Scam of the Month: Student-Focused Scams

Student Aid Scam Sample

As school begins on campuses nationwide, criminals turn their attention to scams targeting students who are busy preparing for the upcoming semester. Criminals frequently rely on timely topics and strategies to exploit their victims. Below, you will find examples of real scam emails reported to our team within the last month. As we all gear […]

InfoSec Alert: Critical Security Updates for Apple Devices (iOS, macOS)

Apple recently released a critical software update for all iOS (iPhones and iPads) and macOS devices designated iOS 15.6.1 and macOS 12.5.1. With the launch of these updates, Apple took the increasingly common step of alerting users that these updates patch vulnerabilities that criminals may actively exploit. Please update your iOS and macOS devices as […]

Scam of the Month: Fake (Real) Invoice Scam

The Office of Information Security has observed a trend where criminals are sending fraudulent invoices to unsuspecting victims in hopes that they will be paid without the recipient noting that they are part of a scam. The tricky part of this particular scam is that the invoices are actually generated by payment handlers like PayPal. […]

Joint IT and InfoSec Project Seeks Better Protections for WashU

Storage servers in data room

A joint Information Technology and Office of Information Security vulnerability management project aims to strengthen and better protect the WashU network from attacks.  The project has two main objectives: Install CrowdStrike on all Wash U servers immediately. Remediate tool-evaluated critical vulnerabilities, guiding department owners through updates, patches, and other steps. About Objective 1 WashU IT […]

Scam of the Month: Urgent Administrative Job Opportunity

This month’s scam is a recent and widespread phishing attack that attempted to use social engineering and impersonation to gain account access. If you see a message like the one below, please report it immediately using the Phish Alert Button (PAB) in your Outlook interface. You can find more information about the PAB and alternative […]

SMiShing Scam Seeks to Obtain Gift Cards by Impersonating Chancellor

SMiSh Example

A recent SMiShing scam targeted our institution by impersonating Chancellor Martin and asking recipients for gift cards. You can rest assured that the chancellor (or your supervisor) will not reach out to ask for gift cards. SMiShing is a type of attack that uses the social engineering tactics commonly associated with email phishing via text […]

Website Scavenger Hunt with $250 prize and New Protections in Office 365

Trophy with five stars

The Office of Information Security’s website is full of helpful resources and information for keeping you more secure online. To encourage you to become more familiar with what our website has to offer, the OIS office is holding a virtual scavenger hunt featuring a chance to win $250 in Bear Bucks! How to Participate Follow […]

Scam of the Month: Authenticate Your Account

This month’s scam is a recent and widespread phishing attack that attempted to use social engineering and impersonation to gain account access. This one is particularly tricky, but it uses a very common set of steps that criminals deploy to steal account credentials. The user receives the suspicious email, in this case from an ‘@wustl’ […]

Catch a Phish to Protect Yourself and WashU

Phishing is the most common tactic cybercriminals use to steal login credentials, data, and intellectual property. Billions of these messages are sent every day, but it’s now easier than ever to protect yourself and WashU by helping the Office of Information Security (OIS) catch the phish and remove it from our system. The Phish Alert […]

Scam of the Month: Important Payroll Message

Example of Important Payroll Message Phish

This month, we’re focusing on a particularly tricky scam. This one isn’t tricky because it’s complex on its surface; it actually relies on simplicity and brevity to lure in its victims. This scam mimics an important notification to trick recipients into handing over sensitive login information. It contains many hallmarks of a typical phish, but […]

Scam of the Month: Ukraine Donation Scam

This month, we’re focusing on another scam that preys on your emotions and altruistic intentions. This time, it involves cybercriminals taking advantage of fundraising for Ukraine. In just one week, legitimate fundraising for Ukraine mobilized more than $50 million in cryptocurrency. That kind of success always attracts opportunists who want their cut. This time, they’re […]

Increased Risk of State-Sponsored Cyberattacks as Russia Invades Ukraine

Illustration of anonymous cyberattacker

The threat of state-sponsored cyberattacks increasingly accompanies international relations. Russia has developed and demonstrated its capacity to attack and inflict damage using cyber-warfare tactics. With news of Russia’s invasion of Ukraine, many cybersecurity professionals are recommending increased vigilance during this period of unrest. While much of the responsibility for anticipating and preventing cyberattacks of this […]

InfoSec Alert: Update Google Chrome Immediately to Address Zero-Day Vulnerability

Earlier this week, a member of Google’s threat analysis group discovered a vulnerability in Google Chrome that would allow attackers to execute arbitrary code or corrupt data on impacted machines. Google released a fix for this exploit soon after, and all Chrome users should be sure to update their browsers immediately. Chrome should update each […]

