Keeping Information Security Simple – “Denial is not a river in Egypt!” 

Letter from the CISO, Vol 3 Issue 10. Washington University Community: Criminals keep inventing new con attacks. I recently saw a news report about a Mexican drug cartel that has gotten into the business of helping elderly Americans get out of timeshare vacation contracts. This sounds like a good thing. Unfortunately, it is just […]

Chance to Win $100 in Our Monthly Challenge

The OIS is always looking for ways to improve your security and reward your participation in our efforts. Back by popular request, the InfoSec team is assigning the Inside Man as our training competition this March. The Inside Man is a soap opera-style training that covers critical cyber security themes in all its episodes. Watch […]

Reporting Phishing in the ‘New’ Outlook 

The Phish Alert Button (PAB) is one of our team’s most valuable tools for keeping the WashU community safe. When you report a phishing email using the PAB, our office will investigate the threat and take any necessary action, such as removing all similar messages from systems and notifying our community of the danger.  If […]

Scam of the Month: DEA Impersonation Phone Call 

According to Washington University School of Medicine Protective Services, the WUSM Physical Therapy department received a call from someone impersonating the DEA to steal personally identifiable information.  In the call, they claimed to be an investigator from the DEA headquarters, saying that a nurse practitioner had reported fraud under their name, medical license number, and […]

The Power of Virtual Private Networks (VPN) in Privacy Protection 

In the digital age where a lot of our private information is on the internet – in public and supposedly in private storage – ensuring online privacy has become even more integral to protecting your online activity and identity. According to Cobalt’s Top Cybersecurity Statistics for 2024, there are over 2,200 cyberattacks a day (a […]

The Deaf Lottery Scam 

Back in his federal law enforcement days, WUSM’s Assistant Director of Investigations and Crime Prevention, Steve Manley, came upon an advance fee scam. An informant who operated a corner store in East St. Louis called him one afternoon. He told Manley a customer was sending large sums of money to Nigeria via Western Union. The caller […]

Thanks for Making the E-Waste Recycling Event a Success 

On Tuesday, March 26th, the Office of Sustainability and Office of Information Security hosted their biannual electronic waste recycling and secure paper shredding event on the Danforth campus. Thank you to all who supported sustainability by securely recycling their electronic waste and confidential documents. The event was a huge success. In just two and a […]

Keeping Information Security Simple – “Using Code Words to Defeat the AI Menace”

Letter from the CISO, Vol 3 Issue 9  Washington University Community:  Artificial Intelligence is a tool  Artificial Intelligence, or AI, has received a lot of attention and interest over the past year, primarily due to the great advances in productivity and quality it seems to promise. WashU IT is excited to be helping the university […]

New Device Registration Process for the Wired Network on the WUSM Campus

WashU IT, Information Security, and WUSM ITSS are introducing a new registration process for devices connecting to the wired network. This change will further protect patient, student, research, and academic data from bad actors. We will begin implementing this change in early 2024. It will be rolled out in a measured pace to minimize impact […]

Chance to Win $100 in Our Monthly Challenge

The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we’d like to test your knowledge in a fun ‘Phish or Treat’ game.   Phishing    When navigating your email, always be on the lookout for red flags that may indicate that it is a phishing email. […]

Scam of the Month: RESEARCH ASSISTANT VACANCY FOR UNDERGRADUATE

From: Lexus Scott Subject: RESEARCH ASSISTANT VACANCY FOR UNDERGRADUATE REDEFINED RESEARCH ASSISTANT OPPORTUNITY Washington University in St. Louis Department of Computer Science & Engineering at is looking for research assistants who are willing to work remotely for $350 a week. Students from any department at the university may participate in the study. Text Professor Patrick Crowley at (505) 309-0428 with your full name, email address, department, and year of study to receive the job description and additional application requirements. Many Regards. Professor of Computer Science, Patrick Crowley.

