Chance to Win $100 in Our Monthly Challenge 

Trophy with five stars

Our December through March competition winners have been selected. The winners are from the following departments: Congratulations to the winners and thank you to all who participated! Our community has more information and tools to protect ourselves because of your participation!  May Prize Giveaway For another chance to win, the InfoSec team is continuing to […]

Avoiding Facebook Marketplace Scams 

The closeup logo of Facebook Marketplace on an iPhone screen.

Unlike eBay, Facebook Marketplace doesn’t charge any fees for listing personal goods. Marketplace’s modern interface and safety features may interest you more than Craigslist. Unfortunately, Marketplace’s popularity also makes it attractive to scammers. If you see something you think is a scam, we recommend you stop communicating with the buyer or seller and report the suspected […]

Summer Travel and Job-Hunting Tips 

Cyclist rides their bike past Brookings Hall

Summer break is here, and many in the WashU community will be traveling or looking for a summer job. Unfortunately, the devices we rely on for managing travel have also become targets for theft and cybercrime. Whether you are searching for a job or taking a trip, please protect yourself and the WashU community. Remember the following […]

WashU’s Core Security Package and HIPAA Compliance

WashU workstations are carefully designed to have a core set of security applications to protect them from unauthorized access and comply with the HIPAA Security Rule. Equipment not sourced from our IT Depot, and WashU IT equipment with missing or disabled security controls, significantly increases the risk of an incident including ransomware or other loss of […]

InfoSec Emails with WashU Branding 

In August 2024, Washington University in St. Louis unveiled a refreshed visual identity. This update included a new university logo, an updated website, and the adoption of the widely used and affectionate nickname “WashU.” You can learn more about the refresh at Brand FAQ | University Marketing & Communications.  We will be updating our newsletter and […]

Malwarebytes Contract Cancelled

Our Malwarebytes contract is being cancelled, so Malwarebytes should not be used on WashU owned machines. The personal license is not to be used for business reasons. If you have any questions about this change, please email ithelp@wustl.edu

Chance to Win $100 in Our Monthly Challenge 

Trophy with five stars

The Office of Information Security (OIS) is always looking for ways to improve your security and reward your participation in helping to secure WashU. Back by popular request, the InfoSec team is continuing to assign the Inside Man series as our competition this April. The Inside Man is a soap opera-style training that covers critical […]

Scam of the Month: New payment request 

The Office of Information Security observes a trend in which criminals send fraudulent invoices, hoping that victims will click a malicious link, open the attachment, or call the given number.  If you see a message like the one below, please do not interact with the sender, phone number, or attachment. Do not follow any special […]

Security Responsibilities for PHI Handlers 

All WashU community members who handle PHI are responsible for maintaining a secure environment and patient privacy. This includes faculty, staff, volunteers, trainees, and students. WashU’s core technology systems are designed to safely store and transmit PHI for safety and compliance with HIPAA. Before using external websites or cloud services to store, create, or transmit WashU Confidential […]

Scam of the Month: Verify You’re a Human

Fake CAPTCHA

The Office of Information Security has observed a trend in which criminals create fake CAPTCHA pages to trick users into copying malicious code into their computer. To protect yourself, do not paste material into your computer. When a victim clicks the ‘I’m not a robot’ box, verification steps are presented.   Completing these steps triggers a […]

Keep Your Information Secure This Tax Season 

"Internal Revenue Service (IRS) You are eligible to receive a $1,400 Economic Impact Payment. Please provide your accurate personal information. We will deposit the amount into your bank account or mail a paper check within 1 to 2 business days. https://irs.gov.tax-tionds.com (Please reply with 'Y,' then exit the text message. Open it again, click the link, or copy it into your Safari browser and open it.)"

Tax Day is April 15, and internet scammers will capitalize on the moment. The Internal Revenue Service initiates most contact through regular mail delivered by the United States Postal Service. To verify the IRS sent the letter, you can search for it on IRS.gov. Sometimes, they will call or visit, but other than that, the Internal Revenue Service […]

The Risk of Running Unsupported Operating Systems

HIPAA Health Insurance Portability and Accountability Act

What if you are still running Windows XP or 7 on some of your computers? Extended support for Windows 7 ended on January 14, 2020, over 10 years after the release of Windows 7. Now the operating system no longer receives security updates. Some versions of Windows 10 and 11 are already unsupported. Devices with an […]

(Un)encrypted Messaging Under Hacked Telecoms 

One businessman spies on other businessman's phone looking over the shoulder

In October 2024, the Wall Street Journal reported a large cyberattack against U.S. telecommunications companies. The FBI, NSA, and the Cybersecurity and Infrastructure Security Agency released new guidelines for protecting communications infrastructure in the United States. Despite the government’s efforts, the Chinese hackers continue their hacking of US telecom networks.  If the most valuable items on your […]

Scam of the Month: Phish Text “from David Perlmutter” 

"Max, let me know if you're available at the moment! David H. Perlmutter" "Yes, I am." "I'm at a meeting. I can't make a call, I'm excellent with texts I Need you to run a quick task."

