Phishing Alert: Verified Duo Push Scam

Members of the WashU community are receiving fraudulent phone calls from criminals asking them to enter a three-digit code into the Duo app. What you should do The only time you should type in the three-digit code into Duo is if you are logging in for yourself. Do not enter a code given to you […]

Passkeys Over Passwords 

Are you tired of trying to create and remember every password? Are you worried that you might lose your password? Do you feel overwhelmed by the number of password managers to choose from? If so, there is good news on the horizon. The FIDO Alliance created a passwordless sign-in system that addresses these problems, and […]

Scam of the Month: Outstanding Toll Amount 

Text message saying: (State Toll Service Name): We've noticed an outstanding toll amount of $12.51 on your record. To avoid a late fee of $50.00, visit https://myturnpiketollservices.com to settle your balance.

Road trip season is approaching, and the FBI has observed criminals impersonating road toll collection services via text message. While there is only one toll bridge in Missouri – the Lake of the Ozarks Community Bridge (for now) – many neighboring states operate toll roads.   If you see a message like the one below, please […]

Summer Break Travel and Job-Hunting Tips 

Cyclist rides their bike past Brookings Hall

Summer break is right around the corner, and many in the WashU community will be traveling or looking for a summer job. Unfortunately, the devices we rely on for managing travel have also become targets for theft and cybercrime.   Whether you are searching for a job or taking a trip, please protect yourself and the […]

Scam of the Month: DEA Impersonation Phone Call 

According to Washington University School of Medicine Protective Services, the WUSM Physical Therapy department received a call from someone impersonating the DEA to steal personally identifiable information.  In the call, they claimed to be an investigator from the DEA headquarters, saying that a nurse practitioner had reported fraud under their name, medical license number, and […]

The Deaf Lottery Scam 

Back in his federal law enforcement days, WUSM’s Assistant Director of Investigations and Crime Prevention, Steve Manley, came upon an advance fee scam. An informant who operated a corner store in East St. Louis called him one afternoon. He told Manley a customer was sending large sums of money to Nigeria via Western Union. The caller […]

New Device Registration Process for the Wired Network on the WUSM Campus

WashU IT, Information Security, and WUSM ITSS are introducing a new registration process for devices connecting to the wired network. This change will further protect patient, student, research, and academic data from bad actors. We will begin implementing this change in early 2024. It will be rolled out in a measured pace to minimize impact […]

Scam of the Month: RESEARCH ASSISTANT VACANCY FOR UNDERGRADUATE

From: Lexus Scott Subject: RESEARCH ASSISTANT VACANCY FOR UNDERGRADUATE REDEFINED RESEARCH ASSISTANT OPPORTUNITY Washington University in St. Louis Department of Computer Science & Engineering at is looking for research assistants who are willing to work remotely for $350 a week. Students from any department at the university may participate in the study. Text Professor Patrick Crowley at (505) 309-0428 with your full name, email address, department, and year of study to receive the job description and additional application requirements. Many Regards. Professor of Computer Science, Patrick Crowley.

The Office of Information Security has observed a trend in which criminals advertise a job while impersonating a Professor of Computer Science and Engineering. Impersonation is one of the most effective social engineering tactics used by scammers, and it can be particularly enticing if offered employment.  If you see a message like the one below, […]

Security Tips for Spring Break

Dog on beach

Spring Break is right around the corner, and many in the WashU community will be traveling for conferences, studying away, researching elsewhere, visiting family, or just going somewhere relaxing. No matter where you go, your smartphone will undoubtedly be at your side. These handy devices have become our constant companions for just about anything you […]

Keep Your Information Secure This Tax Season

tax scam words on calculator display with tax forms

Tax season officially begins on January 29, and internet scammers will capitalize on the moment. The Internal Revenue Service initiates most contact through regular mail delivered by the United States Postal Service. Sometimes, they will call or visit, but other than that, “The IRS doesn’t initiate contact with taxpayers by email, text messages or social […]