The Office of Information Security has observed a trend in which criminals advertise a job while impersonating a Professor of Computer Science and Engineering. Impersonation is one of the most effective social engineering tactics used by scammers, and it can be particularly enticing if offered employment.  If you see a message like the one below, […]

Security Tips for Spring Break

Spring Break is right around the corner, and many in the WashU community will be traveling for conferences, studying away, researching elsewhere, visiting family, or just going somewhere relaxing. No matter where you go, your smartphone will undoubtedly be at your side. These handy devices have become our constant companions for just about anything you […]

Keeping Information Security Simple – “New Year’s Resolution – Innovate Your Password Management”

Letter from the CISO, Vol 3 Issue 8. Washington University Community: New Year – New Password Discipline. “Password Discipline” certainly sounds like the kind of New Year’s resolution that will be abandoned within 24 hours. But it truly needs to be on everyone’s list. Good password management is critical for protecting yourself, your family, and […]

Chance to Win $100 in Our Monthly Challenge

The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we’d like to cover a phishing tactic that uses your phone as a medium for scammers. This scam is called ‘Vishing.’   Vishing   Cybercriminals are continuously looking for new and unexpected ways to contact you. While […]

Keep Your Information Secure This Tax Season

Tax season officially begins on January 29, and internet scammers will capitalize on the moment. The Internal Revenue Service initiates most contact through regular mail delivered by the United States Postal Service. Sometimes, they will call or visit, but other than that, “The IRS doesn’t initiate contact with taxpayers by email, text messages or social […]

Scam of the Month: COVID-19 Variant Poses Risks in our University 

From: Wustl Health Care Center Subject: Emergency Notice: COVID-19 Variant Poses Risks in our University I trust this message finds you in good health. I am writing to share critical information that impacts the health and safety of our academic community. Regrettably, we have recently received confirmation of a positive COVID-19 variant test result for a member of our university staff. Despite a significant portion of our staff and faculty being vaccinated, it is crucial to acknowledge that certain variants may pose challenges even to those who have received the vaccine. As a precautionary measure, we are actively initiating contact tracing to identify and mitigate potential risks. To assist us in determining whether you have been in close proximity to the affected staff member, we have established a dedicated webpage for your convenience. Please click the following link: [Access Detailed Staff Information] to review specific details about the individual in question. Prompt reporting of any interactions or contact is crucial, as it greatly contributes to the overall safety and security of our community. We understand that this news may be concerning, but please rest assured that our medical team is available to address any questions and provide guidance. You can contact them at [Healthcare@wustl.edu], and they will offer the necessary assistance. Our commitment to your well-being and the creation of a secure working environment remains steadfast. We kindly ask for your cooperation in this matter, as it is vital for our collective efforts to contain the virus and uphold the safety of our community. Confidentiality Notice: This email and its attachments are confidential and intended solely for the recipient. In line with privacy guidelines, we kindly request that you refrain from sharing or forwarding this message. PLEASE AVOID SHARING THIS EMAIL WITH ANYONE. 
We sincerely appreciate your dedication to our university community, and together, we will navigate through this challenge and emerge stronger. Best regards, Washington University in St. Louis Health Care Center Contact: (616) 526-7052

The Office of Information Security has identified a trend in which criminals send members of our community false COVID-19 contact tracing emails with a malicious link. They hope a victim will click the link and give their WashU credentials. In this scam, hackers use a compromised email address from Brown University to send phishing emails. […]

Duo Exceptions

The DUO Two-Factor Authentication upgrade was deployed on November 20, 2023, to enhance and secure WashU systems and applications access. A smartphone or tablet with the Duo Mobile app installed is required to use this new and preferred verified push method of multi-factor authentication. There are circumstances where you might not be able to download […]

New Digital Guardian Prompt 

Digital Guardian, the data loss prevention software, has been updated to detect and alert when sensitive information, such as Protected Health Information (PHI) or Personally Identifiable Information (PII), is shared to public websites, including Artificial Intelligence sites such as ChatGPT.  We are tuning Digital Guardian to reduce the number of false alerts and enhance our […]

Retirement of Secure WUSM Infosec Bulletin

To simplify the critical messages you receive about information security at the university, the Office of Information Security is retiring the Secure WUSM Infosec bulletin. Instead, the content will now be published in this newsletter. That means there will be fewer university-wide emails! Additionally, we are folding Secure WUSM itself into the organization-wide CyBear Secure […]

Keeping Information Security Simple – “Holiday Gifts that Keep on Giving”

Letter from the CISO, Vol 3 Issue 7 Washington University Community: Holidays and the joys of giving and receiving (safely)! As we are in the middle of the holiday season, it’s easy to get caught up in the joyous atmosphere and excitement of finding the perfect gift or the muted pain of receiving an ugly […]

