it. Also, remember to use different passwords for every account. Reusing passwords makes it easy for someone to get into your entire life. (9/11/2020)

Limit who has access to your data

No matter if it is your personal data (information) or UTHSC data for which you are responsible, limit the access to sensitive data on a need-to-know basis. This will combat insider threats. Don’t send any data to someone who does not need to work with the data and is not authorized to do so. Periodically review who has access and remove those who don’t need it anymore.

If you wish to discuss insider threats, the classification of your data, or any other cybersecurity topic, contact the Office of Cybersecurity at


Use trusted vendors and their apps, rather than a link

Hackers have become very adept at spoofing vendor webpages. Always shop with trusted vendors and type in the web address whenever possible instead of following a link. If you’re on your phone, download the vendor’s app from Google Play Store or Apple’s App Store, and use the app instead of a link out to a browser window. (8/28/2020)

Email and Texting can be used to spread malware

As I and MANY people I know got a text message on August 14, supposedly from AT&T, about an “unsuccessful payment”, this week’s tip is a reminder that messages sent through email and instant messaging (IM) services may link to malware or viruses. You should avoid clicking on links or installing files that you receive through these services – even something that looks like a document or an image may be unsafe, especially if it comes from an unknown sender.

If you have any questions about any message you receive regarding UTHSC, don’t hesitate to forward that to for examination.  (8/21/2020)

Virtual Conferencing – remain vigilant!

This week’s tip is one we’ve talked about before, and keep reminding people about, because we keep getting advisories from different agencies and groups that virtual conferences are still being hacked and used to get personal information from attendees. SANS, a reputable security awareness organization, has published a newsletter with tips on safely conducting conferences, no matter the platform.  (8/14/2020)

Confidentiality and Telehealth

This week’s tip is a direct response to a question asked of our Chief Information Security Officer (CISO), Dennis Leber, regarding the use of teletherapy and the confidentiality of those sessions. Whether you are in a clinic setting or not, you may have personally thought about visiting the doctor online instead of in person. The platform used in these sessions matters.

Q. Will [my clinic] be able to do FaceTime or GoogleDuo for the telehealth sessions?

A. What seems like a question with an easy answer is not so simple. Under the current declared pandemic, FaceTime and Duo are allowed by exception from HHS to utilize as a last resort to provide teletherapy, telehealth, telemedicine, etc. This also pertains to the University’s Zoom accounts; the current Zoom accounts are not HIPAA compliant.

However, the use of our current Zoom is appropriate under direction of HHS due to the pandemic to provide services to patients that cannot be served otherwise. I recommend the use of Teams; that solution has a Business Associates Agreement (BAA) in place and the security of that solution presents a lower risk of violating a patient’s privacy and security.

There is more to HIPAA than “compliant” software; one of the most overlooked items is, who has access to the patient data. When evaluating anything as HIPAA compliant this must be the paramount consideration.

Zoom was not developed, nor originally intended for Healthcare, nor telehealth.  Zoom’s intent is/was to provide a mechanism to enable business meetings. There are no original features of Zoom that consider the security and privacy rules of HIPAA.

Zoom has recently, after exposure of misleading customers of their privacy and encryption failures, developed a Healthcare version of Zoom.

With that said, we are under an exception, due to the National Pandemic. That declaration provides discretion from the Office of Civil Rights (OCR) in the levy of fines for use of non-HIPAA compliant solutions. Zoom is specifically called out as one of the non-compliant solutions. (link below to that announcement) Teams, Zoom Healthcare, and others are later listed as the compliant solutions that require a pairing of a BAA.

Health and Human Services (HHS) points out that due diligence must occur through this emergency exception to reduce the risk of exposure of patient data. The announcement also states providers must inform the patient that the use of a non-secure tool is utilized during their session.

We (UTHSC) are in the process of implementing sub-accounts for all our users that require HIPAA “compliant” Zoom sessions. This is still a few weeks out before available, but will be deemed a HIPAA compliant Zoom account. Announcements will precede the release of the solution. We have a few efforts in selection of telehealth solutions which serve all users’ requirements across our University so we may provide a standard telehealth product to the enterprise.

Key items to consider:

  • The discretion by OCR is temporary, and focused on COVID-19 treatment
  • Use of Zoom under the exception forms expectations of its use and security to faculty and providers that will end. The exception must be utilized as a last resort, and after the risks are evaluated, to provide care to a patient; not the sweeping default. The link above speaks to that.
  • HIPAA protection goes beyond technology; it is truly the example of people, processes, and technology, in that order. It is paramount that people understand what constitutes HIPAA data, the processes in protecting that data, and if using technology, how all that ties together.
    • An example of current Zoom risk: a provider saves their patient’s information as contacts in their Zoom account – Your patient’s name, email address, phone number, address, etc. all fall under data you must protect. If you add your patients as contacts in Zoom, send them meeting invitations, or store any other patient PII in your zoom account, you could be violating HIPAA if you have not utilized a HIPAA “compliant” solution.
  • The BAA defines the controls in place that deem a solution must follow in regards to the technical controls spelled out by HHS –
  • We (UTHSC) are a covered entity; access to patient data is required in the course of doing one’s job. I refer back to the statement; consideration of who has access and why. Then protection of that data once we have control over it.

Let the Office of Cybersecurity know your questions. We are always available, and here to help enable you to accomplish your goals, and reduce the risk to your data from breaches. Willie Simon is the Deputy HIPAA Security Officer and leading efforts in the telehealth tool selection, and Melanie Burlison serves as the HIPAA Privacy Officer. You can reach out to any of us at any time for your HIPAA and security needs. Also feel free to reach out to the Office of Cybersecurity at or 901.448.1880. (8/7/2020)

Why Standardized Email Signatures are Important

UTHSC team, you may ask yourself why the Chief Information Security Officer is addressing email signatures. It is actually a simple and effective tool that aids in detection of phishing attacks. When all members of an organization follow the format of applying their email signature line consistently across the enterprise, then it serves as a quick visual check that an email may or may not be legitimate. 

Although it is easily duplicated by a nefarious actor, any deviation from the standard email signature format can serve as one more red flag that the email you received is a phishing attack.

UTHSC does require a standardized email signature line. You can find a tool HERE (NETID and Password required) which formats this required email signature for you. For more tips on how to spot phishing emails, and how to report and respond to them, and other cybersecurity tips visit the Office of Cybersecurity webpage HERE. (7/31/2020)

Mother’s Maiden name can be used by identity thieves. Keep it safe.

This week’s tip is a reminder about keeping all types of personal information safe. In addition to passwords and birthdays, your mother’s maiden name can also be used to steal your identity. A mother’s maiden name has long been used as a verification question for financial accounts, and social media has made it so that maiden names are often displayed alongside married names. (7/24/2020)

Securing Home Devices

We have reminded you in the past about securing home networks and devices, especially during this time of working/studying remotely. But HOW?!?!?! The Center for Internet Security (CIS) has produced a 30-minute recorded webinar on tips for securing small office and home networks. The webinar can be found at (7/17/2020)

Shredding Hardcopy PII Files

This week’s tip is a reminder to shred all hardcopy files containing personally identifying information (PII) before you dispose of them. Criminals often go through unguarded garbage cans and recycling bins in an attempt to find documents that contain personally identifying information (PII). They can use PII to steal people’s identities, such as of your fellow employees, fellow students, or the patients UTHSC serves. By shredding all hard copy files with PII before you put them in the trash or send them for recycling, you will prevent criminals from accessing confidential data. (7/10/2020)

Insider Threats

In this week’s tip, we talk about Insider Threat, which is a security risk that comes from within an organization. While it can be, it doesn’t necessarily mean the threat is a disgruntled employee. It could be someone socially engineered to do a bad thing, or someone who has access to information they shouldn’t and doesn’t know how to protect it.

Why should we care? – According to the 2019 Verizon Data Breach Investigations Report, 34% of data breaches involve internal actors.

What can we do? – a lot of things!

  • Notice odd behavior in coworkers. Are they trying to violate policies or bypass security? Are they disgruntled?
  • If you are a data or system owner, make sure that security controls are in place so that only the people who need access to the data have it, and only at the level they need to do their job (least privilege).
  • Monitor access to your data.
  • Train staff to adopt a data security mindset.

So now you are thinking about our campus and organization. Think beyond that.

What if the insider threat was to your family and your child is the one being socially engineered to give away a password or access to the “home” computer that has banking information on it?

What if the insider threat was a member of your church committee that has access to funds to help your charity organizations?

If you want to have a deeper discussion about insider threats or any other cybersecurity topic, please reach out to the Office of Cybersecurity at or 901.448.1880. We’d love to talk with you and your group. (7/2/2020)

Virtual Conferencing Platform Security Tips

This week’s tip comes from the Center for Internet Security (CIS) and takes a broader look at securing conferencing applications, no matter which one you use. The majority of security issues have a lot to do with the users’ familiarity with the applications and their proper usage. First to remember is to download an application from a reputable source (we tell you this with any application). If using Microsoft Teams, make sure you are using your UTHSC O365 account.

The entire article can be found at CIS’s website,


Internet Safety for Kids

As a center for higher education, we tend to talk more about tips regarding the workplace. However, we all have family and friends with kids who need to be taught safe ways to use the internet. We have found a lot of useful information (videos, articles and FAQs) at this information security training site, Learn how to help kids online! (6/19/2020)

Reusing Passwords

This week’s tip is a reminder about how reusing passwords can get you into trouble. If you use the same password for different accounts, say for Instagram, your bank, UTHSC, and Amazon, and one of those organizations gets hacked and your credentials are exposed, all someone would need to do is search for that same email address at different sites and plug in that password to gain access.

This week, we were notified that the Chronicle of Higher Education potentially was hacked and 3.5M members’ credentials were exposed. For UTHSC, that was 129 email addresses. Dennis Leber, our Chief Information Security Officer (CISO), contacted those individuals directly and recommended that they change the password for that site and for any other sites where they might have used the same password.

Stay safe everyone! And make really strong, fun passwords! (6/12/2020)

Maintaining a Cyber Secure Home


In the past, building a home network was nothing more than installing a wireless router and several computers. Today, as so many of us are working, connecting, or learning from home, we have to pay more attention to creating a strong cyber secure home. Here are four simple steps to do just that.

Your Wireless Network

Almost every home network starts with a wireless (or Wi-Fi) network. This is what enables your devices to connect to the Internet. Most home wireless networks are controlled by your Internet router or a separate, dedicated wireless access point. They both work the same way: by broadcasting wireless signals which allow the devices in your house to connect to the Internet. This means securing your wireless network is a key part of protecting your home. We recommend the following steps to secure it.

  1. Change the default administrator password to your Internet router or wireless access point, whichever is controlling your wireless network. The administrator account is what allows you to configure the settings for your wireless network.
  2. Ensure that only devices you trust can connect to your wireless network. Do this by enabling strong security. Doing so requires a password to connect to your home network and encrypts online activities once connected.
  3. Ensure the password used to connect to your wireless network is a strong password that is different from the administrator password. Remember, your devices store passwords, so you only need to enter the password once for each device.

If you’re not sure how to do these steps, check your Internet Service Provider’s website or check the website of the vendor for your router or wireless access point.


Use a strong, unique password for each of your devices and online accounts. The key words here are strong and unique. The longer your password the stronger it is. Try using a series of words that are easy to remember, such as sunshine-doughnuts-happy.

A unique password means using a different password for each device and online account. To remember all those strong passwords, use a password manager, which is a security program that securely stores all your passwords for you in an encrypted, virtual safe.

Additionally, enable two-step verification whenever available, especially for your online accounts. It uses your password, but also adds a second authentication step, such as a code sent to your smartphone or an app on your smartphone that generates the code for you. This is probably the most important step you can take, and it’s much easier than you think.

Your Devices

The next step is knowing what devices are connected to your wireless home network and making sure all of those devices are trusted and secure. This used to be simple when you had just a computer. However, today almost anything can connect to your home network, including your smartphones, TVs, gaming consoles, baby monitors, printers, speakers, or perhaps even your car. Once you have identified all the devices on your home network, ensure that each of them is secure. The best way to do this is to change any default passwords on them and enable automatic updating wherever possible.


Sometimes, no matter how careful you are, you may be hacked. If that is the case, often the only way you can recover your personal information is to restore from a backup. Make sure you are doing regular backups of any important information and verify that you can restore from them. Most mobile devices support automatic backups to the Cloud. For most computers, you may have to purchase some type of backup software or service, which are relatively low-priced and simple to use.


Shopping Online Securely

I bet we’ve all increased our online shopping in the past few months. When you restrict going out, the internet is the way to shop. This week’s tip is a reminder that when shopping online, use credit cards instead of debit cards. If any fraud happens, it is far easier to recover your money from a credit card transaction. Gift cards and one-time-use credit cards are even more secure. (5/29/2020)


Phishing Currently in Use and What to Expect

We’ve mentioned COVID-19 phishing emails and scams a few times in the past months, but the vast number of these attacks makes it necessary to remind as many people as we can of these scams. There have been an estimated 192,000 coronavirus-related phishing attacks per week over the past three weeks.

Also in the past three weeks, almost 20,000 new coronavirus-related web addresses were registered. An estimated 17% of them are fraudulent, malicious or suspicious.

What’s next for these phishers? Mortgage rescue scams and help with bills in general. With the “new normal” of government assistance, phishers have been designing campaigns to lure people by pretending to be banks, other lenders, or different government agencies offering to help out with bills, debt reduction and specifically mortgage help, as that is usually the largest purchase an individual makes.

Be on the lookout for these scams. Remember the first principle of spotting a phish – if something looks like it is too good to be true, it probably is.

If you have any questions about emails received to your UTHSC account, forward them to  We’ll let you know if they are a phish, scam, or a legitimate email.  If it is a scam, you are probably not the only one that got it.  After it is reported, we can take steps to stop it reaching others in our community.


World Password Day 2020!

This one may not have been on your radar, but the first Thursday in May is WORLD PASSWORD DAY! Take this time to think about the passwords you use, and when was the last time you reviewed them.

* A strong password should be a combination of characters such as commas, per cent signs, parentheses, upper-case letters, lower-case letters and numbers.

* Make your password as long as possible, to make it extremely tedious for a brute force attacker to crack your password. (Note: passwords of around three letters take less than a second to crack.)

* Do not use a word that would be in the dictionary or letters that are sequential on a keyboard. If your passphrase does not make any sense, then it is harder to crack.

* First write up a random passphrase and then, going letter by letter, keep adding either an upper-case letter, a number or a symbol.

* Do not use obvious details like your name, date of birth, or the place where you live in the password. All of that can easily be discovered online.

* Enable two-factor authentication. This will help you even if your password gets compromised, as the hacker would need your smartphone to gain access.

* Do not keep one password for all your accounts, as it will become the master key to your life, which if lost, will have serious consequences.


Stay one step ahead of thieves: devote a single credit card for online purchases to minimize your risk

As we are becoming more and more comfortable with online shopping, this week’s tip is an idea on how to minimize your risk when doing so. If you have more than one credit card, it might be tempting to use them all when you are shopping online at different sites. However, it’s prudent to designate one credit card for all your internet transactions.  That way, if an organization you’re buying items from is attacked by hackers, you will only need to report one credit card stolen to your financial institution and you’ll easily know which of your credit cards is affected. Additionally, you’ll still be able to use your other credit cards to purchase vitally needed goods and services while you await replacement of the stolen card. (5/1/2020)

Sharing Personal Information Helps Scam Artists

This week’s tip is a reminder about sharing personal information in social media. In this time of social distancing, we’ve been drawn to social media to stay connected. We are encouraged to share information about ourselves like pets’ names, the types of cars we own, and mothers’ maiden names, which are goldmines for criminals seeking answers to account security questions.

Even if you haven’t used personal information for security questions, sharing excessive information about yourself can allow attackers to craft targeted social engineering attacks against you.

People like to share things about themselves online for the same reasons they like to talk about themselves in real life. On the Internet, however, this information is potentially available to anyone in the world. Even if your profile information is only visible to people you’ve added as friends, there are many ways it could still end up on the open internet.

So if you get one of those “This looks like fun to learn more about each other” questionnaires, here are the answers to use:

  • First job – Stop
  • Current job – Sending
  • Dream job – Your
  • Favorite food – Potential
  • Favorite dog – Passwords
  • Favorite footwear – Or
  • Favorite chocolate bar – Memorable 
  • Favorite ice cream flavor – Data
  • Your vehicle color – To
  • Favorite holiday – People
  • Night owl or early bird? – Who 
  • Favorite day of the week – Collect
  • Tattoos? – This
  • Favorite color – For
  • Mother’s maiden name – Social
  • Father’s middle name –  Engineering

(Your mother’s maiden name better not be Social!)


Securing that Home Network

This week’s tip is about your home network and ALLLLLLLL the devices that are on that network. While we tend to concentrate on UTHSC information, with a majority of our campus studying and working from home, take a moment to think about your home network and how to keep it safe.

The three top things you can do to secure your home network are:

  1. Change your device’s default password. Whether it is a router, gateway, or whatever name your internet provider uses, if you haven’t changed the password on it, then it is already known outside of your home.
  2. Keep the software up-to-date.
  3. If you don’t use the remote access feature, disable it.

Think about all the devices that are on your network right now. Not just the computer you are using, but also the computers of all the family members stuck inside with you and their mobile devices (smart phones, Kindles, watches, etc.). How about smart appliances, such as your TV or refrigerator? Gaming platforms? Baby or pet cameras? There are probably more devices on your network than you think.

Check those privacy settings on that router or gateway and do your best to keep your information and devices private. 


Personalized Scams

Cyber criminals now have a wealth of information on almost all of us. With so many hacked organizations, cyber criminals simply purchase databases with personal information on millions of people, then use that information to customize their attacks, making them far more realistic. Just because an urgent email has your home address, phone number or birth date in it does not mean it is legitimate.

Forward any suspicious scam to


Tips for Working Remote – Secure your Zoom Meetings

Meeting Settings:

  • Enable Require a password when scheduling new meetings or webinars through the Meeting tab of your Settings. Participants will then be required to enter a password to join the meeting. See Meeting and Webinar Passwords for more information.
  • Send participants to the Waiting Room. (Meetings only) Only the host can allow participants in the Waiting Room into the live meeting. See Waiting Room for more information.
  • Disable Join before host to ensure participants are not able to join the meeting before the host arrives. See Scheduling meetings for more information.
  • Disable In Meeting Chat through your Profile settings. Here you can toggle off allowing participants to chat. This is also where you can prevent users from saving chat. See Disabling In-Meeting Chat for more information.
  • Ensure only hosts can share their screen through Settings by un-checking Participants under Who can Share? See Managing participants in a meeting for more information. This is on by default.
  • Disable File Transfer in Settings, which will ensure participants are not allowed to share files in the in-meeting chat during the meeting. See In-Meeting File Transfer for more information.
  • Stop a participant’s video stream to ensure participants are not on video through Manage Participants. See Managing participants in a meeting for more information.
  • Click to Mask phone numbers in the participant list through the Telephone tab in Settings. This masks all telephone numbers called into the meeting.

Settings when scheduling your meeting or webinar:

  • Mute all participants that are already in the meeting and new participants joining the meeting through Manage Participants. You will be asked to confirm if you’d like to allow participants to unmute themselves. You can choose to uncheck this option. See Mute All And Unmute All for more information.
  • Lock your meeting allows hosts to lock the meeting right at the start (or when enough attendees have joined). At the point a meeting is locked, no other participants are able to join the meeting. See Can I Restrict My Meeting Capacity for more information.
  • Put participants On Hold through Manage Participants while in a meeting. When a user is put on hold, they will be taken out of the meeting until the host clicks to take the user off hold. See Attendee On Hold for more information.
  • Disable private chat through Manage Participants. This prohibits participants from private chatting with other participants. See In-Meeting Chat for more information. (04/03/20)

Cybersecurity – Why you Don’t Click on Links with “COVID”, “Corona” or “Vaccine” in them

It is pretty well known that you shouldn’t click on links in emails or what you find on social media. However, especially now when we are looking for the latest info about COVID-19, it is hard not to.

In one day alone in early March, over 800 sites with “corona”, “covid”, or “vaccine” in their names were registered! Some were real sites, but some were not. Read more to see a real-life example of a phish.

Stay safe (and healthy)! (04/01/20)

COVID-19 Phishing Scams

We have mentioned this before, but there continues to be a rise in phishing attacks and social engineering schemes using everyone’s concern about COVID-19. People will contact you posing as staff looking to gain access to our network. Fake COVID-19 websites are everywhere, with the intent of downloading malware if you visit them. If in doubt, err on the side of caution and safety.


Tips for Working Remote – Default passwords on home routers

In this world of telecommuting, ensure your home router is not using the default out-of-the-box username and password. Are you still using the username and password that is on a sticker on the side of the router? A quick Google search can help with steps to change your password. If you need help, contact your Internet provider.


Tips for Working Remote – using your own device

As many of our workforce and most of our student population have moved to working from home, we will be highlighting some tips that can be found on our working remote resource page,

If you are using your home computer, make sure you have a password on it. Make a separate account for UTHSC work and don’t share that password with others who live with you.


Cybersecurity Fun (and Informative) Videos

The National Cyber Security Alliance has teamed up with sponsors to create some fun videos on potential security threats and best practices on different topics. This month’s topic is about what can happen if your laptop is stolen. The two-minute video can be found on the Information Security webpage, along with the two previous videos.


Learning / Working Remotely

In our new normal, many organizations are giving suggestions on the best way to “telecommute” or work remotely or learn online. NIST (National Institute of Standards and Technology) has a good link that is user friendly:

Remember to continue to be cybersecurity conscious. Know your surroundings. Know that scammers are out there. Lock your computer when not in use. Many of our applications are web based and do not need a VPN to gain access. DUO (2-factor authentication) is used to protect many applications now.

Stay safe (and healthy)! (03/20/20)

Defending against COVID-19 Cyber Scams

Cybersecurity and Infrastructure Security Agency (CISA)


The Cybersecurity and Infrastructure Security Agency (CISA) warns individuals to remain vigilant for scams related to Coronavirus Disease 2019 (COVID-19). Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes. Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19.

CISA encourages individuals to remain vigilant and take the following precautions.

Slam the SCAM

From the Office of the Inspector General, Social Security Administration


The Inspector General of Social Security, Gail S. Ennis, has designated a National “Slam the Scam” Day to warn Americans about widespread phone scams where callers impersonate government officials, most often Social Security, to gain your trust and steal your money. This is a National Consumer Protection Week initiative.

News Release: Inspector General Announces National “Slam the Scam” Day

On Thursday, March 5 at 11 a.m. ET, AARP will release a webinar with a consumer protection message from the Federal Trade Commission and colleagues from Medicare, the Internal Revenue Service, the Census Bureau, and SSA. During this webinar, you will learn how to recognize and report government imposter scams and how to keep yourself and your loved ones safe from them. You can register for the event.

Also on Thursday at 11 a.m., we will be on Twitter with @USAgov participating in a #SlamTheScam chat, followed by a 1 p.m. ET Spanish-language chat hosted by @USAgovespanol. Please use #SlamTheScam when you tweet about phone scams to help us trend on Twitter and help spread the word. Then, at 7 p.m., we will be on Facebook Live with Social Security, to answer your questions and deliver our key messages:

  • HANG UP on phone scams
  • TELL your friends and family

Let’s SLAM phone scams together!

Please follow us on Facebook and Twitter for news about National Slam the Scam Day Events!


Email scams happen to everyone

Did you hear this week about Shark Tank judge, Barbara Corcoran, losing close to $400,000 in a phish? It really can happen to anyone! This week’s tip is a reminder on how to spot phishy emails. Is someone asking you to do something against policy or outside of normal practices? Do you know the sender and can verify the email address is theirs?

At UTHSC, emails coming from an outside source contain [Ext] in the subject line. Remember this if an email marked [Ext] looks like it is coming from a coworker, supervisor or professor: it is probably not from them, no matter what the name says.

Is the sender asking you for personal information? If so, use another way of communication to verify they sent the email. Go old school and call them on the phone. HOWEVER, don’t use the phone number they provide in the email! Use a phone number that you already have or can obtain from a reputable source.

Don’t click on a link in an email unless you verify the source and know where you are going to end up. Hover over the link, or with mobile devices, press and hold the link to see the actual URL. Read the URL carefully. Make sure it is going to and not You might have caught the 3 instead of the “e”, but did you catch that the “o” in “of” was a zero?

If you receive any suspicious emails, forward them to we can advise you if they are from a credible source or a scam.

Any questions about phishing or any other Information Security topic, please reach out to your Information Security Team at or 901.448.1880. (02/28/20)

Coronavirus-themed Spam Spreads Malware

Cyber Threat Actors Expected to Leverage Coronavirus Outbreak

February 2020 Volume 15 Issue 2
From the desk of Thomas F. Duffy, MS-ISAC Chair

Cyber threat actors (CTA) leverage interest during public health threats and other high-profile events in order to conduct financial fraud and disseminate malware. We expect that this trend will continue with the emergence of new and recycled scams involving financial fraud and malware related to the coronavirus outbreak.

Malicious actors are likely to post links to fake charities and fraudulent websites that solicit donations for relief efforts or deliver malware. The MS-ISAC observed similar scams and malware dissemination campaigns in response to previous high-profile events including Hurricane Harvey, the Boston Marathon bombing, the Royal Wedding, and the Tennessee wildfires. It’s highly likely that more scams and malware will follow over the course of the response period. Internet users should exercise caution before opening related emails, clicking links, visiting websites, or making donations to coronavirus relief efforts.

Warning Signs

As of February 1, 2020, the MS-ISAC had observed the registration of names containing the phrase “coronavirus.” The majority of these new domains include a combination of the words “help,” “relief,” “victims,” and “recover.” Most of the domains appear to be currently under development. However, as a few appear malicious and the domains themselves appear suspect, these domains should be viewed with caution. More domain registrations related to the coronavirus are likely to follow in the coming days.

The potential of misinformation during times of high-profile global events and public health threats is high and users should verify information before trusting or reacting to posts seen on social media. Malicious actors often use social media to post false information or links to malicious websites. The MS-ISAC observed similar tactics in the days following Hurricane Irma’s landfall and other natural disasters.

It is likely that CTAs will also capitalize on the outbreak to send phishing emails with links to malicious websites advertising relevant information. It is possible these websites will contain malware or be phishing websites requesting login credentials. Other malicious spam will likely contain links to, or attachments with, embedded malware. Victims who click on links or open malicious attachments risk compromising their computer to malicious actors.

How to Avoid Being the Victim

The MS-ISAC recommends that users adhere to the following guidelines when reacting to high-profile events, including news associated with the coronavirus, and solicitations for donations:

  • Users should exercise extreme caution when responding to individual pleas for financial assistance such as those posted on social media, crowd funding websites, or in an email, even if it appears to originate from a trusted source.
  • Be cautious of emails or websites that claim to provide information, pictures, and videos.
  • Do not open unsolicited (spam) emails or click on the links or attachments in those emails.
  • Never reveal personal or financial information in an email or to an untrusted website.
  • Do not go to an untrusted or unfamiliar website to view the event or information regarding it.
  • Malicious websites often imitate a legitimate website, but the URL may use a variation in spelling or a different domain (e.g., .com vs .org).

The MS-ISAC recommends that technical administrators adhere to the following guidelines when reacting to and protecting their networks and users during high-profile events, including news associated with coronavirus:

  • Warn users of the threats associated with scams, phishing, and malware associated with high-profile events and train users about social engineering attempts.
  • Implement filters at your email gateway to filter out emails with known phishing attempt indicators and block suspicious IPs at your firewall.
  • Flag emails from external sources with a warning banner.
  • Implement DMARC to filter out spoofed emails.
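The last two administrator guidelines, together with the [Ext] subject tag described in the “Email scams happen to everyone” tip, can be expressed as one gateway decision. The following Python is an added example, not MS-ISAC or UTHSC code; the domain campus.example, the gateway name mx.campus.example, the action names and the three messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organization's own mail domain and the
# identifier its gateway writes into Authentication-Results (RFC 8601).
INTERNAL_DOMAIN = "campus.example"
TRUSTED_AUTHSERV_ID = "mx.campus.example"
EXTERNAL_TAG = "[Ext]"


def dmarc_result(msg):
    """Return the DMARC verdict recorded by OUR gateway, or "none".

    A sender can add their own Authentication-Results header claiming
    dmarc=pass, so headers written by any other server are ignored.
    """
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        parts = authserv.split()
        if not parts or parts[0].lower() != TRUSTED_AUTHSERV_ID:
            continue
        match = re.search(r"\bdmarc\s*=\s*(\w+)", results, re.I)
        if match:
            return match.group(1).lower()
    return "none"


def is_external(msg):
    """True when the From: address is outside the internal domain."""
    _, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    return not (domain == INTERNAL_DOMAIN
                or domain.endswith("." + INTERNAL_DOMAIN))


def triage(raw_message):
    """Return (action, subject) for one raw message.

    Simplification: every DMARC failure is quarantined. A production
    gateway applies the policy the sending domain publishes.
    """
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    if dmarc_result(msg) == "fail":
        return "quarantine", subject
    if is_external(msg) and not subject.startswith(EXTERNAL_TAG):
        subject = f"{EXTERNAL_TAG} {subject}"
    return "deliver", subject


# Constructed sample messages (not real mail).
EXTERNAL_OK = (
    "Authentication-Results: mx.campus.example; dkim=pass header.d=vendor.example;\n"
    " dmarc=pass header.from=vendor.example\n"
    "From: Vendor News <news@vendor.example>\n"
    "Subject: Newsletter\n"
    "\n"
    "Monthly update.\n"
)
SPOOFED_INTERNAL = (
    "Authentication-Results: mail.sender.invalid; dmarc=pass\n"
    "Authentication-Results: mx.campus.example; spf=fail; dmarc=fail header.from=campus.example\n"
    "From: Dean <dean@campus.example>\n"
    "Subject: Urgent request\n"
    "\n"
    "Are you available?\n"
)
INTERNAL_OK = (
    "Authentication-Results: mx.campus.example; dmarc=pass header.from=campus.example\n"
    "From: Colleague <colleague@campus.example>\n"
    "Subject: Lunch on Friday\n"
    "\n"
    "See you there.\n"
)

if __name__ == "__main__":
    for raw in (EXTERNAL_OK, SPOOFED_INTERNAL, INTERNAL_OK):
        print(triage(raw))
```

The spoofed message carries a forged dmarc=pass header from another server; only the verdict written by the organization's own gateway is used.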


How to Make a Strong Password

With the initiative announced this week for everyone on campus to change their password, why not make it a strong one? Newsweek published an article last Saturday on 7 Tips to Create a Hack-Proof Password You’ll Actually Remember.

The article actually explains why it is so very important to have a strong, unique password. It needs to be memorable, but not personal (names of family members, pets, birth dates). The longer it is, the more complex and hard to guess. Never repeat or reuse passwords. All-in-all, lots of great information. (02/14/20)

Remove all Sensitive Data before Disposing of Devices

This week’s tip is a reminder that when you replace a computer, phone, tablet, etc., make sure you delete all sensitive data from the old device. It’s been a little over a month since you got your new electronic gadget for Christmas. You kept the old one around “just in case”, but now you can throw it away. Digitally wipe it clean before you dispose of it.

If you are replacing your computer or mobile device, it’s important to digitally wipe it clean before you dispose of it. Use a secure data deletion program and reformat hard drives and removable media to erase all traces of your information. You should also remember to clear the registry that contains much useful information. There are commercial products available to help you with this. (02/07/20)

Tax Identity Theft Awareness Week

Next week is Tax Identity Theft Awareness Week. What is tax identity theft? It is when someone uses your Social Security number to file a tax return in your name and steals your refund. With tax season now here, the FTC (Federal Trade Commission) is offering webinars and tips to fight against tax identity theft.

Tax Identity Theft Awareness Week is February 3-7. The Federal Trade Commission (FTC) Tax Identity Theft Awareness Week webpage will provide webinars and other resources from FTC and its partners throughout the week to help educate the public on how to protect against identity theft this tax season.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages taxpayers, businesses, and tax professionals to review the FTC announcement and the following resources for more information:

CISA’s Tip on Preventing and Responding to Identity Theft
FTC’s article on Tax-Related Identity Theft
Internal Revenue Service’s Taxpayer Guide to Identity Theft


Never share your passwords

This week’s tip is a reminder to never share your passwords. Not only is it against University policy, it is just a bad practice. A shared password is an unsecure password. Even if you trust an individual, never give them your password to any application. (01/24/20)


Create passwords that cannot be found in a dictionary or easily guessed.
If your password can be easily guessed, it weakens security and might lead to a breach of your data or UTHSC data. Don’t choose passwords that use names or special dates, like birthdays and anniversaries. Attackers search social networking websites for personal details like these and try them as passwords. (01/10/20)

Secure New Internet-Connected Devices

During the holidays, internet-connected devices—also known as Internet of Things (IoT) devices—are popular gifts. These include smart cameras, smart TVs, watches, toys, phones, and tablets. Although this technology provides added convenience to our lives, it often requires that we share personal and financial information over the internet. The security of this information, and the security of these devices, is not guaranteed. For example, vendors often store personal information in databases, which may be vulnerable to cyberattacks or unintentionally exposed to the internet. Information breaches or leaks can enable malicious cyber actors to engage in identity theft and phishing scams.

The Cybersecurity and Infrastructure Security Agency (CISA) recommends users review CISA Tips on Securing the Internet of Things, Preventing and Responding to Identity Theft, and Avoiding Social Engineering and Phishing Attacks, as well as the following steps to make IoT devices more secure:

    • Use multi-factor authentication when available. Many manufacturers offer users the option to protect accounts with multi-factor authentication (MFA). MFA adds another layer of security and can significantly reduce the impact of a password compromise because the malicious cyber actor needs the other factor—often the user’s mobile phone—for authentication. See Supplementing Passwords for more information.
    • Use strong passwords. Passwords are a common form of authentication and are often the only barrier between you and your personal information. Some internet-enabled devices are configured with default passwords to simplify setup. These default passwords are easily found online, so they don’t provide any protection. Choose strong passwords to help secure your device. See Choosing and Protecting Passwords for more information.
    • Evaluate your security settings. Most devices offer a variety of features that you can tailor to meet your needs and requirements. Enabling certain features to increase convenience or functionality may leave you more at risk. It is important to examine the settings—particularly security settings—and select options that meet your needs without putting you at increased risk. If you install a patch or a new version of software, or if you become aware of something that might affect your device, reevaluate your settings to make sure they are still appropriate. See Good Security Habits for more information.
    • Ensure you have up-to-date software. When manufacturers become aware of vulnerabilities in their products, they often issue patches to fix the problem. Patches are software updates that fix a particular issue or vulnerability within your device’s software. Make sure to apply relevant patches as soon as possible to protect your devices. See Understanding Patches for more information.
    • Connect carefully. Once your device is connected to the internet, it’s also connected to millions of other computers, which could allow attackers access to your device. Consider whether continuous connectivity to the internet is necessary. If it isn’t, disconnect. See Home Network Security for more information. (12/31/19)

Stay on Top of Your Information

In this day and age, you need to know what information about you is out there and being used by others. One way of checking to see if your email address has been part of a breach is to use a monitoring service. One of these is Entering your email address will show if it has been part of a breach and what information might be compromised.

If you see your email address has been part of a breach, and you haven’t changed your password since the date of the breach, CHANGE YOUR PASSWORD on that account. Continually monitoring online activity is the best way of making sure your information is protected. (12/20/19)

What is SMiShing?

SMiShing involves text messages sent to you in an attempt to get you to visit a link or send personal or confidential data to the sender. The text message may claim to be from your cell phone provider and request your payment information, or may prompt you to click on a link and fill out a form to gain access to a prize. You should delete any unsolicited text messages; they are almost always attempts to gain personal or confidential data from you. (12/13/19)

Links Can Be Misleading - Take Another Look

Don’t just click on links that you have received through email or instant messenger. Even if the link text looks like a URL, the link could be going somewhere else. Instead, move your mouse pointer over the link without clicking on it. Look at where the link is going in the status bar. If the link is not going where it should be or is pointing to a file (such as a .exe), don’t click on the link. (12/06/19)

Delivery Phishing Scams

Holiday season is here, and we are all shopping more and more online. Scammers know that, and send out phishing emails letting you “track your packages” or “monitor your deliveries.”  DO NOT CLICK ON LINKS IN EMAILS! If you have had something shipped and wish to track it, go directly to the website where you purchased your items and track the package there. Don’t trust those email links! (11/27/19)

Report if you think you are a victim

Many phishing attacks can be quite convincing and you may not realize that you have fallen victim to one until too late. If you feel that you may have accidentally given out sensitive or confidential data, you should immediately contact the Helpdesk or IT Security. They will be able to determine whether the email or call you received was legitimate.

IT Security can be reached at or 901.448.1880.

Contact information for the ITS Helpdesk is at

It is much easier to investigate and contain an incident that happened 30 minutes ago, compared to 30 days ago! (11/22/19)

Suspicious calls or emails

If you are suspicious about a call or an email you receive, report it to IT Security. Anyone can contact you asking for information or to complete a task. If you believe that someone is attempting to get sensitive information that could lead to a security breach or lost revenue for you, report the contact to We can let you know if the incident is legitimate and try to stop it from happening to others on campus. (11/15/19)

Fun Video about Passwords

The National Cyber Security Alliance has teamed up with sponsors to create some fun videos on potential security threats and best practices on different topics. They will be released every couple of months.

The first video can be found at

Don’t forget to read the article underneath the video for some best practices on passwords! (11/08/19)

Keep your Laptops and Mobile Devices Safe

You should always secure your mobile device or laptop, especially when traveling or in an unfamiliar area. Your mobile device or laptop may have sensitive personal information on it. Never bring a device that contains work information anywhere if it isn’t necessary, and always keep an eye on your mobile device or laptop. Encrypt the data on your device or laptop, and ensure that it is password protected. If using a laptop for a long time in a single location, use a cable lock to ensure physical security. (11/01/19)

Encrypted Email – You Can Use It!

This week’s tip is a reminder that you have the ability to send sensitive information via email by encrypting the email. Any data considered Confidential and/or Classified (such as data covered by HIPAA and FERPA) should be encrypted if sent via electronic mail. Just type the word “encrypt” in the subject line when sending from your UTHSC email account on campus.

Use of the UT Vault is also a secure way of sending information.

The Email Best Practices policy can be found here: Specific information about email encryption can be found in section 1.f.

All UTHSC policies, standards and practices can be found here:

Stay safe and keep your information safe also! (10/25/19)

Beware of a Gift Card Scam on Campus

Have you received an email recently from your “dean”, “department head” or another authority figure asking if you are available to help them? This is a new attempt at the gift card scheme. Phishers are using Gmail accounts, but spoofing the name of representatives from our campus, so at first glance it appears as if it is coming from them.

The email usually just asks if you are available. If you are nice enough to respond, they will tell you that they are away from campus “in a conference where they don’t have access to their UTHSC email”, and ask you to purchase gift cards with a promise of reimbursement when they get back.

We’ve seen the request for a present for a family member or to cheer up cancer patients. This is all a scheme. What they are hoping you will do is purchase the cards, scratch off the identifying number on the back and then text the information to the scammer (since they don’t have access to their email – they give out a phone number to text the information to).

Here’s what to do to protect yourself from this and all emails.

  • Look at the email address of the sender, not just the display name. Is it someone you know?
  • Are you expecting the email from the sender?
  • Is there a sense of urgency, meaning they need it done within a certain amount of time?

Stay safe out there. Any suspicious email should be forwarded to for examination. We will let you know if it is valid or not.  (10/18/19)

Beware of Accepting Free or Found USB Flash Drives

Beware of accepting free or found USB flash drives. They may contain viruses and/or malware that can compromise your computer.

We’re accustomed to getting free promotional items, such as t-shirts or coffee mugs with company logos on them through the mail and at trade shows. Think twice before accepting a USB flash drive as a gift or using a flash drive that you’ve found in some random location. Criminals often put viruses and malware on USB drives and leave them around, hoping victims will pick them up and use them in their computers.

Protect UTHSC’s network and your computer by avoiding mysterious found or “gift” USB drives. (10/18/19)


This week’s tip is a phishing quiz. Google has put together a quiz where you have to know (guess) if an email is a phish or real. It will ask you to make up a name and email address. Use fake information. It only wants to show how phishers can personalize fake emails. The quiz can be found at

Some of them are real. You have to know your stuff! (05/17/19)

Pirated Software

This week’s tip is about the dangers of pirated software. You may think you are getting “a great deal” by buying non-licensed software, but there are hidden costs.

Many pirated copies of software contain malware that can infect your computer.

What you purchased may not even work. Most software companies have implemented a way of checking the registration.

This type of software also does not receive security updates, leaving your computer vulnerable to exploitation.

And then there are legal issues. Legally, you are basically denying the developer their legal compensation for the use of their software. Computer piracy is illegal. There are stiff penalties for breaking the law.

Be smart – only use licensed software to conduct UTHSC or your personal business. (05/10/19)


This week’s tip is a recommendation to turn off Bluetooth if you are not using it on your computer or device. Not only does this make it more secure, but it also saves battery life. (05/03/19)

Email Attachments

This week’s tip is a reminder to use caution when opening email attachments.

A common method cyber criminals use to hack into people’s computers is to send them emails with infected attachments. People are tricked into opening these attachments because they appear to come from someone or something they know and trust. Only open email attachments that you were expecting. Not sure about an email? Call the person to confirm they sent it. (04/26/19)

Notre Dame Email Scams

This week’s tip comes a couple of days early, as we have been advised by multiple security organizations and agencies about scams around the Notre Dame Cathedral burning. Usually the scammers come out when a national or international event has taken place. If you wish to donate to this or any cause, make sure your donation is going to a reputable agency or organization.

Bad guys are exploiting the recent fire at the Notre Dame Cathedral in Paris. There are fake Facebook pages, tweets are going out with misinformation and fake charity websites are soon to follow. Bad guys are going to try to shock you and manipulate you into doing something in their interest. 

Don’t fall for any scams, and do not click on any links in emails, texts or social media. Whatever you see in the coming weeks about Notre Dame… THINK BEFORE YOU CLICK. (04/18/19)

Encrypting Mobile Devices

This week’s tip is about encrypting mobile devices. Data that is not encrypted on a mobile device could be easily accessed if the device is lost or stolen. If you need to keep sensitive data on your mobile device and have authorization to do so, password protect the device and consider encrypting the data.

Full device encryption for Android devices / Apple devices. (04/12/19)

Beware of Phone Scams

This week’s tip is a reminder that not all sneaky phishing attacks come through email. More and more scams and attacks are happening over the phone. Whenever you get an urgent phone call pressuring you to do something (such as a caller pretending to be the tax department or Microsoft Tech Support), be very suspicious. It’s most likely a scammer trying to trick you out of money or pressure you into making a mistake. Protect yourself: simply hang up the phone. You are not being rude; the person on the other line is trying to take advantage of you. (04/05/19)

Clues You've Been Hacked

This week, instead of a tip, we have clues to recognize if you have been hacked. Staying vigilant about your information and your privacy settings is the best way of keeping you safe.

Some of the most common indicators that you may have been hacked include the following: Your friends tell you that they have received odd emails or messages from you, messages you know you did not send. Your password no longer works for one of your accounts, even though you know you never changed the password. Your anti-virus informs you that one of your files or computer is infected. You receive a pop-up message informing you that the files on your computer have been encrypted and you must pay a ransom to recover them. (03/29/19)

Facebook and Your Password

With the announcement this week that Facebook stored millions of users’ passwords in plain text (not encrypted, easily read), this week’s tip is about passwords and social media. Enabling two-factor authentication on any account you have helps protect your information, even with social media. Also, change your Facebook password and update your privacy settings.

You can Google “Facebook Passwords” and get many articles about the recent disclosure. Here is one:

Basic Facebook privacy settings can be found here: (03/22/19)

Two-Factor Authentication (2FA)

No one calls signing in with a password “single-factor authentication”, but that is what it is. You use only one way of proving you are who you say you are for whatever system you are logging into, whether your O365 account at UTHSC, or Facebook, or your bank.

A more secure way of logging in is two-factor authentication. This means that you use two different methods to prove who you are.

When using 2FA, you have to use two out of three methods to prove yourself:

  • Something you know (password)
  • Something you have (smart phone)
  • Something you are (biometric scan, i.e. fingerprint)

Actually, 2FA is already on campus. If you’ve ever been a member of the fitness center (located in the SAC) you use 2FA. To get in, you have to type out your employee or student number (something you know), then place your right hand on a scanner (something you are). Both are needed to gain access.

2FA is a security measure. With 2FA, even if someone steals or guesses your password, without your smart phone verifying you are who you say you are, they can’t get into your account. When you log into an application that requires 2FA, a notification will appear on your phone asking you to either accept or deny access.

More communication on how we are going to implement this new feature will be coming. We hope everyone will use their smart phone as a verification source, but if you do not have a smart phone, we will have another way for you to use 2FA. (03/15/19)

Review Your Statements!

This week’s tip is a reminder to review your bank, credit card and any financial statements regularly to check for unauthorized activity. Also, if your bank or financial institution’s online banking does not offer/require two-factor authentication to log into your account, FIND ANOTHER BANK. 2FA is much more secure than just a password or PIN. (03/08/19)

Clues You've Been Hacked

This week’s tip is about some clues you should watch for to see if you’ve been hacked. Your friends tell you that they have received odd emails or messages from you, that you know you did not send. Your password no longer works for one of your accounts, even though you know you never changed the password. Your anti-virus informs you that one of your files or computer is infected. Stay vigilant! (03/01/19)

Social Media and Privacy

This week’s tip is a reminder about social media and privacy. Facebook, and other social media outlets, have been in the news because of investigations on how private they keep your data. Be mindful of your privacy settings on these applications. Make them as private as possible.
Also be aware of what you post, the site’s Terms and Conditions, and make a strong passphrase.
Awareness is the key! (02/22/19)

Mobile Device Data

This week’s tip is a reminder to back up your key data on mobile devices on a regular basis. Just as you must back up the data on your desktop or laptop computer in case of hard drive failure, loss, or theft, it’s equally important to back up the crucial data that you store on your mobile device. Otherwise, this data could be lost forever if your mobile device is lost, stolen, or suffers a hardware failure. Both Android and Apple have automatic backup options. (02/15/19)


This week’s tip is about passwords. The best password is a passphrase. Use as many characters as possible in your password. The longer it is, the harder it is for a hacker to guess. Make sure it is something you can remember though. Keep in mind that a good password is easy to remember, but hard to guess. (02/07/19)

Email Attachments

This week’s tip is a reminder to be cautious when opening email attachments. Cyber criminals will hack into people’s computers by sending emails with infected attachments. People are tricked into opening these attachments since they appear to come from someone they know and trust. Only open email attachments that you were expecting. Not sure about an email? Call the person to confirm they sent it.  (02/01/19)

Helpful Tools

This week’s tip is some helpful tools you can use to know some things about your online presence.

First, search yourself online. See what information is publicly available about you and your family. This is as easy as using Google, Yahoo, Bing or any other search engine. Type out your official given name, and any variations of your name (nicknames) that you are called. Check for children, elderly parents or other family members who may not know how to search.

Second, test your passwords to see how strong they really are. You can Google “Password tester” or try this website, Here, you can type out any password or passphrase you use and see how quickly a bad guy could guess it.

Third, check your email addresses to see if they have been part of any data breaches. The website allows you to check any email address to see if that account has been compromised in a data breach. If so, it tells you in what breach they found that email address.

If, when researching, you find your email address is part of a breach that has happened since your last password reset, CHANGE YOUR PASSWORD on that account.

Any questions about using these tools, contact the Information Security Team at

Stay safe! (01/25/19)

Tax Season

With the W2s available, it is the official start of the tax season. Be aware that every year, there are those who want to scam you out of your return, pretend to be the IRS demanding back taxes, or steal your identity with your tax documents. Remember your Information Security Training about social engineering and phishing. Read more for a more detailed explanation and helpful resources.

It’s Tax season – Don’t be a victim!

It’s tax season and soon the W-2s and associated forms will start circulating, which means we must be aware of tax scams. In past years, there have been three popular scams criminals have used that people fall victim to. The three scams include falsifying tax returns and filing them in a victim’s name, calling a victim and pretending to be Internal Revenue Service (IRS) agents, and phishing e-mails.

Falsifying tax returns and filing them in a victim’s name can occur when a malicious actor finds or receives information about the tax filer, including the filer’s name, address, date of birth and Social Security number. The malicious actor then uses this information to file a malicious tax return, citing as many deductions as possible, in order to create the largest tax return possible.

Another scam occurs when the malicious actor contacts the victim and tries to convince the victim to do something, such as immediately paying a fine or providing their financial information so a refund can be issued. In these instances, the malicious actor uses what they know about the victim, often information gained from a data breach or social networking website, to convince the victim that the caller has access to the victim’s tax information. Frequently during these calls, the caller will pretend to be an IRS agent.

In the third type of tax scam, malicious actors use tax-related spam, phishing emails, and fraudulent websites to trick victims into providing login names, passwords, or additional information, which can be used in further fraud. Other emails or websites may also download malware to a person’s computer that may make them vulnerable to tax fraud.

Be Cautious

  • Watch for “spoofed” websites that look like the official website but are not.
  • Don’t be fooled by unsolicited calls. The IRS will never call to demand immediate payment or require you to use a specific payment method such as pre-loaded debit or credit cards, or wire transfers. They will never claim anything is “urgent” or due immediately, nor will they request payment over the phone. If you owe taxes, the IRS will first mail you a bill, before contacting you through another medium.
  • The IRS will not be hostile, insulting, or threatening, nor will they threaten to involve law enforcement in order to have you arrested or deported.
  • Sometimes malicious actors change their Caller ID to say they are the IRS. If you’re not sure, ask for the agent’s name, hang up, and call the IRS (or your state tax agency) back using a phone number from their official website.


If you believe you are the victim of identity theft or identity fraud, there are a couple of steps you should take:

  1. File a report with your local law enforcement agency.
  2. File a report with the Federal Trade Commission (FTC) at
  3. File a report with the three major credit bureaus and request a “fraud alert” for your account (Equifax, Experian, TransUnion).

If you receive spam or a phishing email about your taxes, do not click on the links or open any attachments, instead, forward the email to Other tax scams or frauds can be reported according to the directions on this IRS Suspected Tax Fraud web page.

This week’s tip comes from our friends in Knoxville, from the OIT’s IT Weekly Newsletter. (01/18/19)

Be Suspicious!

This week’s tip is a reminder to be suspicious of people you don’t know who ask for sensitive information. “Social engineers” use lies and manipulation to trick people into giving away sensitive information, such as usernames, passwords, and credit card numbers. Don’t fall for it!

Follow these best practices: always maintain a healthy sense of skepticism when dealing with unknown individuals, especially if they ask for any internal or sensitive information.  (01/14/19)

Securing New Devices

Three weeks ago, the tip of the week was about securing mobile devices when traveling during the holidays. But what if you got a NEW device as a gift? Did you get a new smart TV, phone, watch or toy? Do you know how to make a device more secure when you set it up? Here are some helpful tips. Hopefully you have already put them in place, but if not, read on!

During the holidays, internet-connected devices also known as Internet of Things (IoT) are often popular gifts—such as smart TVs, watches, toys, phones, and tablets. This technology provides a level of convenience to our lives, but it requires that we share more information than ever. The security of this information, and the security of these devices, is not always guaranteed.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), recommends these important steps you should consider to make your Internet of Things more secure:

Use strong passwords. Passwords are a common form of authentication and are often the only barrier between you and your personal information. Some Internet-enabled devices are configured with default passwords to simplify setup. These default passwords are easily found online, so they don’t provide any protection. Choose strong passwords to help secure your device. See Choosing and Protecting Passwords for more information.

Evaluate your security settings. Most devices offer a variety of features that you can tailor to meet your needs and requirements. Enabling certain features to increase convenience or functionality may leave you more at risk. It is important to examine the settings, particularly security settings, and select options that meet your needs without putting you at increased risk. If you install a patch or a new version of software, or if you become aware of something that might affect your device, reevaluate your settings to make sure they are still appropriate. See Good Security Habits for more information.

Ensure you have up-to-date software. When manufacturers become aware of vulnerabilities in their products, they often issue patches to fix the problem. Patches are software updates that fix a particular issue or vulnerability within your device’s software. Make sure to apply relevant patches as soon as possible to protect your devices. See Understanding Patches for more information.

Connect carefully. Once your device is connected to the Internet, it’s also connected to millions of other computers, which could allow attackers access to your device. Consider whether continuous connectivity to the Internet is needed. See Securing Your Home Network for more information.

Brought to you by US-CERT (United States Computer Emergency Readiness Team). (01/04/19)

Online Shopping

This week’s tip will be the last one for this year. While hopefully you have completed your holiday shopping, this tip is a suggestion for shopping online.
When shopping online, always use your credit cards instead of a debit card. If any fraud happens, it is far easier to recover your money from a credit card transaction. Gift cards and one-time-use credit card numbers are even more secure.

Have a wonderful and safe holiday break. Remember to keep your information secure, no matter what form it takes. (12/21/18)

Holiday Travel

This week’s tip is about securing your mobile devices during holiday travel. It comes from the United States Computer Emergency Readiness Team (US-CERT). There are a number of tips and explanations if you read more.

Know the risks

Your smartphone, tablet, or other device is a full-fledged computer. It is susceptible to risks inherent in online transactions. When shopping, banking, or sharing personal information online, take the same precautions with your smartphone or other device that you do with your personal computer — and then some. The mobile nature of these devices means that you should also take precautions for the physical security of your device (see Protecting Portable Devices: Physical Security for more information) and consider the way you are accessing the internet.

Do not use public Wi-Fi networks

Avoid using open Wi-Fi networks to conduct personal business, bank, or shop online. Open Wi-Fi networks at places such as airports, coffee shops, and other public locations present an opportunity for attackers to intercept sensitive information that you would provide to complete an online transaction.

If you simply must check your bank balance or make an online purchase while you are traveling, turn off your device’s Wi-Fi connection and use your mobile device’s cellular data internet connection instead of making the transaction over an unsecure Wi-Fi network.

Turn off Bluetooth when not in use

Bluetooth-enabled accessories can be helpful, such as earpieces for hands-free talking and external keyboards for ease of typing. When these devices are not in use, turn off the Bluetooth setting on your phone. Cyber criminals have the capability to pair with your phone’s open Bluetooth connection when you are not using it and steal personal information.

Be cautious when charging

Avoid connecting your mobile device to any computer or charging station that you do not control, such as a charging station at an airport terminal or a shared computer at a library. Connecting a mobile device to a computer using a USB cable can allow software running on that computer to interact with the phone in ways that a user may not anticipate. As a result, a malicious computer could gain access to your sensitive data or install new software.

Don’t fall victim to phishing scams

If you are in the shopping mode, an email that appears to be from a legitimate retailer might be difficult to resist. If the deal looks too good to be true, or the link in the email or attachment to the text seems suspicious, do not click on it!

What to do if your accounts are compromised

If you notice that one of your online accounts has been hacked, call the bank, store, or credit card company that owns your account. Reporting fraud in a timely manner helps minimize the impact and lessens your personal liability. You should also change your account passwords for any online services associated with your mobile device using a different computer that you control. If you are the victim of identity theft, additional information is available from

For even more information about keeping your devices safe, read Cybersecurity for Electronic Devices. (12/14/18)

Check the Sender

This week’s tip is about checking your email on mobile devices and finding out the sender’s actual email address. Most apps only show the “display name” of the sender on screen and not the email address with whom it is associated. However, if a friend or colleague’s name is spoofed, it looks like the email is from them. On most apps, you can click on, or press and hold on, the sender’s name in the email to see the details about the sender’s email address. If this doesn’t work, research how to see the email address for the specific app and device you are using. (12/07/18)
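The comparison this tip and the gift card scam tip above both ask for (look at the sender's address, not just the display name) can be automated for raw message headers. This is an added Python example, not part of the original tips; `university.example`, the `mailbox.example` addresses, the directory entries and the three sample messages are all constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr
import re

ORG_DOMAIN = "university.example"   # assumption: your organization's mail domain

# Constructed directory of people whose names a scammer might borrow.
KNOWN_PEOPLE = {
    "pat morgan": "pmorgan@university.example",
    "dana lee": "dlee@university.example",
}
TITLES = {"dr", "dean", "prof", "professor"}


def normalize(name):
    """Lower-case a display name and drop titles so 'Dr. Pat Morgan' matches."""
    words = re.findall(r"[a-z]+", name.lower())
    return " ".join(w for w in words if w not in TITLES)


def check_sender(raw_message):
    """Return a list of warnings about the From header of one raw message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    warnings = []

    # A familiar name on an unfamiliar address is the gift card scam pattern.
    known_address = KNOWN_PEOPLE.get(normalize(display))
    if known_address and address.lower() != known_address:
        warnings.append(f"name '{display}' belongs to {known_address}, "
                        f"but the message came from {address}")
    elif domain != ORG_DOMAIN:
        warnings.append(f"external sender: {address}")

    # A display name that contains an address hides the real one in apps
    # that show only the display name.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display)
    if embedded and embedded.group(0).lower() != address.lower():
        warnings.append(f"display name shows {embedded.group(0)}, "
                        f"real address is {address}")
    return warnings


# Constructed sample messages.
LEGIT = ('From: "Pat Morgan" <pmorgan@university.example>\n'
         'Subject: Budget meeting\n\nSee you at 3.\n')
SPOOFED = ('From: "Dr. Pat Morgan" <pat.morgan.office@mailbox.example>\n'
           'Subject: Are you available?\n\nI am in a conference.\n')
HIDDEN = ('From: "dlee@university.example" <dana.lee.2291@mailbox.example>\n'
          'Subject: Quick favor\n\nText me at this number.\n')

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("hidden", HIDDEN)):
        print(label, check_sender(raw))
```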

Protecting Against Identity Theft

As the holidays draw near, many consumers turn to the Internet to shop for goods and services. Although online shopping can offer convenience and save time, shoppers should be cautious online and protect personal information against identity theft. Identity thieves steal personal information, such as a credit card, and run up bills in the victim’s name.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages consumers to review the following tips to help reduce the risk of falling prey to identity theft:

If you believe you are a victim of identity theft, visit the FTC’s identity theft website to file a report and create a personal recovery plan. (11/30/18)

Holiday Shopping

At this time of year, we cannot stress enough to be cautious in holiday shopping, whether online or in person. If shopping online, make sure the website is secure with an https:// or a lock icon by the URL field.

Don’t click on links wanting you to track your holiday packages. Go to the shipping site directly. Be aware of who is handling your credit card when it is not in your possession.

Lifelock has a good article on tips for online shopping. It can be found at

(Or search the Internet and find the article instead of clicking on a link!) (11/21/18)

National Fraud Day

November 11th was Veterans Day. We want to take a moment to thank all Veterans for their service.

Yesterday was also National Fraud Day. Unfortunately, fraud is a worsening problem. According to Javelin Strategy & Research, there were 16.7 million victims of identity fraud in 2017, beating the previous year’s record high. The total cost of that identity theft was a staggering $16.8 billion, and nearly a third of US consumers had to be notified of some sort of breach (remember the Equifax breach? There’s a good chance that you were one of the 143 million people affected by it). Account takeovers also tripled in 2017, causing a total of $5.1 billion in damages. On an individual level, each victim paid an average of $290 out-of-pocket and spent 15 hours trying to resolve the fraud. Not the way I’d like to spend my spare time or money!

So how can we as consumers protect ourselves? Passwords are a great place to start. Of those that participated in the Consumer Fraud Awareness survey by Shred-It, half felt that their security practices made them vulnerable (49%) and admitted to reusing passwords and PINs (51%). Clearly, consumers understand that bad password habits make them vulnerable, but they don’t change these habits. Perhaps the thought of having a strong password for each online account is too daunting. If you feel that way, maybe a password manager is an option to consider. At the very least, make sure that your financial accounts have strong passwords, even if it requires a little extra effort to remember them. Another option is good old-fashioned pen and paper. While you don’t want to leave Post-it notes with your most sensitive passwords on every surface of your cubicle or office, writing down an important password and keeping it in a fireproof lockbox is never a bad idea when the alternative is creating a weak password or reusing a password.

Finally, keep an eye on your accounts. You won’t be able to respond to an incident if you don’t know that it’s happened. Check your bank statements frequently and don’t forget that you’re entitled to one free credit check a year from each of the Big Three credit reporting agencies. If you spread these checks out throughout the year, you can check your credit at for free every few months to make sure that someone hasn’t stolen your identity and is opening up lines of credit in your name.

Article:   (11/16/18)


This week’s tip is a reminder that when you leave your seat, Ctrl–Alt–Delete! Make sure you lock your workstation or laptop while you are away from it. On a Mac? Try Control–Shift–Eject/Power. (11/02/18)

What is a Social Engineer?

This week’s tip is a reminder never to give out information without first verifying the identity of the person requesting it. A social engineer is a person who attempts to get confidential information purely through social skills, such as by calling and asking for passwords or other sensitive information. They will often claim to be a member of your organization or an organization that works directly with you, and may even know detailed information about your organization and your coworkers. Never give out information to anyone without verifying their identity first. Use a second means of communication to verify. This means that you shouldn’t reply to an email for verification but pick up a phone and call the requester, or go see them in person. (10/26/18)

Encrypt Sensitive Data

This week’s tip is a reminder to encrypt any sensitive data when stored and transmitted. This goes for internal emails also, not just information leaving the UTHSC system. The use of the vault is the best way to send confidential files quickly and securely. You can also encrypt emails by adding the word “encrypt” to the subject line of any email from the UTHSC domain.

More information about email encryption can be found at (10/19/18)

Lock Your Mobile Devices

This week’s tip is short and sweet. Lock your mobile devices. Every one of them. Make sure your family members are locking theirs also. Think of how many apps have passwords that your phone or tablet automatically stores so that you don’t have to sign in every time you launch the app. Think about how much information someone could get if they got your phone and could access all that data. (10/12/18)

IoT Devices

The world’s population is 7.2 billion people. There are 255 births globally per minute. What is growing faster than that population? The Internet of Things. By 2020, it is estimated that there will be almost 31 billion IoT devices. Each one of these devices that connects you to the internet is a way into your network and your information. Change the default password on all these devices!

These are your smartphones, your in-home monitoring devices, your doorbells, kitchen appliances, TVs, insulin pumps, heart monitors, lawn mowers (believe it or not!), tablets… and the list goes on and on. (10/10/18)

National Cybersecurity Awareness Month is Here!

This week’s theme for National Cybersecurity Awareness Month is “Make your Home a Haven for Online Safety”. Our UTHSC community consists of members from every generation with different thoughts on technology. What we all have in common, though, is a need for safety when using the internet, whether at home or at work.

Did you know that 48% of U.S. consumers intend to buy at least one smart home device in 2018? Privacy and security are of great concern when purchasing these devices. Everyone, no matter what generation, needs to continuously learn about and practice good cybersecurity at home.

Don’t be the weakest link!  Tips for staying safe online can be found at Stay Safe Online. (10/04/18)

USB Drives and Viruses

This week’s tip is a caution about USB drives. Remember that USB drives can carry viruses. Once plugged into a computer, a USB drive can transfer a virus or other malware to your system. Never plug an unknown USB drive into your device. Keep your USB drives clearly marked to prevent any confusion between you and your coworkers and always keep them in a specific place. (09/27/18)

Seriously - Never Share Your Password!

This week’s tip is a reminder to NEVER SHARE YOUR PASSWORD. If anyone is asking for your password, it is NOT for a legitimate reason. Your password is your gateway to whatever system you are accessing, whether it is a system on campus with your NetID, or your banking information, social media accounts, or other systems. Don’t give your access away. Keep your passwords private! (09/20/18)

Don't Click on Phishing Links

Because of the persistent phishing attempt that happened last Friday afternoon and over the weekend, this week’s tip is a reminder to not click on links in emails. While the phish was cleverly created, using a Subject line from a compromised account that was a current conversation, a hover over the link would have alerted everyone that it was not an Office 365 or Outlook message.

Take time before clicking on links to verify that each one goes to a site you are expecting. This attack was widespread because it was pretty clever. We have to be just as clever and vigilant!

If your account was compromised and you have yet to speak to the Information Security Team about the content of your UTHSC emails, please contact the team at 901-448-1880.  (09/14/18)

National Preparedness Month

September is National Preparedness Month. While this is usually thought of as readiness for a natural disaster, the same is true about preparing for a cyber-related event, such as identity theft or a ransomware attack.

People are encouraged to be prepared in case of a cyber-related event by regularly backing up files, keeping digital copies of important documents somewhere other than your computer (e.g., in the cloud), and regularly running antivirus scans.

Learn more about individual and family emergency preparedness at For additional resources on preparing for and responding to unexpected cyber-related events, see and the following NCCIC (National Cybersecurity & Communications Integration Center) Tips:

Stay safe and prepared!  (09/07/18)

Don't Open Attachments

This week’s tip (reminder) is about not opening attachments in emails. If you are not expecting a document to be delivered to you, proceed with caution! Email is an easy gateway to your devices and information. Macros in Word documents or PDFs can trigger things to happen that you aren’t even aware of. If you receive an attachment you are not expecting, contact the sender to ask about it. Don’t reply to the email, but use a second way of communication to verify. (08/31/18)

Change that Password

This week’s tip is to change your password immediately if you suspect that you have been compromised. This applies to your UTHSC NetID password, your banking accounts, social media accounts and everything else that is password protected. Also, NEVER use the same password for multiple accounts. Each account should have its own unique password. (08/24/18)

Just Don't Click!

This week’s tip is a reminder not to click on links in emails, even if it is from someone you supposedly know. UTHSC was hit hard this week with many people giving away their NetID passwords in a phishing scam. The phishers then used the Sent Items of those compromised accounts to pretend to “continue” a conversation, using the Subject line of a previous email, but asking the person to click on a link and sign in to read a message. This gave the bad people even more NetIDs and passwords to continue the phish.


  • Do not click on links in emails!!!!!
  • If you have concerns about an email, call the person and ask if it is legitimate. DO NOT reply to the email, as the bad people have control of the account. Use a second means of communication.
  • Hover over links in emails to see exactly where they want you to go.
  • Do not click on links in emails!!!!!
  • Report any suspicious emails to The quicker we know, the faster we can stop the attack.
  • Do not click on links in emails!!!!!

Stay safe out there in the cyber world!

For more information, or if you would like an Information Security Team member to come talk to your group about this or any other InfoSec topic, contact the team at (08/17/18)

Password Protection and Reporting Suspicious Emails

Part One

You have been advised time and again not to share your password with anyone. That’s great! You know it and live it. But what happens when someone asks for it? You know not to give it out, but what do you say to this person (on the phone or in front of you)? You don’t want to be “rude,” you want to be accommodating, and you are starting to stress because you don’t know how to respond.

Here is your response: “I have been told never to share my password with anyone. I will not give it to you.”  THE END

If they insist, simply repeat the script. It is all you need to say.

Part Two

This campus cannot be protected without you, the people. And yes, I mean you – each and every single one of you. It is so invaluable when a scam or phishing email is reported to As soon as it is reported, we go to work. If it is a link to a bad URL, we work with Networking to block the site so no one can get to it while on our network. If it is a wide-spread attack or a malicious download, we work with Systems to remove the email from everyone’s inbox so that no one has to even see it. Timeliness is the key. The sooner we know, the sooner we can act. Most of the time, the bad people don’t send the bad emails to us personally, so we don’t know about it until someone reports it.

So, the big, well deserved THANK YOU goes out to everyone who reports these phishes and scams to Your help is appreciated more than you know. We invite everyone to send in your suspicious emails. Even if you are unsure, forward it to us. We’ll let you know if it is legitimate. Better safe than sorry. (08/10/18)

Toolbar Downloads

This week’s tip is about those pesky toolbars that software downloads want you to load. These usually come as a small check mark when downloading software (as a “free” install). These toolbars can be a nuisance or even malicious. Be cautious about what you download! (08/03/18)

Protect Your Personal Information

Companies you do business with should never ask for your account information, credit card numbers or password in an email. If you have any questions about an email you receive that supposedly came from your financial institution or service provider, contact them directly (not by replying to the email) to verify. (07/27/18)

Tech Support Scams

The Federal Trade Commission has released an alert on tech support scams. Scammers use pop-up messages, websites, emails, and phone calls to entice users to pay for fraudulent tech support services to repair problems that don’t exist. (07/20/18)

Use Care When Logging In

This week’s tip is a reminder to be careful WHERE you login. Don’t login to untrusted devices. A password is only as secure as the computer or network it is used on. As such, never log in to a sensitive account from a public computer, such as computers in a cyber cafe, hotel lobby or conference hall. (07/13/18)

Don't Click Links!

At least in unsolicited emails, that is.  Holiday weeks usually see a spike in phishing attempts, and this week was no exception. Did you get an email this week with a subject of “Thank you for your contribution” or “Termination Notice”? How about “Update Required!!” or “PART TIME JOB OPPORTUNITY”? (Got to love the ALL CAPS!). (07/06/18)

Managing Your Privacy Settings Online

You get great advice that you need to manage your privacy settings, but how do you go about doing that on each app that you have? The National Cyber Security Alliance has a great web page that gives clear instructions on how to manage your privacy settings for many common apps. (06/29/18)

Safety Awareness Month

Does anyone know what June is? It still is Internet Safety Awareness Month. This week’s tip is about malware, ransomware and botnets. Botnets? What are those? Can they hurt my devices? Educating yourself about what is out there that can harm you is half the battle of keeping safe. Learn more about it!

The National Cyber Security Alliance has an article about all of these issues.  They even have tip sheets that would be great for your office area, or your family members. (06/22/18)


These days, our digital devices contain vast amounts of data, from family photos and music collections to financial/health records and personal contacts. While convenient, storing all this information on a computer or mobile phone comes with the risk of being lost. Here's the entire article about the importance of backing it up! (06/15/18)

Shopping Online

Let’s talk about online shopping. There are many ways to stay safe online when you shop. The National Cyber Security Alliance has a comprehensive article about how to protect yourself when shopping online.  (06/08/18)

Internet Safety Month

June is Internet Safety Month, so all the tips this month will have the theme of Internet Safety. This week’s tip is about Spam and Phishing. Wait-isn’t that about emails?
While you would normally associate those attacks with emails, they can come from other sources such as social media and other communications. And they most likely want you to access the internet so they can gain your information.

Here are some tips on how to avoid being a victim:

  • Don’t reveal personal or financial information in an email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Before sending or entering sensitive information online, check the security of the website.
  • Pay attention to the website’s URL. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com versus .net).
  • If you are unsure whether an email request is legitimate, forward the email to We can check it out, and if it is a malicious email, we can block the website so other campus members cannot click on the link.
  • Keep a clean machine. Keep all software on internet-connected devices – including PCs, smartphones and tablets – up to date to reduce risk of infection from malware.

The National Cyber Security Alliance's full article about Spam and Phishing.

Stay safe in the world wide web! (06/01/18)

What is Malware?

Malware is software–a computer program–used to perform malicious actions. In fact, the term malware is a combination of the words malicious and software. Cyber criminals install malware on your computers or devices to gain control over them or gain access to what they contain. Once installed, these attackers can use malware to spy on your online activities, steal your passwords and files, or use your system to attack others. (05/25/18)

Stow It!

Any time that you are staying somewhere away from home, protect your information by storing all devices as securely as possible. If there is no safe in your hotel room, ask the front desk if they have a general-purpose hotel safe that you can use. Otherwise, you should secure your items by locking them up in luggage whenever you are not using them. (05/18/18)


This week’s tip is about Bluetooth. When not in use, turn it off. Not only does this make it more secure, but it also saves battery life. (05/10/18)

Never Share Your Password

NEVER give your password to anyone. Once it is no longer a secret, it is no longer secure. If anyone calls saying they are from the help desk or tech support team and asks for your password, they are not legitimate. It is someone trying to access your credentials.

Twitter announced yesterday that everyone with an account should change their password. It seems as if Twitter stored everyone’s password in an internal file that was not encrypted. While they claim that the password file was not breached or exposed in any way, they are recommending that every Twitter account user change their password. Might be a good time to update those privacy settings, too! (05/04/18)

Lock It Up!

When away from your devices, whether it is a quick trip to get a cup of coffee down the hall or going to a meeting, lock your devices so others cannot gain access. Leaving your seat? Ctrl–Alt–Delete! Make sure you lock your workstation or laptop while you are away from it. On a Mac? Try Control–Shift–Eject/Power.  (04/27/18)

Keep an Eye on Attachments

A common method cyber criminals use to hack into people’s computers is to send them emails with infected attachments. People are tricked into opening these attachments because they appear to come from someone or something they know and trust. Only open email attachments that you were expecting. Not sure about an email? Call the person to confirm they sent it. (04/20/18)

Mobile Apps and Social Media

With an estimated 87 million Facebook users’ information disclosed, now is a great time to check your privacy settings on all social media accounts and mobile apps. Also, make sure that your mobile apps come from trusted sources. If an app is brand new, has few reviews or many negative reviews, then choose a different one. (04/13/18)

Review All Programs on your Devices

Decide if you still use them or if they can be removed. Outdated software and operating systems (OS) are unlocked doors into your information. Just like you clean out your refrigerator, pantry or closet in a timely manner, do the same to your electronic devices… all of them! (04/06/18)

Securely Disposing of Your Mobile Device

(by Heather Mahalik, Digital Forensics Expert)

There is most likely a tremendous amount of sensitive information on your mobile device.  Regardless of how you dispose of your mobile device, such as donating it, exchanging it for a new one, giving it to another family member, reselling it, or even throwing it out, you need to be sure you first erase all of that sensitive information. You may not realize it, but simply deleting data is not enough; it can easily be recovered using free tools found on the Internet.  Instead, you need to securely erase all the data on your device, which is called wiping. This actually overwrites the information, ensuring it cannot be recovered or rendering it unrecoverable. Remember, before you wipe all of your data, you most likely want to back it up first. This way, you can easily rebuild your new device.

The easiest way to securely wipe your device is to use its “factory reset” function. This will return the device to the condition it was in when you first bought it. We have found that factory reset will provide the most secure and simplest method for removing data from your mobile device. The factory reset function varies among devices; listed below are the steps for the two most popular devices:

  • Apple iOS Devices: Settings | General | Reset | Erase All Content and Settings
  • Android Devices: Settings | Privacy | Factory Data Reset

Unfortunately, removing personal data from Windows Phone devices is not as simple as a factory reset. More research is being conducted on methods to ensure your personal data is wiped from the device. If you still have questions about how to do a factory reset, check your owner’s manual or manufacturer’s website. Remember, simply deleting your personal data is not enough, as it can be easily recovered. (03/29/18)

Outlook's Preview Pane

Use Outlook’s preview pane to view attachments for credibility before opening. Don’t open attachments that you are not expecting, or from people you don’t know. (03/23/18)

Scams Specifically Designed for Universities and their Students

Arizona State University created a public service video using some pieces of an actual scam one of their international students recorded. The two minute video has some very good tips and advice. It can be found at

(Thank you Connie Childs from International Affairs for forwarding!  If you have a tip you would like to share or a topic you would like discussed in these weekly tips, please email Chris Madeksho, Information Security Coordinator, at (03/16/18)

Detecting Fraud

Review your bank, credit card and financial statements regularly to identify unauthorized activity. This is one of the most effective ways to quickly detect if your bank account, credit card or identity has been compromised. (03/09/18)

Protect Your Social Media

A strong password or passphrase is key to keeping your information private. Also, check the privacy settings to make sure that you are not sharing information you don’t want to. Last, use two-factor authentication whenever possible. (03/02/18)

Prevent Device Loss

According to the Verizon DBIR report, you are 100 times more likely to lose a laptop or mobile device than have it stolen. When traveling, always double-check to make sure you have your mobile device with you, such as when leaving airport security, exiting your taxi or checking out of your hotel. (02/23/18)

Scams, Scams, Scams and more Scams!

This week’s tip is a reminder that there are always numerous scams where criminals are trying to social engineer you out of money or your personal information. They use whatever scheme works.

Examples are calls/texts from the IRS stating you owe taxes.  How about a donation to help fund the Olympic team on their quest for gold? In the news this morning was the “Love Scam” where people are getting messages that someone has compromising pictures of them, or proof that they did inappropriate acts and will make the situation go away for just a little fee.

The Online Threat Alerts website keeps track of the latest online scams.

Stay safe everyone!  If something looks too good to be true, it probably is.  If you have any questions about an email, phone call or text message, don’t hesitate to contact the Information Security team at for help. (02/16/18)

Email Attachments

We’ve had a rash of phishing attempts on campus with attached “receipts” or “invoices” that need attention. If you are not expecting an invoice or a receipt for something you purchased, DO NOT OPEN THE ATTACHMENT. It is probably meant for malicious purposes. Send any questionable emails to (02/09/18)

Trust Your Instincts

Common sense is your best protection. If an email, phone call or online message seems odd, suspicious or too good to be true, it may be an attack.  If you receive any such message, report it to  We can let you know if it is a legitimate message or if you are being phished.

Two of the modules in the Information Security Training are about Social Engineering and Email, Phishing and Messaging. These, along with the other modules, contain helpful information for everyone personally.

Make sure you and your coworkers have completed the Information Security Training for the 2017-18 academic year. The information you receive is very much worth the 30-40 minutes of your time. (And it is required training.) (02/02/18)


Malware is software–a computer program–used to perform malicious actions. In fact, the term malware is a combination of the words malicious and software. Cyber criminals install malware on your computers or devices to gain control over them or gain access to what they contain. Once installed, these attackers can use malware to spy on your online activities, steal your passwords and files, or use your system to attack others. (01/26/18)

Social Engineers

This week’s tip, from, is to be suspicious of people you don’t know who ask for information.

“Social engineers” use lies and manipulation to trick people into giving away sensitive information, such as usernames, passwords, and credit card numbers.  Don’t fall for it!  Follow these best practices: always maintain a healthy sense of skepticism when dealing with unknown individuals, especially if they ask for any internal or sensitive information. (01/18/18)

Major News Events and Phishing

When a major news event happens, cyber criminals will take advantage of the incident and send phishing emails with a subject line related to the event. These phishing emails often include a link to malicious websites, an infected attachment or are a scam designed to trick you out of your money. (01/05/18)

Fraudulent Emails

The FBI Internet Crime Complaint Center is warning consumers about a fraudulent email scam. The emails claim to be from one of three shipping businesses and claim that a package intended for the email recipient cannot be delivered. The messages include a link that recipients are encouraged to open in order to get an invoice to pick up the package; however, the link connects to a site containing malware that can infect computers and steal the user’s account credentials, log into the accounts to obtain credit card information and additional personal information, and learn about a user’s shipping history for future cyberattacks.

The messages may consist of subject lines such as: “Your Order is Ready for Shipment,” “We Could Not Deliver Your Package” or “Please Confirm Delivery.” The shipping companies say they do not send unsolicited emails to customers requesting information regarding packages, invoices, account numbers, passwords or personal information, and if you receive such a notice, don’t respond. You should delete the email immediately or forward it to the company’s listed contact email address. If your interaction with the website resulted in financial loss, you should contact your bank immediately.

If you unintentionally visited or encountered a site suspected of utilizing this scam, you may also report it to your local FBI Office and/or the Internet Crime Complaint Center (IC3): (12/22/17) 

Multi-factor Authentication

Multi-factor authentication is the practice of needing more than just a password to log into a system or application. It is one of the best ways to secure any account. Usually the second step is a code that is sent to an outside receiver, such as a cell phone. If you don’t have both the password and the pass code, you don’t get in. Many services, such as Google and Facebook, allow a user to have two-factor authentication. (12/15/17)

Don't Fall for It!

There are two prevalent holiday-themed phishing schemes that happen this time every year. The most common is the email letting you “track your package” by clicking on a link. Don’t fall for it. If you really are expecting a package, or get a notification about a delivery, go to the website from which you purchased the item and track your order from there.

The second phishing scheme, which is gaining in popularity, is fake shopping sites. These are sites either found on social media or delivered via email, enticing you with a product that would make a great gift for a loved one. They want you to click on the link to go shopping, and the website might even look legit. However, all they want is your credit card and other personal information. Only go to trusted sites to do any online holiday shopping.

When shopping online, look for https:// in the URL or a green lock symbol to verify that the site you are on is secure. (12/08/17) 

National Tax Security Awareness Week

This week has been designated as National Tax Security Awareness Week. The IRS has been publishing tips and news releases all week to encourage both individual and business taxpayers to take steps to protect their tax data and identities in advance of the 2018 filing season. All their information can be found at (12/01/17)

Shopping Tips

Be cautious of emails or texts you receive that look like they are from shipping companies wanting you to “track” a package. Do you click on links in emails? NO!!!! Think about whether you even have a package to track. If so, go to the shipping company’s webpage to track it. Other holiday schemes seen every year are fake charities hoping to cash in on your generosity. Never respond to an email from a person you do not know.

Shopping online this season? Be careful about what personal and financial information you give away and to whom. Make sure that you are on a secure website (https://) or see the lock symbol next to the URL.

Also – think about what you are buying. Are you purchasing something that either you or the person receiving the gift will connect to the internet? Make sure it is secure.

There is an Online Holiday Shopping tip sheet from the National Cyber Security Alliance that can be found here: (11/22/17) 

Never Share Your Password

This week’s tip is a reminder NEVER to give your password to anyone. Once it is given out, it is no longer secure. The Help Desk will never ask for your password. If someone calls you and asks for your password while saying they are from the Help Desk or Tech Support team, it is an attacker attempting to gain access to your account.

Be cautious of anyone asking for personal or sensitive information if you are not completely sure of who they are. Just because they say they are from your bank, doctor’s office, or another trusted place, doesn’t mean that they really are.  Use another means of validating their request for information, such as visiting their website directly from a browser, or calling them directly (not from a phone number listed in an email). (11/17/17) 

You're the Weakest Link

This week’s tip is a reminder that you are the weakest link regarding the security of your information. You don’t have a firewall protecting what you say.

Sites have requirements on passwords (how long, special characters, etc.), but if you still use your name and your birthdate, bad guys can figure it out.

If you post everything about you online, bad guys will learn your habits, your family’s information, and who your best friend is. They can also find out when your entire family is on vacation and know when you will be out of your house for an entire week.  Why???  BECAUSE YOU TOLD THEM.

Be cautious about what you say, who you say it to, what you post online and what you receive in email or text messaging.

All this information is covered in this year’s Information Security Training, available now in Blackboard. (11/10/17) 

Clean Machine

Keep a clean machine. Cyber criminals frequently exploit vulnerabilities in old software for their attacks, which is why it is essential to regularly update the software on your Internet-connected devices (including PCs, smartphones, and tablets) to reduce the risk of infection from viruses and malware. (11/03/17) 

Share with Care

Share with care. Think before posting about yourself and others online. Once you post something publicly, it can never be fully deleted, so use caution. Consider what a post reveals, who might see it, and how it could be perceived now and in the future. Remember that future job recruiters and employers will likely look at your social media history and online presence, so make sure that you maintain a good reputation online. (10/27/17)

Value it. Protect it.

Treat personal information like money. Value it. Protect it. Information about you, such as your purchase history and location, has value – just like money. Not all apps and websites are reputable, so it’s up to you to protect your data from being misused. Be sure to read privacy policies and know what information an app, device, or website will collect about you to determine if you really want to share such details. Always be cautious about who you give your information to online. Research an app or device manufacturer or read independent reviews of a website before you trust them. (10/19/17)

Own Your Online Presence

Control and limit who can see your information online by checking the privacy and security settings on your accounts and apps. Anything you post publicly could potentially be seen by a cyber criminal, so keep your personal information private. Your phone number, birthdate, address, and even pictures that show the license plate on your vehicle should not be posted publicly. You should also turn off geotagging and location features on your mobile devices so criminals don’t know where you are in real time. (10/13/17)

National Cyber Security Month

In conjunction with National Cyber Security Month, these weekly tips in October will be brought to you by the Department of Homeland Security.

One small step can make a big difference in your online security. Each week during NCSAM, we’re sharing a quick and easy tip that you can try today to better protect yourself online.

Lock down your login. Usernames and passwords are often not enough to protect important accounts like email, banking, and social media. Fortify your accounts by enabling the strongest authentication tools available, such as multi-factor authentication for your online accounts and fingerprint identification and security keys to lock your mobile device.

The White House launched the “Lock Down Your Login” campaign to encourage all Americans to enable stronger authentication. Visit for more information. (10/05/17) 


Turn off Bluetooth if you are not using it on your computer or device. Not only does this make it more secure, but it also saves battery life. (09/29/17)

Email Attachments

A common method cyber criminals use to hack into people’s computers is to send them emails with infected attachments. People are tricked into opening these attachments because they appear to come from someone or something they know and trust. Only open email attachments that you were expecting. Not sure about an email? Call the person to confirm they sent it. (09/22/17)

CEO Fraud

CEO Fraud is a type of targeted attack. It commonly involves a cyber criminal pretending to be your boss, teacher or someone else in authority in our organization, then tricking or fooling you into sending the criminal highly sensitive information or initiating a wire transfer. Be highly suspicious of any emails demanding immediate action and/or asking you to bypass any security procedures. (09/15/17)

Protect Your Personal Information

With the announcement from Equifax yesterday about a breach of data affecting some 143 million Americans’ personal information, the Information Security Team would like to remind everyone what steps you can take to stay safer and more secure online. These tips come from the National Cyber Security Alliance.

Following any breach, everyone can better protect their accounts by following these steps to stay safer and more secure online, including:

  • Lock down your login. Use strong authentication — more than a username and password to access accounts — to protect your most valuable accounts, including email, social media and financial.
  • Keep clean machines: Prevent infections by updating critical software as soon as patches or new operating system versions are available. This includes mobile and other internet-connected devices.
  • Monitor activity on your financial and credit card accounts. If appropriate, implement a fraud alert or credit freeze with one of the three credit bureaus (this is free and may be included if credit monitoring is provided post breach). For more information, visit the Federal Trade Commission website
  • When in doubt, throw it out. Scammers and others have been known to use data breaches and other incidents to send out emails and posts related to the incident to lure people into providing their information. Delete any suspicious emails or posts, and get information only from legitimate sources. (09/08/17) 

Last Published: Sep 17, 2021