Scam of the Month: COVID-19 Variant Poses Risks in our University 

From: Wustl Health Care Center Subject: Emergency Notice: COVID-19 Variant Poses Risks in our University I trust this message finds you in good health. I am writing to share critical information that impacts the health and safety of our academic community. Regrettably, we have recently received confirmation of a positive COVID-19 variant test result for a member of our university staff. Despite a significant portion of our staff and faculty being vaccinated, it is crucial to acknowledge that certain variants may pose challenges even to those who have received the vaccine. As a precautionary measure, we are actively initiating contact tracing to identify and mitigate potential risks. To assist us in determining whether you have been in close proximity to the affected staff member, we have established a dedicated webpage for your convenience. Please click the following link: [Access Detailed Staff Information] to review specific details about the individual in question. Prompt reporting of any interactions or contact is crucial, as it greatly contributes to the overall safety and security of our community. We understand that this news may be concerning, but please rest assured that our medical team is available to address any questions and provide guidance. You can contact them at [Healthcare@wustl.edu], and they will offer the necessary assistance. Our commitment to your well-being and the creation of a secure working environment remains steadfast. We kindly ask for your cooperation in this matter, as it is vital for our collective efforts to contain the virus and uphold the safety of our community. Confidentiality Notice: This email and its attachments are confidential and intended solely for the recipient. In line with privacy guidelines, we kindly request that you refrain from sharing or forwarding this message. PLEASE AVOID SHARING THIS EMAIL WITH ANYONE. We sincerely appreciate your dedication to our university community, and together, we will navigate through this challenge and emerge stronger. Best regards, Washington University in St. Louis Health Care Center Contact: (616) 526-7052

The Office of Information Security has identified a trend in which criminals send members of our community false COVID-19 contact tracing emails with a malicious link. They hope a victim will click the link and give their WashU credentials. In this scam, hackers use a compromised email address from Brown University to send phishing emails. […]

Duo Exceptions

The DUO Two-Factor Authentication upgrade was deployed on November 20, 2023, to enhance and secure WashU systems and applications access. A smartphone or tablet with the Duo Mobile app installed is required to use this new and preferred verified push method of multi-factor authentication. There are circumstances where you might not be able to download […]

New Digital Guardian Prompt 

Digital Guardian, the data loss prevention software, has been updated to detect and alert when sensitive information, such as Protected Health Information (PHI) or Personally Identifiable Information (PII), is shared to public websites, including Artificial Intelligence sites such as ChatGPT.  We are tuning Digital Guardian to reduce the number of false alerts and enhance our […]

Retirement of Secure WUSM Infosec Bulletin

collaboration

To simplify the critical messages you receive about information security at the university, the Office of Information Security is retiring the Secure WUSM Infosec bulletin. Instead, the content will now be published in this newsletter. That means there will be fewer university-wide emails! Additionally, we are folding Secure WUSM itself into the organization-wide CyBear Secure […]

Tips for Traveling and Shopping Safely This Holiday Season 

With Black Friday and Cyber Monday behind us, it can be tempting to impulse buy any remaining discounted items. Before getting caught up in a “while supplies last” frenzy, remember that scammers capitalize on hasty decisions involving payment information. According to the Internet Crime Complaint Center’s (IC3) 2022 report, non-payment and non-delivery scams cost people more […]

Scam of the Month: Charity Scam

Did a charity reach out to you for a donation? Here's how to give safely and avoid a scam: Never donate with a gift card or by wiring money. Credit card and check are safer. Search the charity name online. Do people say it's a scam? Watch for names that only look like well-known charities. Look up a charity's report and ratings: give.org charitywatch.org candid.org charitynavitor.org Ask how much of your donation goes to the program you want to support. Donating through a charitable fundraising platform? Be sure you know where the money is going.

If You Sent Money to a Scammer  Scammers often insist that you pay in ways that make it tough to get your money back. They prefer you wire money through a company like Western Union or MoneyGram, send cryptocurrency, use a payment app, or buy a gift card and give them the redemption code. Regardless of how you lost money to a scam, […]

Protecting against cybersecurity risks with Microsoft 365 A5 security

WashU uses tools from the Microsoft 365 A5 security suite to detect and respond to cybersecurity threats. Most of the tools in the suite are designed to work behind the scenes so that students, faculty, and staff are not interrupted by the security features. Here is a brief overview of Microsoft 365 A5 tools and […]

Elect to Receive Your Tax Documents Electronically

Form W-2 Wage and Tax Statement phrase on the page.

