Bug exposes 6.8 million Facebook user photos

Security Matters: For more information about permission settings, read our “Guide to managing mobile app permissions.”

On Dec. 14, Facebook announced that third-party developers had gained access to users’ private photos through a bug in the permissions process. This bug was active between Sept. 13 and 25.

Facebook delayed this announcement until they had completed an investigation of the breach. The investigation revealed that 1,500 apps built by 876 developers may have had access to these photos. Facebook will notify all users who were impacted by the bug.

Upon installation, these Facebook apps typically request permission to access timeline photos. The investigation revealed that the permissions bug also exposed photos in scheduled posts and photos shared through Facebook Stories and Marketplace.

Learn more about staying safe online by visiting securitymatters.utoronto.ca.

Phishing schemes to beware of this holiday season

Along with the holiday season comes the imminent arrival of new cyber security scams. These annual scams are socially engineered to turn a generous spirit, festive cheer and the high anxiety of holiday shopping into lucrative privacy leaks and data breaches.

The Better Business Bureau (BBB) reports that spoofed websites, fake shipping notifications, festive e-cards, travel scams and targeted cyber attacks against seniors are among the 12 most common privacy-compromising schemes of December 2018. Users must take additional precautions and pay special attention to emails that offer free gift cards, attachments from unfamiliar or unexpected recipients, sudden requests for money from family members and deals that seem too good to be true.

BBB warns that seniors remain vulnerable to cyber security attacks, and the ‘grandma scam’ is particularly common during the holiday season. If a senior receives a desperate request for money by someone claiming to be a relative, he or she should contact family members directly to verify the claims.

Other precautionary advice includes:

  • Shoppers should double-check who they are purchasing from, as many holiday phishing attackers are expert at imitating authentic brands.
  • Before opening any email links, ensure that the ‘from’ address and link URLs are consistent with the official domain of the stated company. Hover your mouse over the displayed hyperlink or webpage link to verify the destination URL before clicking.
  • Remain wary of email attachments or links from alleged shipping companies or unverified e-card companies. Legitimate businesses would never request that you enter your personal information to view content. Treat all links and attachments as suspicious email content until proven otherwise.

For more resources on how to keep your information secure this holiday season, visit securitymatters.utoronto.ca.

[Phish] I advise you not to call the police.

NOTE SAMPLE ONLY. This malicious fraud attempt has been seen elsewhere, but has not been reported at the University – yet. Be aware and report if you see this or other phishes at https://securitymatters.utoronto.ca/report/.

Details:

From: [redacted]

Subject: I advise you not to call the police.

Text:

My man carried a bomb (Hexogen) into the building where your company is located. It is constructed under my direction. It can be hidden anywhere because of its small size, it is not able to damage the supporting building structure, but in the case of its detonation you will get many victims.

My mercenary keeps the building under the control. If he notices any unusual behavior or emergency he will blow up the bomb.

I can withdraw my mercenary if you pay. You pay me 20.000 $ in Bitcoin and the bomb will not explode, but don’t try to cheat -I warrant you that I will withdraw my mercenary only after 3 confirmations in blockchain network.

Here is my Bitcoin address : [redacted]

You have to solve problems with the transfer by the end of the workday. If you are late with the money explosive will explode.

This is just a business, if you don’t send me the money and the explosive device detonates, other commercial enterprises will transfer me more money, because this isnt a one-time action.

I wont visit this email. I check my Bitcoin wallet every 35 min and after seeing the money I will order my recruited person to get away.

If the explosive device explodes and the authorities notice this letter:
We are not terrorists and dont assume any responsibility for explosions in other buildings.

Dell resets customer passwords following attempted breach

Following a Nov. 9 cyber security incident, last week Dell announced it is resetting all customers’ passwords. The unauthorized activity detected by Dell involved an attempt to steal customer information, including names, email addresses and hashed passwords.

The initial investigation found no evidence that the hackers succeeded in extracting any information. However, Dell decided to reset all customer account passwords as a countermeasure. Therefore, if one of your online accounts shares a password with a Dell account, it is wise to change that password as well.

Dell has not disclosed the number of accounts that were affected, but did confirm that payment information and social security numbers were not compromised.

Visit securitymatters.utoronto.ca to learn more about how to stay safe online and detect phishing emails.

[Phish] Amazon : activate your account ✔

Details:

From: no_repIy <contact@web2015.p2wt.com>

Subject: [Amazon] : Activate Your Account ✔

Text:

Dear Customer,

Some informations on your acount appears to be missing or incorrect, please update your account informations promptly so that you can continue to enjoy all the benefits of your Amazon account.

If you don’t update your informations within 72 hours we’ll limit what you can do with your Amazon account.

Simply click on the web address below :

Verify Now >

Thank you for your concern.

Sincerely,

Amazon Services Team

Amazon Services. Inc. is a subsidiary of Amazon.com. Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message was produced and distributed by Amazon Services Inc.. 410 Terry Ave. North. Seattle. WA 98109-5210

Phishing attacks targeting administration on the rise

On Nov. 16, University of Toronto (U of T) staff reported suspicious emails sent from accounts belonging to University administrators. The emails contained a request for recipients to purchase gift cards with their personal credit card with reimbursement promised in the near future.

The emails were “spoofed” – meaning the display name and domain URL were disguised to appear to originate from a senior executive at the University. This year, there has been a noticeable increase in these types of phishing attacks. To avoid falling victim to these types of cyber crimes, always follow up in person or by phone in regard to a request that is unexpected, urgent and/or atypical of your day-to-day interactions.
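The checks in the holiday checklist above (sender address and link URLs consistent with the brand's official domain; hover to see where a link really goes) and the display-name spoofing described here can be scripted. The following is an added example, not code from Security Matters: it parses a constructed message modelled on the “[Amazon] : Activate Your Account” phish in this issue, using an assumed allow-list of brand domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands named in this newsletter's samples and the domains that legitimately send their mail.
# This allow-list is an assumption for the example; extend it for your own environment.
BRAND_DOMAINS = {"amazon": {"amazon.com", "amazon.ca"}, "netflix": {"netflix.com"}}

# Constructed sample modelled on the "[Amazon] : Activate Your Account" phish; not a real message.
SAMPLE_PHISH = """\
From: no_repIy <contact@web2015.p2wt.com>
Subject: [Amazon] : Activate Your Account
Content-Type: text/html

<p>Dear Customer, please update your account informations promptly.</p>
<p><a href="http://web2015.p2wt.com/login">https://www.amazon.com/verify</a></p>
<p><a href="https://www.amazon.com/gp/help">Help</a></p>
"""

# (href, visible text) of each anchor: what hovering over the link reveals vs. what is displayed.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):
    """Crude registrable-domain approximation (last two labels): fine for .com/.ca, not for co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_email(raw):
    """Return findings: brand vs. sender-domain mismatches and link text vs. link target mismatches."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    claimed = (name + " " + msg.get("Subject", "")).lower()
    findings = []
    # 1. The display name or subject invokes a brand, but the address domain is not that brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in claimed and sender_domain not in domains:
            findings.append(f"claims {brand} but sender domain is {sender_domain or 'missing'}")
    # 2. The visible link text names one host while the href points to another (the hover check).
    for href, text in LINK_RE.findall(msg.get_payload()):
        text = re.sub(r"<[^>]+>", "", text).strip()  # strip any tags nested inside the anchor
        target = registrable(urlparse(href).hostname or "")
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if "." in shown and registrable(shown) != target:
            findings.append(f"link text shows {shown} but points to {target}")
    return findings
```

Running `check_email(SAMPLE_PHISH)` reports both the Amazon-branded subject sent from p2wt.com and the link whose text says amazon.com but whose target is p2wt.com; the plain “Help” link to the real domain produces no finding.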

Examples of similar phishing attacks at the University include emails from:

  • A company named Xero asking for invoice payment.
  • Netflix warning that account information needs to be updated or service will be limited.
  • Someone you know asking you to quickly purchase iTunes gift cards.
  • Someone you don’t know making an Interac transfer to your bank account.

You can view a collection of reported phishes by visiting the Security Matters’ Phish Bowl.

To report a suspicious email or phishing attack, contact report.phishing@utoronto.ca.

For more tips on how to stay safe online at work visit our Security Matters blog and check out our tip sheets.

Connecting with the community at information security events

Over the past two years, Information Technology Services (ITS) and the information security and enterprise architecture (ISEA) team have held a variety of outreach events to educate the University of Toronto audience about information security. This opportunity to connect with the community one-on-one and in-person is key and often results in event attendees sharing their own information security-related experiences and questions.

While hosting pop-up booths we heard from many students who were victims of social media fraud. One student told us her face was photoshopped to another woman’s body and used as a profile picture on an active Twitter account. Even though the account was taken down after she reported the incident, the student was left wondering who had done this and why they would want to steal her image in this way. In instances like this, do not hesitate to report the incident or user to the social media platform — you have a right to your image and identity. To learn more about safe social media practices, visit our resources page.

In one of our recent panel discussions, a senior systems administrator shared how he fell victim to a phishing scam. He described to the group that normally he would check the sender’s email address before replying to or engaging with any unusual emails. Unfortunately, in this case, he was using an unfamiliar iteration of Outlook (the Android app) and he wasn’t able to easily check the sender’s address. Without thinking, he clicked a link in an email and entered his credentials on the corresponding landing page. He quickly realized his error and acted fast to change his UTORid password.

After hearing so many stories of fraud, phishing attempts, compromised credit cards and more, it’s clear that a listening ear is still the best way to get people to open up about their experiences with information security.

We’d like to hear from you. If you have an information security story you would like to share, please contact us at its.eda@utoronto.ca.

Guide to managing mobile app permissions

It’s important to pay attention to what you’re installing on your mobile device and the kind of permissions you enable, especially when granting access to your microphone or camera.

[Image: the Amazon app requesting permission to access the camera on a mobile phone]

You should audit your phone regularly to verify that your apps only have access to the parts of your phone they need in order to function. You may even want to consider deleting some apps, since studies show that, out of 160,000 free Android apps, more than 55 per cent of trackers tried to extract user location, while 30 per cent accessed the device’s contact list. A 2015 analysis of 110 free iOS mobile apps revealed that 47 per cent shared geo-coordinates and personally identifiable information with third parties.

After installing an app, you’re typically asked for permission to access specific hardware and software on your phone in order to function. Many apps ask for permission to access private channels, such as your camera, contacts, microphone, text messages and external storage.

To check and modify your Android phone’s app permission settings, go to “settings” then “apps” and then use the top-right dropdown menu button to select “app permissions.”

[Screenshot: the Android settings screen where mobile app permissions are managed]

For iPhone users, simply navigate to “settings” then “privacy.” From here, you can view a list of your phone’s apps. Tap on any app to bring up a list of its permissions. Tap the toggle next to each permission to enable or disable access.

[Screenshot: the iPhone settings screen where mobile app permissions are managed]

Learn more about how to stay safe online and other related information security news.

To help you distinguish between typical vs. potentially risky access permissions, view the list below.

[Image: list of normal versus dangerous types of mobile app permissions]

Normal permissions refer to typical mobile phone functionality, while dangerous permissions can intrude into your day-to-day interactions. For example, a game may request access to your calendar or contact list even though neither is needed for the game to function, so it’s important to deny these requests.
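A scripted version of the audit recommended above, added here as an example and not part of the original guide: it parses the runtime-permission lines that `adb shell dumpsys package <pkg>` prints (here a constructed sample with hypothetical package names) and flags dangerous permissions an app holds beyond an assumed per-app baseline, such as a game holding calendar and contacts access.

```python
import re

# Runtime ("dangerous") permissions that touch private data, following the list above.
# Subset chosen for this example; extend it to the permissions you care about.
DANGEROUS = {
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS", "android.permission.READ_CALENDAR",
    "android.permission.READ_SMS", "android.permission.ACCESS_FINE_LOCATION",
}

# What each app legitimately needs to function (an assumed baseline for this example).
EXPECTED = {
    "com.example.game": set(),
    "com.example.maps": {"android.permission.ACCESS_FINE_LOCATION"},
}

# Constructed sample modelled on the "runtime permissions:" section printed by
# `adb shell dumpsys package <pkg>`; hypothetical package names, not real device output.
SAMPLE_DUMPS = {
    "com.example.game": """\
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALENDAR: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
""",
    "com.example.maps": """\
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
""",
}

GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)", re.M)

def granted_permissions(dump):
    """Permissions whose line reads granted=true; a granted=false line is a denied request."""
    return {name for name, state in GRANT_RE.findall(dump) if state == "true"}

def audit(dumps, expected):
    """Map each package to the dangerous permissions it holds beyond its expected baseline."""
    report = {}
    for pkg, dump in dumps.items():
        excess = (granted_permissions(dump) & DANGEROUS) - expected.get(pkg, set())
        if excess:
            report[pkg] = sorted(excess)
    return report
```

`audit(SAMPLE_DUMPS, EXPECTED)` flags only the game, for READ_CALENDAR and READ_CONTACTS; its denied CAMERA request and the maps app's expected location access are not reported.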

[Phish] Facture disponible (Invoice available)

Details:

From: [redacted]

Subject: Facture disponible (Invoice available)

Text:

Dear customer,

Service order 8017123 is complete and invoice UL405890-61 is ready for payment!

A DOC of the invoice is attached to this email.

Please accept my best regards.

Have a good day,

[redacted]

Office: +1 119496-014-793

Fax: +1 119 496-014-997

[redacted]

[Phish] Amazon cards

Details:

From: [Redacted]

Subject: Amazon Cards

Text:

Are you there? I need you to go on a quick task for me.

I need you to get some gift cards which are to be sent out in about  35mins to our clients.

Kindly get me 4 copies of Amazon gift cards, each worth 100$. that’s 400$ worth of Amazon gift cards.
should scratch-off the back codes and email a clear picture of the codes & receipt so i can forward directly to our clients

I will reimburse you back as soon as am done here.

PS: I’m busy at the moment and can’t talk but will lookout for your reply

Thanks
T[Redacted]