The Office of Information Security has observed a trend in which criminals impersonate Dean David Perlmutter over text message. Impersonation is one of the most effective social engineering tactics used by scammers, and it can be particularly powerful when the person being impersonated is in a position of authority.  If you see a message like […]

What is Full Disk Encryption and why should I care about it?

security icon

Did you know that all hard drives and any permanent storage must contain disk encryption if they stored PHI in the past, present or future? Why is this important? Sensitive and/or regulated data on encrypted drives in a computer that is lost, stolen, or improperly disposed of cannot be viewed without a special “key” only available […]

Scam of the Month: Class Action Lawsuits 

Notice ID: KATL0257102450 Confirmation Code: n449Jb9CfmU9 United States District Court for the Northern District of California Katz-Lacabe et al v. Oracle America, Inc., Case No. 3:22-cv-04792-RS NOTICE OF PROPOSED CLASS ACTION SETTLEMENT Our Records Indicate You May Be Entitled to a Payment from a Class Action Settlement Because Your Personal Data May Have Been Collected by Oracle America, Inc. A federal court authorized this notice. You are not being sued. This is not an advertisement. (Para la notificación en español, visite el sitio web.) A Settlement has been proposed in class action litigation against Oracle America, Inc. (“Oracle”). This class action alleges that Oracle improperly captured, compiled, and sold individuals’ online and offline data to third parties without obtaining their consent. Oracle denies all the allegations made in the lawsuit and any wrongdoing and maintains that its practices were lawful and disclosed to individuals. Who is included in the Settlement? You are included if you are a Settlement Class Member, which is defined as “all natural persons residing in the United States whose personal information, or data derived from their personal information, was acquired, captured, or otherwise collected by Oracle Advertising technologies or made available for

According to the Duane Morris Class Action Review 2025, class action lawsuits “broke the $40 billion mark for the third year in a row.” Large companies like Apple, Meta, and Disney each found themselves paying millions in settlements. Whether the payments are big or small, how should you react to a settlement notice?  The notices […]

Scam of the Month: Holiday Scams 

One woman with Santa Hat lost her money to a credit card scam.

The Federal Bureau of Investigation warns the public about scams during the holidays. The big four scams of the season are:  According to the Internet Crime Complaint Center’s (IC3) 2023 report, non-payment and non-delivery scams cost people over $281 million that year. Credit card fraud accounted for another $264 million in losses.  Click with caution Don’t click any suspicious links […]

Elect to Receive Your Tax Documents Electronically 

Form W-2 Wage and Tax Statement phrase on the page.

Provide consent to receive electronic delivery of your tax documents by December 31, 2024. This will allow you to receive your W-2 form online as soon as it is available in Workday. You will be notified by email in January when your electronic W-2 form is available. Manage printing elections of your tax forms in Workday and refer to […]

Cybersecurity Awareness Month 2024 Recap

October is Cybersecurity Awareness Month

Cybersecurity Awareness Month 2024 is coming to a close. This year, we hosted two webinars, promoted key behaviors to encourage every employee to take control of their online lives, and published weekly newsletters full of content authored by the Office of Information Security.  Below, you will find a recap of some of the key events […]

Scam of the Month: VITAL ALERT! READ N0W! 

The Office of Information Security has observed a trend in which criminals advertise a job using a student’s email address from Clark Atlanta University. Impersonation is one of the most effective social engineering tactics scammers use, and it can be particularly enticing if offered employment.  If you see a message like the one below, please […]

Careers in InfoSec: From Media Development to Building Security Culture

Business mentor helps to improve career and holding stairs steps vector illustration.

With the highly technical appearance of information security, entering the field may seem daunting. What does it actually take to work in information security? In this series, we’ll cover WashU’s information security professionals and how they got to where they are now. Let me introduce you to my boss, Quint Smith.  What is your current […]

Securing Mobile Devices

Device security is essential for protecting your privacy and data. Top-notch device security involves tweaking built-in features. Protect your devices and data using the strategies in the how-to guides below.