Scam of the Month: COVID Omicron Phishing

Security researchers are warning of an uptick in phishing attacks targeting universities themed around COVID, Omicron, and testing information. These attackers seek to steal valuable information and often have the goal of tricking users into handing over their university (or other) log-in credentials. Below, you will find an example of a phishing message using Omicron […]

Scam of the Month: Direct Deposit Phishing Scam Impersonating University Leadership

Chanc Impersonation Direct Deposit Phish

Members of the WashU community are receiving phishing emails impersonating university leadership, including Chancellor Martin and Dean Perlmutter. These messages request changes to direct deposit information due to suspicious activity.  Phishing scams often impersonate people in leadership positions to encourage a heightened sense of urgency in the recipient. Additionally, information about leaders is publicly available […]

InfoSec Alert: Critical Security Updates for Apple Devices

Apple recently released a critical software update for all Apple devices designated iOS 14.8, macOS Big Sur 11.6, and watchOS 7.6.2. Apple issued these emergency updates in response to reports that “zero-click” spyware has been discovered on their devices.  Users can update their own devices using the following steps (please note that download times may […]

InfoSec Alert: SMiShing Detected on Campus

The Office of Information Security has received reports of a SMiShing campaign targeting students at our institution. SMiShing occurs when cybercriminals use tactics common to phishing campaigns in text messages, attempting to communicate legitimacy to the unsuspecting victim. The reported SMiShing attempt is posted below. The message sender is posing as someone in a position […]

Scam of the Month—June 2021

In each issue of the newsletter, we will feature, discuss, and dissect a scam that has appeared on our campus. These scams are “real” attempts to infiltrate our systems and/or gain access to sensitive and personal information of individuals in our community. By sharing these examples with our readers, we hope to enhance your awareness […]

Phishing Alert: Tax Scam Targeting Educational Institutions

The Internal Revenue Service (IRS) issued a warning today (Tuesday, March 30, 2021) about an ongoing impersonation scam targeting educational institutions. Faculty, students and staff with email addresses ending in .edu are primary targets for this scam. How this Scam Works This criminal scam attempts to capture personal information from recipients by prompting them to […]

Phishing Alert: Credential Phishing Detected on Campus

The Office of Information Security received a reported phishing message that contains a dangerous credential phishing scam. This malicious email states that there is a document available in OneDrive, but that the recipient will need to follow a link in the email to sign in and see it. Unsuspecting victims who type their credentials into […]

INFOSEC ALERT: Social Security Vishing on Campus

Our office received a report of a vishing (fraudulent phone call) attack targeting a WashU student. In the attack, the caller claimed that the student’s social security number had been associated with overseas drug-trafficking activity.  Another popular Vishing campaign involves impersonating support personnel from companies like Apple or Amazon. In this scam, the attackers call […]

InfoSec Alert: Cybersecurity Attacks Targeting US Healthcare Systems

During the week of October 26, multiple federal agencies notified Washington University of a credible cybersecurity threat to US health care providers. This threat has impacted several hospitals across the country within the last few days, and intelligence officials suggest several hundred more may be targeted in the near future. Washington University has a dedicated […]

PHISHING ALERT: Malicious Email Indicating New Payroll Approvals Required

The Office of Information Security has identified a phishing threat in which the sender indicates new payroll approvals are required. This is a malicious email attempting to get users to follow a link to a fake login portal. Any user information that is entered in this fake portal will be captured by the criminals as […]

Revised and Updated Policies 2020

The Washington University Office of Information Security maintains a sustainable information security program supporting the vital work of education, research, and clinical care while also protecting our systems and users’ security. We can only achieve strong information security for all if we each take personal responsibility for ensuring our systems’ security. We continuously improve our […]

PHISHING ALERT: Malicious Email Indicating Password Expiration

The Office of Information Security has received reports of malicious emails indicating that users need to follow a link to change their passwords. This email is a fraudulent message attempting to obtain personal information from unsuspecting victims. The criminals behind this effort are hoping to trick users into following a link in that email, then […]

PHISHING ALERT: Tech Support Scams (Vishing)

The Office of Information Security has observed a recent uptick in ‘tech support scams’ that attempt to trick unsuspecting victims into calling a fake customer-support number to discuss alleged problems with their devices or services. How do customer service scams work? These scams often closely mimic actual support pages and contact information to fool unsuspecting […]

UPDATED: Security Threats Targeting COVID-19 Researchers

Law enforcement and government agencies, including the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), have issued warnings about criminal activity targeting COVID research. Below, you will find links to relevant guidance and announcements about this threat. FBI director says China seeks to compromise U.S. firms researching coronavirus – WaPo […]

Tax Deadline Extension and Phishing Scams

As a result of the COVID-19 pandemic, the deadline for filing state and federal tax returns is postponed until July 15, 2020. As the deadline approaches, we want to make you aware of the more common tax fraud scams that our office sees each year. We have also compiled some helpful resources to assist you […]