Provide consent to receive electronic delivery of your tax documents by December 31, 2023. This will allow you to receive your W-2 form online as soon as it is available in Workday. You will be notified by email in January when your electronic W-2 form is available. Manage printing elections of your tax forms in Workday and […]

Scam of the Month: Process has begun by our administrator

Our record indicates that you recently made a request to terminate your Office 365 email. And this process has begun by our administrator. If this request was made accidentally and you have no knowledge of it, you are advised to verify your account. Please give us 24 hours to terminate your account OR verify your account Click Here To Verify Your Account Failure to Verify will result in the close of your account.

The Office of Information Security has identified a trend in which criminals send members of our community account termination emails containing a malicious link. They hope a victim will give their WashU credentials in a Google Form. In this scam, hackers use a legitimate WashU email address to send phishing emails. Victims who click the […]

Phishing Resistant Multi-Factor Authentication

Many Duo push notifications

As attackers figure out new ways to get around traditional multi-factor authentication, we must evolve to prevent fraudulent access to our accounts. The next wave of multi-factor authentication will fortify user accounts against phishing attacks. Unlike traditional multi-factor authentication, new approaches incorporate advanced techniques such as biometric authentication, hardware tokens, and push notifications to trusted […]

Cybersecurity Awareness Month 2023 Recap

Cybersecurity Awareness Month 2023 is coming to a close. This year, we hosted three webinars, promoted key behaviors to encourage every employee to take control of their online lives, and published weekly newsletters full of original content authored by WashU’s Office of Information Security.  Below, you will find a recap of some of the key […]

Firewall in macOS is available on WashU Macs

On WashU-supported Macs, you can now use firewall settings to turn on the firewall in macOS to prevent unwanted connections from the internet or other networks.  To change these settings in the latest version of macOS, choose Apple menu > System Settings, click Network in the sidebar, then click firewall on the right. (You may need to scroll […]

Stay Safe on Social Media

People using social media reactions.

When using social media platforms, it is wise to be careful about what you post. Cybercriminals can use what you post to entice you into clicking malicious links. Be Careful What You Post Any information you publicly post on social media could be used in a spear phishing attack. Spear phishing is when cybercriminals target […]

Stay Safer with Multi-Factor Authentication

Stay safer with MULTIFACTOR AUTHENTICATION (MFA) How to turn on MFA MFA provides extra security for our online accounts and apps. This security could be a code sent via text or email or generated by an app, or biometrics like fingerprints and facial recognition. Using MFA confirms our identities when logging into our accounts. How to turn on MFA MFA provides extra security for our online accounts and apps. This security could be a code sent via text or email or generated by an app, or biometrics like fingerprints and facial recognition. Using MFA confirms our identities when logging into our accounts. Look for and turn on MFA It may be called two-factor authentication, two-step verification or similar. Confirm Select how to provide extra login security, such as by entering a code sent via text or email or using facial recognition.

We encourage you to turn on multi-factor authentication for every online account or app that offers it. As time goes on, more websites and applications will offer multi-factor authentication, but it might not be turned on by default. Here are some guides on how to enable it for popular services:

Password Managers 

passwords written on sticky notes

Password managers are apps, browser plugins, or programs within your browser. They store your passwords in a vault and lock the vault behind a “master password.”  It is safe to replace your password notebook  Even though password managers are the best way to safeguard your passwords, you might worry that storing every password in an […]

Weak Passwords

Weak PASSWORDS are the most common way online criminals access accounts. Strengthen Passwords with Three Simple Tips. Using strong passwords with the help of a password manager is one of the easiest ways to protect our accounts and keep our information safe. Make them long. At least 16 characters—longer is stronger! Make them random. Two ways to do this are: Use a random string of letters (capitals and lower case), numbers and symbols (the strongest!): cXmnZK65rf*&DaaD. Create a memorable passphrase of 5-7 unrelated words: HorsPerpleHatRunBayconShoos Get creative with spelling to make it even stronger. Make them unique. Use a different password for each account: k8dfh8c@Pfv0gB2 LmvF%swVR56s2mW e246gs%mFs#3tv6. Use a password manager to remember them.