Recent Winners and a Chance to Win $100 in Our Monthly Challenge

The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we want to point you toward a few resources to help you protect yourself from cybercrime and understand how our office can support you during this holiday season. Be sure to read our article on […]

Tips for Traveling and Shopping Safely This Holiday Season 

With Black Friday and Cyber Monday behind us, it can be tempting to impulse buy any remaining discounted items. Before getting caught up in a “while supplies last” frenzy, remember that scammers capitalize on hasty decisions involving payment information. According to the Internet Crime Complaint Center’s (IC3) 2022 report, non-payment and non-delivery scams cost people more […]

Scam of the Month: Charity Scam

Did a charity reach out to you for a donation? Here's how to give safely and avoid a scam: (1) Never donate with a gift card or by wiring money. Credit card and check are safer. (2) Search the charity name online. Do people say it's a scam? (3) Watch for names that only look like well-known charities. (4) Look up a charity's report and ratings: give.org, charitywatch.org, candid.org, charitynavigator.org. (5) Ask how much of your donation goes to the program you want to support. (6) Donating through a charitable fundraising platform? Be sure you know where the money is going.

If You Sent Money to a Scammer  Scammers often insist that you pay in ways that make it tough to get your money back. They prefer you wire money through a company like Western Union or MoneyGram, send cryptocurrency, use a payment app, or buy a gift card and give them the redemption code. Regardless of how you lost money to a scam, […]

Meet Your InfoSec Team: Nick Fredrick, GRC Security Analyst 

Nick Fredrick, GRC Security Analyst I, is one of the newest additions to the Office of Information Security. After earning his bachelor’s degree in computer information systems from St. Louis University, Nick interned for our Governance Risk and Compliance (GRC) team, where he was eventually hired as a full-time analyst. Throughout his time at WashU, […]

Protecting against cybersecurity risks with Microsoft 365 A5 security

WashU uses tools from the Microsoft 365 A5 security suite to detect and respond to cybersecurity threats. Most of the tools in the suite are designed to work behind the scenes so that students, faculty, and staff are not interrupted by the security features. Here is a brief overview of Microsoft 365 A5 tools and […]

Elect to Receive Your Tax Documents Electronically

Provide consent to receive electronic delivery of your tax documents by December 31, 2023. This will allow you to receive your W-2 form online as soon as it is available in Workday. You will be notified by email in January when your electronic W-2 form is available. Manage printing elections of your tax forms in Workday and […]

Keeping Information Security Simple – “The Preparedness Paradox”

Letter from the CISO, Vol 3 Issue 6  Washington University Community: Problems in WashU paradise  Sometimes, I think working at WashU is a bit like being in paradise. November is a time to reflect on things we are grateful for, and this includes working in a safe and welcoming culture. But even the Garden of […]

Scam of the Month: Process has begun by our administrator

Our record indicates that you recently made a request to terminate your Office 365 email. And this process has begun by our administrator. If this request was made accidentally and you have no knowledge of it, you are advised to verify your account. Please give us 24 hours to terminate your account OR verify your account Click Here To Verify Your Account Failure to Verify will result in the close of your account.

The Office of Information Security has identified a trend in which criminals send members of our community account termination emails containing a malicious link. They hope a victim will give their WashU credentials in a Google Form. In this scam, hackers use a legitimate WashU email address to send phishing emails. Victims who click the […]

Phishing Resistant Multi-Factor Authentication

As attackers figure out new ways to get around traditional multi-factor authentication, we must evolve to prevent fraudulent access to our accounts. The next wave of multi-factor authentication will fortify user accounts against phishing attacks. Unlike traditional multi-factor authentication, new approaches incorporate advanced techniques such as biometric authentication, hardware tokens, and push notifications to trusted […]

Security Guidance for Automatic Transcription Services

Many WashU community members create audio and video recordings in research, during meetings, while attending lectures, and in other circumstances. These recordings can be indispensable to a project because they document what was said with perfect fidelity for future reference and analysis. A transcript of the recording is even more helpful, making it easy to […]

Keeping Information Security Simple – “They Keep Raising the Bar”