PHISHING ALERT: Malicious Email with Voicemail Attachment

The Office of Information Security has received reports of a malicious email stating that users have a new voicemail. This message includes an attachment that appears to be the content of the voicemail message. Upon clicking on the attachment, the recipient is redirected to a fake login page requesting their password. Recipients who enter their […]

PHISHING ALERT: Email Threatening to Reveal Personal Information

The Office of Information Security has identified a phishing threat in which the sender indicates they have compromising information about the recipient, offering as proof a plaintext password that may look familiar to the recipient. These passwords are NOT an indication that the sender has access to any special information about you. They are simply […]

Avoiding Exposure to Ransomware

adapted from original post by Trisha Clay, EDUCAUSE Ransomware is scary. Such an attack could make it impossible for you to retrieve documents on your computer. So, how do you protect yourself from ransomware? One of the best ways to protect yourself is to create a good backup of your critical data. These backups should […]

PHISHING ALERT: Malicious Email Attachments

The Office of Information Security has identified a trend in which malicious emails include attachments (e.g. .doc or .xls) that, when opened, instruct users to “Enable Content” to view “active content” that has been disabled. These attachments often contain something with a name referring to something financial in nature like “Transaction,” “Invoice,” “Payment,” or “Payroll”. […]

PHISHING ALERT: COVID-19 Benefit Payment

The Office of Information Security has received reports of phishing on our campuses involving supposed payments related to the COVID-19 pandemic. This specific criminal activity involves telling users that they can obtain a payment (in this case from ‘Google Technology Company’) as part of a “package” that is “earmarked for” people who have been directly […]

PHISHING ALERT: “Outstanding Payment” Excel Attachment

The Office of Information Security has received reports of a phishing attempt targeting members of our institution. This particular phish involves telling the recipient they are owed an “outstanding payment,” then attaching an Excel spreadsheet with malicious software (malware) hidden in macros. The body of the email often provides the recipient with a ‘password’ for […]

Social Engineering and the “Gift-Card Scam”

adapted from original post by Trisha Clay, EDUCAUSE Social engineering begins with research, whereby an attacker reaches out to a target to gain information and resources. When someone you don’t know contacts you and asks you open-ended questions, this may be the first step of a social-engineering attack. After the attacker reaches out to you, […]

UPDATED: Cyber Attackers Exploit Vulnerabilities amid Surge in Remote Work

As we transition to remote work in response to the coronavirus pandemic, cyber attackers seek new opportunities to exploit unsuspecting users. Reports of ransomware attacks, phishing attempts, and scam websites are on the rise around the world, especially targeting those who work at universities and medical institutions. While we take our work to our home […]

COVID-19: Fake Online Coronavirus Map Delivers Malware

A malicious website pretending to be the live map for Coronavirus COVID-19 Global Cases by Johns Hopkins University is circulating on the internet waiting for unwitting internet users to visit the website. Visiting the website infects the user with a Trojan, an information-stealing program. It is likely being spread via infected email attachments, malicious online […]

InfoSec Alert: Email Attacks

Increase in Email Attacks The Office of Information Security has received increased reports of phishing attacks with the sole purpose of stealing and using login credentials to access University email accounts. When the attackers gain access to an email account, they can download the contents of the mailbox and/or send out spam in an attempt […]

Phishing Alert: Fraudulent Student Job Offer

The Office of Information Security has received several reports of a phishing attempt using a compromised email account to solicit personal information in response to a fake job offering. This fraudulent email requests that recipients reply with an “alternative email address” and “direct cell phone number” to receive additional information about the position. Recipients who […]

Revised and Updated Policies 2019

The Washington University Office of Information Security strives to build a sustainable information security program that supports the vital work of education, research, and clinical care while also protecting the security of our systems and users. Information security is important to every member of our community, and we all share personal responsibility for ensuring the […]

External Email Notification Helps Identify Phishes

In the coming weeks, we will introduce a new feature in our email system that will notify users of emails originating from outside of the university. This change is being made to make it easier for everyone at our institution to identify phishing emails. Phishing attacks are on the rise, and often employ multiple methods […]

Security Alert: Phone Call Phishing – April 9, 2018

ALERT: Phishing phone calls DETAILS: It has been reported that people claiming to be with the WashU IT Help Desk are calling in an attempt to extract personal and/or password information. ACTION: Do not provide anyone your password. Please keep your passwords private to protect yourself and the security of our network. If you have […]

Security Alert: Office 365 Email Phishing on Campus – October 3, 2018

Risk: High Details: The Information Security Office has received reports of phishing emails purporting to be from BJC personnel, however, the email addresses are being spoofed and used against Wash U. The phishing samples have had infected DOC files attached referring to Outstanding Invoice or Balance Discrepancies. Action: Do not try to open any suspicious files you were […]