The Dangers of AI Art and Deepfakes

Deepfake visualization

Artificial intelligence art generators are trained on billions of existing images. When you enter a prompt, the AI art generator builds an image by combining aspects of its training data into a single image. Meanwhile, deepfakes are trained on photographs and videos of one subject to replicate that subject. Deepfake technology can depict a person […]

QR Code Safety

QR codes (quick-response codes) were originally designed to label automobile parts, but today, we can find them in advertisements, restaurants, museums, mobile ticketing, and many other areas. Since both Androids and iPhones can scan QR codes in the camera app, QR codes provide faster access to a website than manually typing a URL. While convenient, the […]

Spot the Fake Login

Scammers can create fake login screens that are strikingly similar to legitimate ones. One of the login screens pictured above is our true WUSTL login screen, and the other is an imitation. Can you spot all of the differences? To make this more challenging, we’ve cropped out the URL from each login screenshot. Seeing the […]

Stay Safer with Multifactor Authentication

Multifactor authentication provides another layer of security for online accounts. The first “factor” for an account is usually a password, and any additional authentication step makes it harder for a hacker to access your account. Common multifactor authentication offerings are codes sent via text or email, dedicated authenticator apps like Duo, and fingerprint or facial […]

Managing Passwords

1. Make them long. At least 16 characters - longer is stronger!
2. Make them random. Two ways to do this are:
   - Use a random string of letters (capitals and lower case), numbers and symbols (the strongest!): cXmnZK65rf*&DaaD
   - Create a memorable passphrase of 5-7 unrelated words: HorsPerpleHatRunBayconShoos. Get creative with the spelling to make it even stronger.
3. Make them unique. Use a different password for each account: k8dfh8c@Pfv0gB2 LmvF%swVR56s2mW e246gs%mFs#3tv6
Tip! Use a password manager to remember them.

Using strong passwords with the help of a password manager is one of the easiest ways to protect your accounts and keep our information safe. Let a password manager do the work A password manager creates, stores, and fills passwords for us automatically. This way, we only have to remember one strong password—for the password […]

Cyber Risks at a New Job

ONBOARDING text graphics and illustration on a white background.

The onboarding process creates a unique set of security risks. As new employees, we’re often eager to make a good impression, but we have little institutional knowledge. These factors make new employees valuable targets for hackers. Due to unfamiliarity with WashU’s processes and security protocols, a new employee might not know how to recognize an email […]

Google’s Phishing Quiz Game

Google’s Jigsaw unit published a quiz that tests the taker’s ability to identify phishing emails. The quiz tests you on eight emails to see if you can distinguish between legitimate emails and phishing scams. Many of the examples come from real events, such as the massive phishing attempt that hit Google Doc users in 2017 and an email that Russian […]

Outsmart Online Outlaws

Phishing is an illegal tactic where criminals send fraudulent emails to trick victims into sharing their personal information or compromising their system. The good news is at WashU we can use the Phish Alert Button whenever we’re unsure about an email’s authenticity. Step 1: Recognize the common signs Step 2: When in doubt, report it! […]

Where to Report Cybercrime

Woman on the phone in front of a computer

With many kinds of cybercrime come many different ways to report it. Most of us will encounter cybercrime, so here are resources on where to report it. Hacked Account Report your hacked account to the platform’s support team. Below are reporting guides for popular platforms: WUSTL Key, Facebook, Google, Instagram, PayPal, Snap, TikTok, YouTube  Ransomware If […]

Raising Digital Citizens

School kids using computer in classroom at elementary school.

Giving children uninhibited access to the internet can put your child, computer, and personal data at risk. With some precautions, you can set your children up to become upstanding digital citizens who will lead the future. Parental Controls Most devices these days have parental controls that allow parents to restrict access to certain content for […]

October is Cybersecurity Awareness Month

Cybersecurity Awareness Month. Webinar: Detecting AI Voice Clones TBD TBD. Webinar: Review of a Security Incident 10/23 11:00am-11:45am. E-Waste Recycling 10/29 8:00am-10:30am.

October is Cybersecurity Awareness Month, a global effort to help everyone stay safe and protected when using technology whenever and however you connect. The Office of Information Security is proud to champion this online safety and education initiative this October.   All month long, we are promoting these key behaviors to encourage you, our WashU community, […]

Scam of the Month: Voter Registration Scams

Your vote matters

With the approach of Missouri’s last day to register to vote before the November election, October 9, expect scammers to take advantage of the situation. We Americans are accustomed to election advertisements and voter registration campaigns, so when a scammer reaches out under the pretense of campaigning, it can be hard to spot the ruse. […]

Protect yourself from Identity Theft

Identity Theft

National Public Data, a background check company, confirmed in August that it suffered a data breach leaking names, email addresses, phone numbers, social security numbers, and mailing addresses.   Fortunately, there are many free and accessible steps you can take to defend against identity theft:  Indicators of Identity Theft  What to do if your information is […]