Let a password manager do the work! A password manager creates, stores and fills passwords for us automatically. Then we each only have to remember one strong password—for the password manager itself. Search trusted sources for “password managers” like Consumer Reports, which offers a selection of highly rated password managers. Read reviews to compare options […]

Creating Strong Passwords

Using ChatGPT Hardware to Brute Force Your Password in 2023

When guessing passwords, hackers start with the most common passwords. According to research by NordPass, the top 10 passwords from 2022 are: Are any of your passwords on this list? Creating, storing, and remembering passwords can be an inconvenience for all of us online. Still, the truth is that passwords are your first line of […]

Install Software Updates to Fix Security Risks

Update Software Promptly for Safety When we see an update alert, many of us tend to hit “Remind me later.” Think twice before delaying a software update! Keeping software up to date is an easy way to stay safer online. To make it even more convenient, turn on automatic updates! Turn on automatic updates Look in the device’s settings, possibly under Software or Security. Or search the settings for “automatic updates.” Watch for notifications Not every update can be automatic. Devices— mobile phones, tablets and laptops—will usually notify us that we need to run updates. It’s important to install ALL updates, especially for web browsers and antivirus software. Install updates as soon as possible When notified about software updates, especially critical updates, install them as soon as possible. Online criminals won’t wait so we shouldn’t either!

Why it’s so important to update promptly If a criminal gets into a device through a security flaw, they will look for personal information and sensitive data to exploit. Technology providers issue software updates to “patch” security weak spots as quickly as possible. If we don’t install them, they can’t protect us!Software updates can also […]

Unexpected Emails 

Alert message laptop notification

Many of us receive a steady flow of emails every day, including bank statements, order confirmations, or sales promotions. To keep up, you may look through your inbox as quickly as possible—but do not forget to stay vigilant. Cybercriminals take advantage of haste and send dangerous, unexpected emails.  Unusual Account Activity Detected  One of the […]

Spot the Fake Login

Can you spot the fake login?

Scammers can create fake login screens that are strikingly similar to legitimate ones. One of the login screens pictured above is our true WUSTL login screen, and the other is an imitation from a real scam. Can you spot the difference? To make this more challenging, we’ve cropped out the URL from each login screenshot. […]

Unsafe Email Attachments

In addition to using WashU email for work, most people use email in their personal lives, too. You can get an email from your aunt with her stew recipe or an email from your boss about an office party. But what if the email isn’t actually from your aunt or boss? Cybercriminals often pretend to […]

What are AI Chatbots?

What are AI Chatbots? They are computer programs that are trained to understand and communicate with human language to answer user questions and generate automatic responses in the form of a conversation. What are five essential security tips I should keep in mind when using an AI chatbot for work purposes? 1. Only Use Organization-Approved Chatbots: Before using an AI chatbot, verify it has been approved by your organization. 2. Be Mindful of Privacy and Intellectual Property Risks: Never share organizational, personal, or sensitive information when using AI chatbots. 3. Verify Accuracy of Information: Research the information using other trusted sources, instead of solely depending on chatbot information. 4. Stay Vigilant to Phishing Attempts: These are messages or requests from chatbots that try to trick you into providing sensitive data or opening a suspicious link. 5. Keep Updated on Emerging Security Threats: Stay informed about online safety when using AI chatbots. Do you have any other advice to keep me safe in the digital world? Trust your instincts, and don’t hesitate to seek advice or report suspicious activities to the appropriate authorities. Remember these tips to have a safer and more informed experience when interacting with AI chatbots.

For more information about using generative AI at WashU, please visit Generative Artificial Intelligence (AI) – Information Technology (wustl.edu).

Google Yourself

Search box, SEO search engine optimization or finding website from internet, online job or career opportunity concept, woman working with computer laptop on search box with magnifying glass button.

