Dear UMBC Community,

It has come to our attention that a new wave of a popular scam has emerged. Scammers are impersonating faculty or someone with a high degree of trust among the community. In some cases, this may appear to come from a UMBC account.

The scam usually begins with a story of someone with a few high-value items going through a rough patch of life. The story claims that the person lost a loved one who owned high-value items or is relocating and has to empty their apartment of valuable items ASAP. They go on to "generously" offer those high-priced items for FREE!

These items can be an expensive digital camera, a pricey violin, a collector's guitar, or a cherished baby grand piano. But it wouldn't be a scam if there wasn't a catch. The scammers only ask you to cover the shipping costs for delivering the items to your location. They generally ask that you contact them outside of the UMBC.edu domain, either via email or phone. Once an external contact is established, scammers build rapport and ask for personal information, such as mailing addresses, to process a "shipping fee."

Once a payment is made to scammers, users are generally ghosted and calls/texts go unanswered. If you believe you have been a victim to such a scam, please contact law enforcement for assistance.

Be vigilant and look for the following signs:

• A story that is too good to be true ("granny was a musical prodigy and we are giving away her collection for free!")
• Urgency in communication ("items are only available to the first person who reaches out!")
• Moving to outside platforms ("text me on my cell number!")
• Unusual request for personally identifiable information ("What's your mailing address?")
• Financial requests that are not secure or traceable ("send me the money via a digital wallet!")

For more information about this, please refer to these resources: 

1. How can I identify phishing?
2. How Can I Avoid Identity Theft?

If you suspect a phishing or scam attempt, do not reply, click any links, open any attachments, or provide your information. Instead, forward the email immediately to the security team at security@umbc.edu. Your report helps protect everyone!

Thank you all for your continued awareness and assistance in keeping our community secure.

Cybersecurity Assurance and Digital Trust
UMBC Division of Information Technology (DoIT)

Dear UMBC Community,

Imagine a stranger secretly using your home internet or your laptop to hide their tracks. Recently, security experts have found that certain apps are doing exactly that! They are secretly turning personal devices into "digital masks" for cybercriminals. 

When you download a seemingly harmless app, it may contain hidden code that shares your internet connection with a global network of hackers. This makes their activity look like it is coming from your device and our campus.

How to spot strange activity on your device:

Your device might be working for someone else if you notice: 

• Performance Issues: Your phone or laptop suddenly runs slowly, gets hot for no reason, or has a battery that dies much faster than usual.
• High Data Usage: You see a massive spike in your internet data usage that you can't explain. 

Tips to keep your tech private: 

• Look Before You Click: Even in official app stores, check the reviews. If a simple app (like a flashlight or a calculator) asks for permission to access your files, contacts, or location, it's a red flag. 
• Beware of the "Too Good to Be True": Be skeptical of "cracked" software or free versions of paid apps. They often come with a hidden "tax" on your security. 
• Cheap Smart Tech: Very inexpensive "Smart Home" or Internet of Things (IoT) devices often have weak security, making them easy targets for hackers. 

What to do if you suspect trouble: 

If your device is acting strangely or you receive a suspicious email, do not click any links. Please forward any suspicious emails to the security team at security@umbc.edu.  

If you suspect a phishing or cybersecurity attempt, do not reply, click any links, or open any attachments. Instead, forward the email immediately to the security team at security@umbc.edu. Your report helps protect everyone!

Thank you all for your continued awareness and assistance in keeping our community secure.

Cybersecurity Assurance and Digital Trust
UMBC Division of Information Technology (DoIT)

Hello UMBC,

Cybersecurity isn't just a task for IT, it's a 24/7 commitment for our entire community. To help you navigate the ever-changing digital landscape, we are excited to launch the first edition of our cybersecurity newsletter.

In this inaugural issue, we dive into:

• Phishing Defense: How to spot "too good to be true" offers and urgent scams.
• Travel Safety: Keeping your data secure while researching or vacationing abroad.
• Latest Threats: Why you should be wary of TikTok scams and "Quishing" (QR code phishing).
• Policy Updates: Key changes to UMBC's Acceptable Use and Data Protection policies.