Letter from the CISO, Vol 3 Issue 5  Washington University Community:  It doesn’t seem fair…  Last month I wrote about how the “right phish at the wrong time can catch anyone.” And this month, despite the fact it is Cybersecurity Awareness Month, we’ve had to deal with a wide range of innovative attacks against us […]

Cybersecurity Awareness Month 2023 Recap

Cybersecurity Awareness Month 2023 is coming to a close. This year, we hosted three webinars, promoted key behaviors to encourage every employee to take control of their online lives, and published weekly newsletters full of original content authored by WashU’s Office of Information Security.  Below, you will find a recap of some of the key […]

Firewall in macOS is available on WashU Macs

On WashU-supported Macs, you can now use firewall settings to turn on the firewall in macOS to prevent unwanted connections from the internet or other networks.  To change these settings in the latest version of macOS, choose Apple menu > System Settings, click Network in the sidebar, then click firewall on the right. (You may need to scroll […]

Stay Safe on Social Media

When using social media platforms, it is wise to be careful about what you post. Cybercriminals can use what you post to entice you into clicking malicious links. Be Careful What You Post: Any information you publicly post on social media could be used in a spear phishing attack. Spear phishing is when cybercriminals target […]

Stay Safer with Multi-Factor Authentication

Stay safer with MULTIFACTOR AUTHENTICATION (MFA). How to turn on MFA: MFA provides extra security for our online accounts and apps. This security could be a code sent via text or email or generated by an app, or biometrics like fingerprints and facial recognition. Using MFA confirms our identities when logging into our accounts. Look for and turn on MFA: It may be called two-factor authentication, two-step verification or similar. Confirm: Select how to provide extra login security, such as by entering a code sent via text or email or using facial recognition.

We encourage you to turn on multi-factor authentication for every online account or app that offers it. As time goes on, more websites and applications will offer multi-factor authentication, but it might not be turned on by default. Here are some guides on how to enable it for popular services:

Password Managers 

Password managers are apps, browser plugins, or programs within your browser. They store your passwords in a vault and lock the vault behind a “master password.”  It is safe to replace your password notebook  Even though password managers are the best way to safeguard your passwords, you might worry that storing every password in an […]

Weak Passwords

Weak PASSWORDS are the most common way online criminals access accounts. Strengthen Passwords with Three Simple Tips. Using strong passwords with the help of a password manager is one of the easiest ways to protect our accounts and keep our information safe. (1) Make them long. At least 16 characters—longer is stronger! (2) Make them random. Two ways to do this are: use a random string of letters (capitals and lower case), numbers and symbols (the strongest!), such as cXmnZK65rf*&DaaD; or create a memorable passphrase of 5-7 unrelated words, such as HorsPerpleHatRunBayconShoos. Get creative with spelling to make it even stronger. (3) Make them unique. Use a different password for each account: k8dfh8c@Pfv0gB2, LmvF%swVR56s2mW, e246gs%mFs#3tv6. Use a password manager to remember them.

Let a password manager do the work! A password manager creates, stores and fills passwords for us automatically. Then we each only have to remember one strong password—for the password manager itself. Search trusted sources for “password managers” like Consumer Reports, which offers a selection of highly rated password managers. Read reviews to compare options […]

Creating Strong Passwords

Using ChatGPT Hardware to Brute Force Your Password in 2023

When guessing passwords, hackers start with the most common passwords. According to research by NordPass, the top 10 passwords from 2022 are: Are any of your passwords on this list? Creating, storing, and remembering passwords can be an inconvenience for all of us online. Still, the truth is that passwords are your first line of […]

October 20: Microsoft applications may require users to reauthenticate

Mark your calendar: Microsoft applications may require users to reauthenticate. On the evening of October 20, WashU IT will enhance the university’s cloud-based Microsoft services. As a result, users may see authentication (login) prompts on Microsoft applications such as Teams, Outlook, Office, and OneDrive on their devices. These prompts are expected. Completing the WUSTL Key […]

Install Software Updates to Fix Security Risks

Update Software Promptly for Safety. When we see an update alert, many of us tend to hit “Remind me later.” Think twice before delaying a software update! Keeping software up to date is an easy way to stay safer online. To make it even more convenient, turn on automatic updates! Turn on automatic updates: Look in the device’s settings, possibly under Software or Security. Or search the settings for “automatic updates.” Watch for notifications: Not every update can be automatic. Devices (mobile phones, tablets and laptops) will usually notify us that we need to run updates. It’s important to install ALL updates, especially for web browsers and antivirus software. Install updates as soon as possible: When notified about software updates, especially critical updates, install them as soon as possible. Online criminals won’t wait so we shouldn’t either!

