National Cybersecurity Awareness Month
It begins with an email that looks innocent enough. You click on the link, believing it is from a colleague or perhaps from your IT administrators. You are then taken to a site asking for your email address and password. This seems ordinary. After all, it seems like all websites these days require login information. What comes next is anything but ordinary. Your information has been stolen and is being used against both your organization and yourself.
These attacks are becoming more prevalent and sophisticated, so much so that October is National Cybersecurity Awareness Month. Now in its 16th year, it is hosted every October by the Department of Homeland Security and the National Cyber Security Alliance. According to fbi.gov, multiple agencies, including the FBI, collaborate to raise awareness about cybersecurity and stress the importance of a collective effort to stop cyber intrusions, online thefts, and scams.
Pitt and FIS are no different. We go to great lengths to protect the university’s financial information and educate our users on security awareness. Take, for example, the annual security awareness training videos that all connected computer users take, as well as CSSD’s fake phishing attempts.
The security awareness training must be completed by all users who log into a FIS machine. It is a series of interactive videos that test your knowledge of various subjects at the end of each video. After completing the training, you can print a certificate validating that you completed it. Security awareness training needs to be completed annually. However, every subsequent training is a refresher course and is less robust than the initial training. While this may seem a bit excessive, the numerous attacks that have occurred over the past few years at many corporations most definitely prove otherwise.
Those attacks and the information obtained as a result of them are the reason CSSD sends out fake phishing emails. The latest phishing attempt was an email sent from “Message Center firstname.lastname@example.org” and was titled “Incoming Emails Rejected.” The message was simple enough. It contained your email address, an understandable explanation of why the emails were rejected, and a link to retrieve the emails. These are some of the most damaging and common attacks.
With all of that in mind, here are some cyber safety tips the FBI highly recommends.
- Examine the email address and URLs in all correspondence. Scammers often mimic a legitimate site or email address by using a slight variation in spelling.
- If an unsolicited text message or email asks you to update, check, or verify your account information, do not follow the link provided or call the phone numbers in the message. Go to the company’s website to log into your account or call the phone number on the official website to see if something does, in fact, need your attention.
- Do not open any attachments unless you are expecting the file, document, or invoice and have verified the sender’s email address.
- Carefully scrutinize all electronic requests for a payment or transfer of funds.
- Be extra suspicious of any message that urges immediate action.
- Confirm requests for wire transfers or payment in person or over the phone as part of a two-factor authentication process. Do not verify these requests using the phone number listed in the request for payment.
If you have questions, feel free to submit a ticket through the FIS Service Portal.