Don't email your password to anyone!
USU people are continually receiving bogus email messages trying to fool them into giving the bad guys their A-number and password. Any message apparently from IT at USU that does not conform to ALL of the following seven rules is probably a phishing scam that should be deleted without response:
1) We will never send you email asking for your password (never, never, never, with this one exception: never). (This is true of banks, credit card companies, PayPal, eBay, Amazon, the IRS, etc., as well.) If you have given away your password, please change it NOW at https://id.usu.edu/Password
2) We will always identify ourselves and give contact information for the IT ServiceDesk (see below) or the Security Team or other administrative unit that you can find in the USU online directory. We will never use vague, generic terms that you haven't heard in use on campus, like "the webmail team", "the usu.edu team" or "usu.edu Customer Care".
3) We will always send our message from a usu.edu address and expect your reply to a usu.edu address.
4) We will always send important information in the main body of the message, never in an attachment.
5) If our message directs you to a webpage, it will always be at usu.edu. Having USU logos and familiar page layouts is never enough; check the URL for "usu.edu" right before the first single slash. For example, http://abcde.usu.edu/something/somethingelse/page.html is at USU, but http://xyz.usu.edu.com/blahblah (no slash right after the usu.edu) and http://www.mnop.com/usu.edu/webmail (the slash after usu.edu is not the first single slash) are not.
6) We will never issue instructions that you must follow on short notice with serious, irrevocable consequences. Important changes in service for all users are always announced multiple times, in multiple ways (email, website, post cards, news releases).
7) We will always try our hardest to use better grammar, punctuation and spelling than you see in most phish messages.
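Rule 5's URL check, written out as an added example (it is not part of the original page or of any USU tool): it takes the host name, the part between "//" and the first single slash, and accepts it only if it is usu.edu or ends in ".usu.edu". The function names and the sample message body are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "usu.edu"  # the domain rule 5 says to look for
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed message body holding the three example URLs from rule 5.
SAMPLE_BODY = """\
Link 1: http://abcde.usu.edu/something/somethingelse/page.html
Link 2: http://xyz.usu.edu.com/blahblah
Link 3: http://www.mnop.com/usu.edu/webmail.
"""


def host_of(url):
    """Return the lower-cased host of an http(s) URL, or None if it has none."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # drops any port or user@ prefix
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host.rstrip(".")  # "usu.edu." and "usu.edu" are the same host


def is_at_usu(url):
    """True only if the host is usu.edu itself or a name ending in .usu.edu."""
    host = host_of(url)
    if host is None:
        return False
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def check_message(body):
    """Return a (url, is_at_usu) pair for every link found in a message body."""
    results = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:!?")  # sentence punctuation is not part of the link
        results.append((url, is_at_usu(url)))
    return results


if __name__ == "__main__":
    for url, ok in check_message(SAMPLE_BODY):
        print("at usu.edu    " if ok else "NOT at usu.edu", url)
```

Comparing against ".usu.edu" with the leading dot, rather than searching for the text "usu.edu" anywhere in the URL, is what makes both of rule 5's counter-examples fail the check.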
Be an Internet Skeptic!
If you get an unfiltered spam message within hours of its delivery, please forward it AS AN ATTACHMENT (ctrl-alt-F in Outlook) to (email@example.com). That address delivers to an automated analysis program at Ironport/Cisco. The analysis will use the information in attached messages to improve spam identification for USU and all of their other clients. Don't forward only the attachments that may have come with the spam message.
If you get a phish message (trying to fool you into revealing your password or other identifying information), please forward it to firstname.lastname@example.org so that we can try to identify other recipients at USU and warn them. However, if it's more than a day old, someone else probably beat you to it.
IT Service Desk
Location: JQL 108
Phone: 435.797.HELP (4357)
Toll Free: 1.877.878.8325
USU IT Security Team
SER 301, 797-1804
Here's an entertaining video about How to Tell if an Email is Real or Phish
Here is a demo of the lovable Anti-Phishing Phil, a commercial spinoff from Carnegie Mellon University.
Watch this video explanation of phishing, thanks to the University Of South Carolina, University Technology Services, IT Security Office.
Take this 10 question SonicWALL Phishing IQ test.
Here is a handy site that will test attachment files and URLs against numerous anti-virus packages and other analysis tools: http://www.virustotal.com/
Remember the 8 Steps to Protect Your Computer including:
- Computers must be managed
- check for and install all system updates (for Windows, Macintosh or Linux) and reboot
- check for and install all software/application updates (office suite, Acrobat, Flash, etc.)
- Install virus protection and keep it up to date
- Install a host-based firewall and configure it to block any contact that is initiated by outsiders.
- Backup your files
- Turn off file and print sharing
- Don't share files
- Keep physical control of your computer
- Use strong passwords and don't let your browser remember your passwords for you.
- Don't open unexpected email attachments or click on unfamiliar web links.
- Use McAfee SiteAdvisor or WOT with IE or Firefox. Also use NoScript and Adblock Plus with Firefox or XSS Filter with IE. Google Chrome has similar plugins (finding them is left as an exercise for the Chrome aficionados).