Read the newsletter attached!

Remember: If an email feels "off," it probably is. Forward suspicious messages to security@umbc.edu and help keep our campus secure.

Stay smart and stay safe!

 - Stacy Cahill

Chief Information Security Officer

University of Maryland, Baltimore County

Hello UMBC Community!

Join us today from 12:00 to 1:00 pm in the breezeway near the Commons to learn more and receive giveaways! We have a f(ph)ishing game and Swedish fish.

As part of Cybersecurity Awareness Month, we want to highlight a new tactic cybercriminals are using called ClickFix. This attack disguises itself as an error message or system alert that looks like it comes from your operating system. The message then instructs you to copy and paste a command into your terminal or command prompt.

Please remember:

1. Never copy or paste commands from a pop-up window or website.
2. If you see a suspicious alert, close the window or browser tab immediately.
3. Report the incident to security@umbc.edu right away so we can investigate.
4. If you have already entered a command, disconnect from the internet and stop using your device until security reviews it.

ClickFix relies on tricking users into taking action. By staying cautious and reporting anything unusual, you help protect both yourself and our organization.

Report the event to the security team at security@umbc.edu. Your report helps protect everyone!

Thank you for staying vigilant and keeping security a priority.

Hello UMBC Community,

We rely on Duo two-factor authentication to protect our accounts, and it's an excellent defense. However, cybercriminals are always looking for new ways to get past our security. This week's topic is all about what to do if you receive a Duo push notification you didn't initiate.

You're working on your computer, not logging into anything new, and suddenly your phone buzzes with Duo push notifications, including SMS texts or phone calls from Duo. What's happening? This is likely an attacker who has obtained your password and is attempting to bypass Duo to access your account.

Your immediate action is critical.

• Do NOT Approve It: The most important thing is to never approve a Duo push notification you did not initiate. Approving it will give the attacker access to your account.

• Deny the Request: Decline the request on your phone.

• Report as Fraudulent: If you can, mark the notification as fraudulent.

• Change Your Password: Immediately change your password on a trusted device or computer. This will invalidate the password the attacker is using.

Remember, a Duo push notification is like a digital handshake. You must be the one to initiate it. If someone else is trying to shake your hand, don't approve the connection!

If you received a Duo push notification you did not initiate, deny the request, change your password, and immediately report the event to the security team at security@umbc.edu. Your report helps protect everyone!

Stay safe out there.

Hello UMBC Community,

In the digital world, Phishing is one of the most used forms of cyber trickery where attackers impersonate trusted sources to deceive you into handing over credentials or personal information. These attacks come in various forms. Learning about them will help you not fall victim to those emails.

Phishing attacks are emails that may look like important messages but are actually crafted by cyber criminals. The good news? With the right knowledge, you can foil their tricks and keep yourself and UMBC safe. These are some tips on how you can recognize phishing emails:

1. Requests for Your Password: UMBC will never ask for your password. Never submit your password on Google forms or Monday.com forms. Your password is for your eyes only!

2. Unexpected Calendar Invitations: Watch out for calendar invites from unknown senders. Delete them and never click suspicious links inside.

3. Fraudulent Offers: Be wary of unsolicited offers for gift cards or jobs that are too promising. Do not send your personal or financial information to anyone who requests it over email or text. Real job postings are on Handshake only!

4. Unexpected Attachments or Links: Did someone send you a weird file or link you weren't expecting? Is a link in an email suspiciously short or strange-looking? If it feels off, don't click or download it.

5. A Sense of Urgency: Phishing emails often try to rush you into action, like claiming your account will be "deactivated" if you don't click a link immediately. Always be suspicious of urgent, high-pressure requests.

6. Poor Grammar and Spelling: While not always a giveaway, many phishing emails contain noticeable spelling errors or awkward phrasing.

What to do if you get a suspicious email:

If you suspect an email is a phishing attempt, do not reply, click any links, or open any attachments. Instead, forward the email immediately to the security team at security@umbc.edu. Your report helps protect everyone!

Stay vigilant, and together we can keep our digital environment safe.

Catch a "Fish"!