With the internet and social media, it can be difficult to avoid sharing personal information online. Having an online presence can be valuable, but sometimes sharing personal information is risky. If you want to know what information about you is online, Google yourself. Your Search Results If you Google your name, you may find public […]

Revised and Updated Policies 2023 

The Washington University in St. Louis Office of Information Security supports education, research, and clinical care by protecting systems and data for everyone at our institution. Information security is essential to every member of our community, and we all share personal responsibility for ensuring the security of our systems. We continuously improve our systems and […]

October is Cybersecurity Awareness Month

October is Cybersecurity Awareness Month, a global effort to help everyone stay safe and protected when using technology whenever and however you connect. The Office of Information Security is proud to champion this online safety and education initiative this October.  All month long, we are promoting these key behaviors to encourage every employee to take […]

Phishing Alert: Credential Phishing via Google Form

How this Scam Works Members of the WashU community are receiving fraudulent shared document emails that ask them to divulge their WUSTL Key and credentials in a Google Form. Victims receive a fraudulent email about a shared document from an email address outside of WashU: When a victim clicks the link in the email, they […]

Chance to Win $100 in Our Monthly Challenge

Trophy with five stars

The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we want to point you toward a few resources to help you protect yourself from cybercrime and understand how our office can support you. Guidance for Reporting Phishing Have you seen the Phish Alert Button? […]

Back to School Resources

An undergrad student with sign "First day of college!".

Welcome back! We know you will be busy as the semester begins, so we have pulled together resources to help you with a variety of common security needs. See below for our roundup of guidance to help you get in the swing of the semester!  Devices Device security is essential for protecting your privacy and […]

Scam of the Month: Geek Squad Customer Service

The Office of Information Security observes a trend in which criminals send a fraudulent order confirmation claiming the recipient will be charged almost $500. The criminals hope victims will call a phone number to refute the “purchase” and disclose their banking information.  If you see a message like the one below, please do not interact […]

Chance to Win $100 in Our Monthly Challenge

Trophy with five stars

The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we want to point you toward a few resources to help you protect yourself from cybercrime and understand how our office can support you. Guidance for Reporting Phishing Have you seen the Phish Alert Button? […]

Scam of the Month: Compromised Email

The Office of Information Security observes a trend in which criminals use a compromised email account to trick victims into divulging their WUSTL Key password. In this scam, criminals took over a legitimate email address from UT Health San Antonio and used it to send phishing emails. Victims who click on the phishing link are […]

We Are Improving Our Website

Our office is continually searching for the best ways we can serve you and help you secure your work and WashU’s resources. We regularly update our information security website (https://informationsecurity.wustl.edu) with the latest information and resources to help you navigate the increasingly complicated digital landscape.   In addition to the great original content we post on […]

Chance to Win $100 in Our Monthly Challenge

Trophy with five stars

The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we want to point you toward a few resources to help you protect yourself from cybercrime and understand how our office can support you. Guidance for Reporting Phishing Have you seen the Phish Alert Button? […]

Scam of the Month: Sheriff Impersonation

The Office of Information Security observes a trend in which criminals impersonate the sheriff’s office over the telephone. These scammers claim you signed for a subpoena, are an expert witness, or are a juror and never showed up for court and then demand payment. Along with a false accusation, scammers may list your personal information […]

Policies, Standards, and Guidelines

With the new design of our Policies page, visitors can conveniently locate, search, and preview our office’s policies, standards, and guidelines. Along with a contemporary design, the three terms each include a brief definition. Understanding their differences can prevent confusion and help you find the information you need to carry out your work securely. So, […]

Chance to Win $100 in Our Monthly Challenge

Trophy with five stars

The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we want to point you toward a few resources to help you protect yourself from cybercrime and understand how our office can support you. Guidance for Reporting Phishing Have you seen the Phish Alert Button? […]

Business Associate Agreement (BAA) Explained

HIPAA Compliant

If you work with Protected Health Information (PHI), you have probably heard mention of a business associate agreement. At WashU, it is essentially a contract between WashU and a business associate concerning the handling of PHI. Who is a Business Associate? It is a person or entity outside of WashU who creates, receives, maintains, or […]

Scam of the Month: DEA Impersonation

The Drug Enforcement Administration (DEA) is warning the public of a widespread fraud scheme where scammers impersonate DEA agents to extort money or steal personally identifiable information. DEA personnel will never contact members of the public to demand payment or sensitive information. No legitimate federal law enforcement officer will request cash or gift cards from […]