Potential Risks with Email and Internet
a. Spam, or junk mail, is any unwanted email sent to your Inbox. Most spam is sent to advertise a product, service, or event, and although it is annoying and time-consuming to have to sift through and delete these emails, they are otherwise harmless. However, some spam can bring more serious consequences (e.g. Phishing).
i. Pace students/staff/faculty email accounts utilize an email filtering service called Exchange Online Protection (EOP). For more details on how EOP works, visit the SPAM Control: Exchange Online Protection (EOP) page.
b. Phishing is the attempt to acquire personal information through electronic communication by masquerading as a legitimate entity, such as a trustworthy company, organization, Website, or online service. Phishing is mainly done through phony emails and Websites, meant to look like the real thing, but it can take other forms. The goal is to fool the recipient into providing personal information, which can include usernames, passwords, credit card numbers, social security numbers, and other sensitive information.
Some phishing emails try to make you think that your account, password, or credit card, etc., has been compromised to get you to react quickly by following the directions in the phishing email. For example, you click a link provided in the email and go to their fake Website, where you enter your account information and/or provide your personal information. Cybercriminals can then use the supplied information to steal your identity, access your online/bank accounts, etc.
i. Ignore/delete unsolicited emails and do not click on any attachments, links, and forms in them, especially when sent by unknown senders. If you know the sender, but have any doubt, verify separately with them whether they sent the email in question and whether it is safe to click the link, attachment, or form. For emails that ask you to click a link to go to the “company’s Website” to log in and/or confirm information, open up a separate browser window instead and type the legitimate Website address yourself. Check on the Website for any announcements about phishing attacks. In some cases, you may need to call the customer service number or a company directly to verify the validity of the suspicious email. If you determine that a website is legitimate, make sure it encrypts your data by using SSL (Secure Socket Layer). When SSL is in use, a lock icon will appear somewhere on your browser. However, even SSL can be spoofed, by using incorrect certificates. If you get a dialog box asking to install a certificate, confirm that the certificate is signed by a trusted source, such as Thawte or Verisign. If it is not, or if it is self-signed, contact the Website owner through other means, like a phone call.
Do not provide your personal information via email. Reputable companies, including Pace University, will never ask for your personal information via email. Lastly, don’t visit untrustworthy Websites or download unevaluated freeware or shareware.
More on Web Form Services and Phishing…
Report phishing scams to the US-CERT, at www.us-cert.gov/nav/report_phishing.html. The US-CERT is collecting phishing e-mail messages and website locations so that they can help people avoid becoming victims of phishing scams.
If you see a phishing attack that specifically targets the Pace University community, please contact:
Pace Help Desk:
If you think you have fallen victim to a phishing scam, there is excellent advice on what to do at http://www.antiphishing.org/resources/overview/.
- Avoid Getting Hooked by Phishers - National Consumers League's Internet Fraud Watch
- How Not to Get Hooked by Phishing - FTC
- Anti-Phishing Working Group
- Spoofed/Forged E-mail- CERT
- URL Redirection
- Phishing IQ Test
c. Malware (short for "malicious software") is any kind of harmful software that is installed without your adequate consent or knowledge and usually includes computer viruses, worms, trojan horses, and spyware. Cybercriminals sometimes try to trick you into downloading fake security software that claims to protect you against malware. This phony security software will actually install malware on your computer, ask you to pay for a fake product, or steal your personal information. Avoid visiting unfamiliar Websites that offer free software, especially free antivirus software. Pace University offers faculty, staff, and students a free download of antivirus software provided by Microsoft. This antivirus program can be downloaded from the ADAM page.
i. Computer Viruses are small software programs, which are designed to spread from one computer to another by attaching themselves to an existing program or file. They rely on unsuspecting people to activate them by opening the infected file or running a program containing the virus, thereby infecting other computers in this way. An infected file or program can be transferred via an external device, such as a USB flash drive or as an email attachment, and can significantly affect computer operation. For example, some viruses can modify, corrupt, or delete data on your computer, use your email program to propagate themselves to other computers, or even erase everything on your hard disk.