Scam of the Month: Remote/Part-Time Intern for a Virtual Assistant

Remote/Part-Time Intern for a Virtual Assistant. Melissa Lorenzo Torres . RMF Resume file.pdf

The Office of Information Security has observed a trend in which criminals advertise a job while impersonating someone from a university in Mexico. Impersonation is one of the most effective social engineering tactics scammers use, and it can be particularly enticing if offered employment.    If you see a message like the one below, please do […]

InfoSec Alert: PHI not allowed in Adobe AI Assistant

Screenshot of Adobe's AI assistant

Use of Adobe’s AI Assistant with HIPAA Protected Health Information (PHI) is not permitted at WashU. While Adobe’s information security and intellectual property protections are compatible with other uses, federal law requires a Business Associates Agreement (BAA) before HIPAA PHI may be shared with a third party. Non-AI Assistant use of Adobe desktop products keeps […]

Scam of the Month: Washington University – internship and management Programs – PAID

Washington University - internship and management Programs - PAID Laura Arroyo Martinez Human Resources Department.pdf

The Office of Information Security has observed a trend in which criminals advertise a job while impersonating someone from a university in Mexico. Impersonation is one of the most effective social engineering tactics scammers use, and it can be particularly enticing if offered employment.   If you see a message like the one below, please do […]

Scam of the Month: Direct deposit bank account changed 

The Office of Information Security observed a trend where criminals email members of our community false direct deposit change notifications with a malicious link. They hope the victim will click the link and give their WashU credentials or direct deposit information. Payroll Services does not change direct deposit information. Only employees can change it themselves […]

InfoSec Alert: Microsoft ‘Recall’ Feature

Microsoft has released some Windows 11 PCs with a new feature called ‘Recall,’ which has privacy and security issues. ‘Recall,’ if enabled, takes screenshots of all activity in Windows 11 and then places that information in local storage for future access. No action is needed at this time – ‘Recall’ is off by default and […]

Scam of the Month: Duo Verification Code Text Phishing 

WUSTL EDU ALERT! You submitted your Edu details for verification in other to put a stop to your email termination process Reply with a YES if you are available to carry out your verification process now which requires a verification code Failure to reply now will result in the termination of your account shortly IT management

Criminals who’ve stolen WUSTL Keys and passwords are masquerading as IT support over text messages to get us to enter Duo verification codes. Legitimate WashU employees will not ask you to enter codes into your Duo app. Only enter a verification code if you are logging in for yourself. Do not enter a code given […]

Phishing Alert: Verified Duo Push Scam

Members of the WashU community are receiving fraudulent phone calls from criminals asking them to enter a three-digit code into the Duo app. What you should do The only time you should type in the three-digit code into Duo is if you are logging in for yourself. Do not enter a code given to you […]

Passkeys Over Passwords 

Are you tired of trying to create and remember every password? Are you worried that you might lose your password? Do you feel overwhelmed by the number of password managers to choose from? If so, there is good news on the horizon. The FIDO Alliance created a passwordless sign-in system that addresses these problems, and […]

Scam of the Month: Outstanding Toll Amount 

Text message saying: (State Toll Service Name): We've noticed an outstanding toll amount of $12.51 on your record. To avoid a late fee of $50.00, visit https://myturnpiketollservices.com to settle your balance.

Road trip season is approaching, and the FBI has observed criminals impersonating road toll collection services via text message. While there is only one toll bridge in Missouri – the Lake of the Ozarks Community Bridge (for now) – many neighboring states operate toll roads.   If you see a message like the one below, please […]

Summer Break Travel and Job-Hunting Tips 

Cyclist rides their bike past Brookings Hall

Summer break is right around the corner, and many in the WashU community will be traveling or looking for a summer job. Unfortunately, the devices we rely on for managing travel have also become targets for theft and cybercrime.   Whether you are searching for a job or taking a trip, please protect yourself and the […]

Scam of the Month: DEA Impersonation Phone Call 

According to Washington University School of Medicine Protective Services, the WUSM Physical Therapy department received a call from someone impersonating the DEA to steal personally identifiable information.  In the call, they claimed to be an investigator from the DEA headquarters, saying that a nurse practitioner had reported fraud under their name, medical license number, and […]

The Deaf Lottery Scam 

Back in his federal law enforcement days, WUSM’s Assistant Director of Investigations and Crime Prevention, Steve Manley, came upon an advance fee scam. An informant who operated a corner store in East St. Louis called him one afternoon. He told Manley a customer was sending large sums of money to Nigeria via Western Union. The caller […]