Why it’s so important to update promptly: If a criminal gets into a device through a security flaw, they will look for personal information and sensitive data to exploit. Technology providers issue software updates to “patch” security weak spots as quickly as possible. If we don’t install them, they can’t protect us! Software updates can also […]

Unexpected Emails 

Many of us receive a steady flow of emails every day, including bank statements, order confirmations, or sales promotions. To keep up, you may look through your inbox as quickly as possible—but do not forget to stay vigilant. Cybercriminals take advantage of haste and send dangerous, unexpected emails.  Unusual Account Activity Detected  One of the […]

Spot the Fake Login

Can you spot the fake login?

Scammers can create fake login screens that are strikingly similar to legitimate ones. One of the login screens pictured above is our true WUSTL login screen, and the other is an imitation from a real scam. Can you spot the difference? To make this more challenging, we’ve cropped out the URL from each login screenshot. […]

Unsafe Email Attachments

In addition to using WashU email for work, most people use email in their personal lives, too. You can get an email from your aunt with her stew recipe or an email from your boss about an office party. But what if the email isn’t actually from your aunt or boss? Cybercriminals often pretend to […]

What are AI Chatbots?

What are AI Chatbots? They are computer programs that are trained to understand and communicate with human language to answer user questions and generate automatic responses in the form of a conversation.

What are five essential security tips I should keep in mind when using an AI chatbot for work purposes?
1. Only Use Organization-Approved Chatbots: Before using an AI chatbot, verify it has been approved by your organization.
2. Be Mindful of Privacy and Intellectual Property Risks: Never share organizational, personal, or sensitive information when using AI chatbots.
3. Verify Accuracy of Information: Research the information using other trusted sources, instead of solely depending on chatbot information.
4. Stay Vigilant to Phishing Attempts: These are messages or requests from chatbots that try to trick you into providing sensitive data or opening a suspicious link.
5. Keep Updated on Emerging Security Threats: Stay informed about online safety when using AI chatbots.

Do you have any other advice to keep me safe in the digital world? Trust your instincts, and don’t hesitate to seek advice or report suspicious activities to the appropriate authorities. Remember these tips to have a safer and more informed experience when interacting with AI chatbots.

For more information about using generative AI at WashU, please visit Generative Artificial Intelligence (AI) – Information Technology (wustl.edu).

Google Yourself

With the internet and social media, it can be difficult to avoid sharing personal information online. Having an online presence can be valuable, but sometimes sharing personal information is risky. If you want to know what information about you is online, Google yourself. Your Search Results: If you Google your name, you may find public […]

Revised and Updated Policies 2023 

The Washington University in St. Louis Office of Information Security supports education, research, and clinical care by protecting systems and data for everyone at our institution. Information security is essential to every member of our community, and we all share personal responsibility for ensuring the security of our systems. We continuously improve our systems and […]

Keeping Information Security Simple – “The Right Phish at the Wrong Time Can Catch Anyone”

Letter from the CISO, Vol 3 Issue 4 Washington University Community: How likely are you to click? A few years ago, I advised a company to conduct its first email phishing simulation, otherwise known as a “phish test.” The systems administrator enthusiastically crafted a test message that used a logo from the company’s website, included […]

October is Cybersecurity Awareness Month

October is Cybersecurity Awareness Month, a global effort to help everyone stay safe and protected when using technology whenever and however you connect. The Office of Information Security is proud to champion this online safety and education initiative this October.  All month long, we are promoting these key behaviors to encourage every employee to take […]

Learn About Cybersecurity and Win Big This October

The Office of Information Security is running a competition throughout October for Cybersecurity Awareness Month! WashU staff, faculty, and students can submit several entries to win up to $1,000 in BearBucks.   Beginning September 28th, we will release three episodes of “The Inside Man,” a soap opera-style training that covers critical cybersecurity themes. Every Friday until […]