To help avoid computer viruses, it's essential that you keep your computer current with the latest updates and antivirus tools, stay informed about recent threats, run your computer as a standard user (not as administrator), and that you follow a few basic rules when you surf the Internet, download files, and open attachments.
Once a virus is on your computer, its type or the method it used to get there is not as important as removing it and preventing further infection.
ii. Worms are similar to viruses, but they are designed to spread over computer networks mainly via email attachments. Once an infected attachment is opened, a worm can immediately replicate itself and send copies to anyone listed in the victim’s address book. Worms can also breach the network security of the victim’s computer, allowing other applications to further exploit it. One common exploit is to install a backdoor to allow the author of the worm to control that computer as part of a larger network of infected computers, or botnet. The computer can then be used by spammers to send junk email without revealing the real source of the spam.
iii. Trojan horses, or Trojans, are files or programs, which appear to be legitimate software and many times perform a useful function for unsuspecting users who download and install the file or software on their computers. However, the malicious code contained in Trojans will give hackers remote access to the infected computer and allow them to further exploit it, including using the computer as part of a botnet, installing additional malware, controlling/modifying/destroying files on the computer, monitoring use of the computer by legitimate users, and even stealing personal information stored on the computer.
iv. Spyware is software designed to collect information about users without their knowledge, or control their computer use. It can collect almost any type of data about a user, including personal information, user keystrokes (e.g. passwords), and bank or credit account information. However, spyware can also install additional software, change computer and Internet settings, or redirect Web browsers to other Websites. Spyware programs can be stand-alone applications or embedded in other programs and are usually hidden from users, so they can be difficult to detect. Most spyware is installed when users download free programs, but infection can also happen if the user visits an infected Website.
d. ActiveX controls are small programs, sometimes called "add-ons," that are used on the Internet, but mainly by the Internet Explorer browser and the Microsoft Windows operating system. They can enhance your browsing experience by allowing animation, or they can help with tasks such as installing security updates from the Microsoft Update Website. Some Websites require you to install ActiveX controls to see the site or perform certain tasks on it. When you visit such a site, it will ask if you want to install the ActiveX control. The website that provides the ActiveX control should tell you what the control is for and provide relevant details. Unfortunately, ActiveX controls – like other programs – can also be misused. They can stop your computer from functioning correctly, collect your browsing habits and personal information without your knowledge, or can give you unwanted pop-up ads. Furthermore, "good" ActiveX controls might contain unintended code that allows "bad" websites to use them for malicious purposes. Internet Explorer blocks websites from using an ActiveX control on your computer if the website tries to use it in a way that might not be safe.
To further protect yourself, you should only install ActiveX controls if you trust the Website and publisher of the control and feel comfortable installing it. Generally, if an ActiveX control is not essential to your computer activity, do not install it.
Q: How can I tell if my computer is infected with malware?
A:Your computer may be infected with malware if:
It slows down, malfunctions, or displays repeated error messages
It won't shut down or restart
It serves up a lot of pop-up ads, or displays them when you're not surfing the web
It displays web pages or programs you didn't intend to use, or sends emails you didn't write.
Other signs may include:
- Your browser takes you to sites other than those you type into the address box
- Your home page changes suddenly or repeatedly
- New and unexpected toolbars are installed
- New and unexpected icons in the system tray (at the lower right corner of your screen)
- Keys don't work (for example, the "Tab" key that might not work when you try to move to the next field in a webform)
Random error messages pop up
Q: What should I do if I think my computer is infected?
A: Stop conducting online activities that involve usernames, passwords, or other sensitive information. The spyware could be sending your personal information to identity thieves. Write down the model and serial number of your computer, the name of any software you've installed recently, and a short description of the problem. Your notes will help you give an accurate description to the ITS technician. Immediately report the problem to the Pace Help Desk – Web: http://help.pace.edu, Email: firstname.lastname@example.org or Phone: 914-773-3333.
For a personal computer, if it’s covered by a warranty that offers technical support, contact the manufacturer, your Internet Service Provider (Comcast, AT&T, Time Warner, Verizon, Qwest, Earthlink, etc.), or a trusted computer consultant.