With the Universitywide transition to online teaching and remote work, many students, faculty and staff may be working from offsite locations for the first time. While telecommuting has advantages, it also introduces new or heightened security risks you should be aware of.
Verify the source of communications and services
Cybercriminals have created new scams to take advantage of the unease surrounding the coronavirus (COVID-19). They may send phishing emails with malicious attachments or links to fraudulent websites, trying to trick targets into revealing sensitive information or donating to fraudulent charities or causes. Some have created fake mobile apps purporting to provide information about outbreaks, when they actually just install malware on the device. We encourage everyone to remain vigilant and take the following precautions:
- Exercise caution when handling any email with a COVID-19-related subject line, attachment or hyperlink.
- Be wary of social-media pleas, texts, or calls related to COVID-19.
- Avoid clicking on links in unsolicited emails and be wary of email attachments.
- Use trusted sources such as legitimate government websites for up-to-date, fact-based information about COVID-19.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for such information.
- Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information.
- Vet mobile apps before installing them. New apps with only a few or no reviews, or whose developer hasn't made any other apps, may not be trustworthy.
- Continue to visit msudenver.edu for all University communications, as well as current guidelines, policies, and prevention measures.
Additionally, scammers may attempt to take advantage of remote workers by pretending to be a supervisor or colleague and sending messages that ask their target to reveal University information or make a purchase on their behalf. This is similar to the “gift-card scam” seen at the University in the past, and the techniques to combat it are the same:
- Always vet the source of a suspicious email; while the display name or signature may appear to be your supervisor’s, the e-mail address (which some mail apps hide by default) will typically belong to an external provider such as Gmail or Yahoo.
- Be diligent in determining whether the request is real and how you should respond.
- Do not be afraid to contact your supervisor to verify a request.
As always, if you believe you have received a phishing email, please report it using Microsoft's internal reporting tools. The exact method will vary depending on how you access your email:
- Outlook Web App (email.msudenver.edu):
- Right-click the offending email
- Select “Report”
- Select “Report phishing” or “Report junk” as appropriate
- Outlook Mobile App
- Highlight the offending email
- Tap the three dots in the upper-right
- Select “Report Junk”
- Select “Phishing”
- Outlook Desktop App (Windows or Mac)
- Open the offending email (double-click to open in a new window)
- Click the Report Message button in the top ribbon
- Open the offending email's context menu (right-click or double-click)
- Select "Junk" (Windows) / "Report" (Mac)
- Select a reporting option as appropriate
If you do not have these reporting options on the desktop app, please see How do I install the Report Message Add-In for Outlook?
Secure your Devices
Make sure your devices are secured when working from coffee shops or other remote locations. While your devices should be with you at all times, if you need to pick up your coffee or walk around the table to plug in an adapter, make sure to lock your screen so your data will be secure if someone tries to take a picture of the screen or run off with the device. Your devices should never be left unattended and unlocked.
Make sure your devices are receiving regular software and security updates. Don't use insecure or out-of-date devices to connect to MSU Denver resources. This includes devices running unsupported operating systems, such as Windows 7, macOS 10.11 (El Capitan), or older. Connecting with such devices can put University systems and services at risk.
All MSU Denver laptops have encryption software, so as long as the device is locked or turned off, the hard drive will be unreadable and protected if a malicious user attempts to access the hard drive directly. If you have any concerns about the encryption software or believe it may not be enabled, please contact the ITS Service Desk.
Be responsible with Personally Identifiable Information
Personally Identifiable Information (PII) consists of a combination of name, Social Security number, address, birthdate and anything else that, when combined, could be used to impersonate an end user. General best practices for working with PII while remote are listed below, but please contact your supervisor for your department’s best practices as well.
- PII should never be sent via e-mail, text or instant message.
- PII should never be stored on personally owned computing devices.
- PII stored in OneDrive or SharePoint should have retention rules to make sure the data is deleted once it is no longer needed.
- PII stored in OneDrive or SharePoint should have sharing rules to make sure the data is available only to people who are authorized to view it and need to use it.
- If there are any concerns with the security of your OneDrive or a SharePoint site being used, please reach out to the Service Desk for help with permissions.
If it is required to send or receive PII electronically, it is recommended this information be sent through Liquid Files. If you do not have access to Liquid Files, please submit a LiquidFiles account request.