Why Cyber Security Awareness is Important
Welcome to college! Got your digital armor? You may want to suit up. Because of all the personal & proprietary data they collect, universities are easy marks for cyber marauders. In Symantec’s 2016 Internet Security Threat Report, the education sector was ranked #2 in the number of cyber security breaches by industry.
Student email accounts, shared computers, and internal networks have all been targets in the past. Add vulnerabilities in the Cloud, mobile, and the Internet of Things, and you can understand why the list of colleges in the PrivacyRights.org Data Breaches database keeps on growing.
Another campus challenge? Life on the internet. Social media and websites have become particularly rich sources of info for trolls. According to an Online Harassment 2017 report by the Pew Research Center, 67% of 18- to 29-year-olds have been the target of cyber harassment; 21% of women in this age group reported being sexually harassed online. Even university sports & club websites can be mined for specifics.
These stats and stories aren’t meant to scare you (well, maybe a little). They’re meant to prepare you to defend yourself. In the guide below, we cover some of the most common cyber security attacks you’ll encounter on campus and what you can do to fight back!
Campus Thefts & Scams
When You Don’t Secure Your Laptop & Mobile
You’re working on a bear of a project. It’s late. You’re starving. You dash out to the communal kitchen to grab a snack and come back a minute later to find your laptop missing. There goes your life…
According to U.S. Department of Education data, theft of personal property was the most common crime on college campuses in 2015. It takes seconds for thieves to grab a mobile off a table or a laptop from a library desk. So don’t give ’em the chance!
- Lock your dorm room.
- Do not store your laptop in a car – that’s prime territory for criminals. Take it with you.
- Invest in a laptop lock (e.g. anchor lock or laptop cable lock) to anchor your computer to a large, stationary object.
- Register your laptop with the Campus Security office.
- Install laptop tracking software (e.g. LoJack).
- Encrypt your laptop and do not keep personal info (SSN, passwords, etc.) stored in files. Encryption software like BitLocker (for Windows 10) and FileVault (for Mac OS X Lion) provides added security for your files.
- Back up your files to an external hard drive and a trusted Cloud provider, so you can erase a stolen laptop remotely without losing your work.
We also recommend you:
- Lock your phone screen with at least a 6-digit PIN and enable “find my phone” so you can locate the device if it is stolen.
- Lock up your physical paperwork (e.g. FAFSA forms, bank documents, tax documents, credit card applications, and anything with your financial info).
- Purchase dorm insurance.
When You Pick Up an Infected Device on Campus
“Antonio” is known as a good guy. He volunteers for the campus food bank and works in the summer at a free medical clinic. When he finds a USB drive dropped on the stairs, he immediately plugs it into his computer to see who owns it. As soon as he does, the USB begins to inject keystrokes that will eventually give a hacker remote access to his computer.
This is a hypothetical situation that Google’s anti-abuse research team tested on the University of Illinois Urbana-Champaign campus. It dropped 300 USB sticks around the area. 98% were picked up. In 45% of cases, folks not only plugged in the devices, but they also clicked on the files.
- Distrust any device – remote drive, mobile, or laptop – that you find on campus.
- Do not open it or plug it into your computer; return it to lost property with a note explaining your suspicions.
- Use security software to scan any device given to you, even by a trusted friend.
When You Use a Communal Workstation
Imran Uddin was a University of Birmingham student looking to improve his grades. Using a keylogger – a small hardware device that records keystrokes – he was able to steal staff passwords, access the exam grading software, and raise five of his test scores. In 2015, he was sentenced to 4 months in prison.
Keyloggers aren’t the only threat. If you’re working at a communal computer or workstation on campus, you may also be exposed to infected software or files. And you’re leaving traces of your own digital fingerprints (e.g. browsing history) in the system.
- Be super-vigilant – decide if using a communal workstation is worth the risk.
- If you do, do not input sensitive information (e.g. passwords), download dodgy software, visit illegal sites, etc.
Computer & Mobile Vulnerabilities
When You Don’t “Vaccinate” Your Computer & Mobile Phone
In 2017, a variant of the Petya group of ransomware tore through computers worldwide, attacking companies like Merck and Maersk. Hackers were demanding big bucks for the return of a user’s files. When researchers at Talos Intelligence traced the infection back, they determined that it probably began with a falsified software update to MeDoc, a Ukrainian accounting system.
Today, hacking is not a question of “if,” but “when.” Your devices are always going to be vulnerable to attacks, but you can take a number of steps to inoculate yourself. Here are some of the top tips experts recommend:
- Always make sure your computer & mobile software is fully up-to-date. Enable automatic updates or go to the software vendor’s website directly.
- Shut down and restart your computer at least once a week so that pending security updates are actually installed.
- Beware of malware and ransomware “updates” that pretend to be legitimate – hackers are very good at faking the real thing (e.g. anti-virus protection software). Do not install updates from untrusted sources.
- Invest in strong virus & spyware protection, even if you own a Mac.
- Keep important files backed up on a separate (i.e. disconnected) backup hardware drive or in a trusted Cloud account in case you need to recover them.
- Use pop-up blocking on browsers and consider private browsing when surfing the web. Erase your cookies daily.
- Do not store your payment info (e.g. credit card numbers and addresses) on online websites (e.g. Amazon, Apple, etc.).
- Monitor your credit rating, credit card account & bank accounts regularly; enable text or email notifications to alert you to possible fraudulent charges.
When You Visit Torrent Websites
It’s late on a Friday night, you’re browsing a torrent website for a horror film, and the party is just getting started. Only it’s not. Because while you’re passing round the beers, a “drive-by download” is infecting your computer. You haven’t even clicked on a link and you’re screwed.
In a 2015 report by Digital Citizens Alliance and RiskIQ, 1 in 3 torrent websites exposed users to malware (that’s not a typo). 45% of malware was delivered through “drive-by downloads” that invisibly install malware on your computer (e.g. scraping your files to find your SSN). Torrent website owners will even use ad & affiliate networks to deliver exploits and malicious programs.
- Movies, music, and copied textbooks are prime digital bait for hackers. Sorry, folks – just don’t visit torrent sites if you want to keep your personal and financial info safe.
- Remember that you’re putting other students and computers at risk. If an attack infects your computer and spreads through the university system, you’re in deep, deep trouble.
When You Discard or Sell Old Devices Without Wiping Them Clean
“Dan” is looking to get rid of his old mobile and earn a little money on the side. He wipes his Android phone using the manufacturer’s reset directions and posts it on eBay. Then Avast comes along, buys his phone, and uses off-the-shelf digital forensic software to recover personal photos, emails, and text messages. Apparently, Dan is really into anime porn…
It can be very hard to erase your data from a drive or a storage card completely. Even destroying it may require the use of “a blender and fire,” as Jonathan Zdziarski, an iOS forensics expert and security researcher, points out in Wired. The FTC has some good tips on disposing of your mobile device. We also recommend that you:
- Do not take or store embarrassing pictures on your devices. Truly. Somebody is going to find them.
- Find instructions online from the manufacturer (e.g. Apple) that will help you overwrite your data.
- Remove or erase SIM and SD cards.
- Consider apps (e.g. Avast Anti-Theft) that will help you overwrite your data.
- Do not resell on eBay. Instead, recycle it back to the manufacturer or wireless service provider.
When Your Password is Too Easy
In 2016, Mark Zuckerberg, cofounder of Facebook, realized his Twitter and Pinterest accounts had been hacked. The cryptic password he used to protect those two accounts? “dadada”. Yes, truly.
Easy passwords are the Achilles’ heel of the internet. 123456, passw0rd, admin, abc123 – they just won’t cut it in a world full of sophisticated hackers. In fact, experts recommend that your password for financial and sensitive sites be at least 12 characters, with a mixture of capital & lowercase letters, numbers, and symbols.
- Create strong passwords and change them regularly.
- Use passphrases to create long and secure passwords. For example, use “Th3CowJumpedOverTheM00n” instead of “The cow jumped over the moon.” It’s over 15 characters long and nearly impossible to crack.
- Never write a password down and stick it near your device (e.g. top drawer, back of the laptop, mobile case, etc.). People do this!
- Do not use birthdays, family names, pets, locations, and words that you can find in the dictionary – hackers can easily source this info online. They also guess season and year combinations, such as “Summer2017.” This is a popular password format, so it’s best to avoid using it.
- Do not store your passwords in your email account, unsecured Cloud accounts, or anywhere that is open to a hack.
- Enable two-step authentication/two-factor authentication (2FA) for websites that store personal info (e.g. email, social media sites, etc.).
- Consider a password manager, but realize that these are also subject to hacking.
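The rules in this section (length, character mix, no dictionary words or common passwords, no season-plus-year patterns) as a small checker. This is an added example, not code from the guide; the word list is a tiny constructed stand-in for a real dictionary or breached-password list, and treating three of the four character classes as enough is an assumption so that the guide’s own passphrase example passes.

```python
"""Check a password against the guide's rules (added example; the word list is
a constructed sample, not a real dictionary or breach list)."""
import re

MIN_LENGTH = 12  # the guide's minimum for financial and sensitive sites

# Constructed sample of dictionary words, names and known-weak passwords.
COMMON_WORDS = {
    "123456", "password", "admin", "abc123", "dadada", "qwerty", "letmein",
    "cow", "moon", "summer", "winter", "spring", "autumn", "fall", "fluffy",
}
# "Summer2017"-style passwords: a season, optional separator, 2- or 4-digit year.
SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)[\W_]*\d{2,4}$", re.I)
# Common digit/symbol substitutions, so "passw0rd" is still caught as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def _core_words(pw):
    """Lower-cased forms of the password (raw and de-leeted), plus the same
    forms with trailing digits/symbols stripped, e.g. 'Fluffy123!' -> 'fluffy'."""
    forms = {pw.lower(), pw.lower().translate(LEET)}
    return forms | {re.sub(r"[\W\d_]+$", "", f) for f in forms}


def check_password(pw):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    # Assumption: three of the four classes is enough, so the guide's own
    # passphrase example (upper, lower, digits, no symbols) passes.
    if sum(classes) < 3:
        problems.append("uses fewer than three of: upper, lower, digit, symbol")
    if COMMON_WORDS & _core_words(pw):
        problems.append("is a common password or dictionary word (possibly with a suffix)")
    if SEASON_YEAR.match(pw):
        problems.append("is a season + year combination")
    return problems


def is_strong(pw):
    """True when the password breaks none of the rules above."""
    return not check_password(pw)


if __name__ == "__main__":
    for candidate in ["dadada", "passw0rd", "Summer2017", "Fluffy123!",
                      "Th3CowJumpedOverTheM00n"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```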
When You Use the Same Password for Numerous Sites
Another problem with Zuckerberg’s password strategy? He used it across more than one social media site. It’s likely that his hackers got into his accounts by tapping into a LinkedIn password dump.
You may not think this is a big deal, but consider what would happen if a hacker was able to access accounts in all your digital realms. Suddenly, your private photos are appearing in Facebook posts. Sensitive emails are being quoted. Your Twitter account is spewing hatred and lies.
- Create strong passwords and change them regularly.
- Do not use the same password for your email, financial, and social media accounts. Pick a unique password for each site.
When You Store Sensitive Data in “Contacts” on Your Phone
We’ve probably all done it. Someone gives us a credit card number, a home security code, or an ID number and we stick it under his/her name in Contacts, where it sits in plain text, immediately available to any hacker who wants it.
Contacts are completely unprotected. What’s worse, they’re usually synced between your phone and laptop. Both security experts and manufacturers (e.g. Apple) say your address book is one of the worst places you can hide secrets.
- Never store private info under Contacts (e.g. security codes, bank pins, financial account numbers, SSNs, passwords, health info, etc.).
- Store data in a password-protected file or write it down and stow it somewhere safe.
- Consider a password manager, but realize that these are also subject to hacking.
When You Follow a Dodgy Link or Reply to a Fake Email
In 2017, a Dartmouth student read an email from College President Phil Hanlon. It seemed legit – it asked for his user name and password and contained a link to a university website to enter the info. The email was spam and the website was crawling with malware. You can read about the scam in The Dartmouth newspaper.
Phishers love to send out fake emails from trusted senders (e.g. university help desk). These may include a link to a false website specifically designed to spoof the look of the real thing – a bank, university, or even a government site. In some cases, the email may ask you to reply to verify information or respond to an enticing job opportunity.
- Phishers are getting increasingly sophisticated – distrust every piece of email coming into your inbox.
- Never reveal private info (e.g. passwords, credit card numbers, SSN, bank account numbers, addresses, etc.) in an email.
- If there is a link, study the URL carefully; check that it has “https” at the beginning. The link may look legit in the email, but hover over it with your cursor to see if it will forward you to a different URL. Better yet, visit the website independently.
- Phishers with fake websites will often play on your fears (“You owe the IRS…,” “Your account is about to be terminated…”) and greed (“You’re eligible for a great credit card offer…”). Watch out for emotional messages.
- Decide if the issue is real with a phone call.
When You Open an Infected Attachment
One morning, Lily Hay Newman received an email with the subject line “Court Notice” and a reminder about the date of a case hearing. Attached to the email was a Microsoft Word document. She was on the point of downloading it when she remembered to check the sender. It was a spam Gmail address.
Email attachments (e.g. .doc and .exe files, Google docs, etc.) were the #1 carrier of malware in 2016, according to Verizon’s 2017 Data Breach Investigations Report. Using this malware, phishers can steal sensitive information on your computer, hijack your device, and even hold your data for ransom.
- Do not open attachments without checking the source very, very carefully. Even if it’s a trusted source, be wary. You don’t know if the sender has a computer that’s infected.
- Do not download & install suspicious software.
- Search the internet to see if similar phishing scams have been reported.
- Verify anything unusual. Pick up the phone and ask the person if he or she emailed you a document.
When You Answer a Suspicious Phone Call
You’re doing well in your first year but you’ve always been a little absentminded about bills and due dates. When the Office of College Admissions calls and threatens to drop you from class if you don’t make your quarterly installment, you immediately pay up.
It’s a scam of course, and one of many ways that phishers are targeting students and their financial data through mobile. The IRS has a whole list of Back-to-School telephone scam warnings for college students.
- Distrust any unusual caller – send unknown numbers straight to voicemail.
- Do not give personal and financial data (e.g. passwords, SSNs, tax information, credit or debit card numbers, etc.) out over the phone. Government agencies will not cold call you and the IRS generally mails tax bills.
- Check your credit report regularly to look for signs of identity theft.
- Caller IDs can be spoofed. Hang up and call the institution (e.g. IRS, Office of Admissions, bank, etc.) directly. Report the scam.
- If a company calls and says that your computer is having problems, do not allow them to remotely connect to your computer to fix it.
When You Follow a Malware Link in a Text
In August 2016, Ahmed Mansoor, a renowned human rights defender, received a series of SMS text messages on his iPhone. The sender promised that the included link contained “new secrets” about detainees tortured in UAE jails. Mansoor, very wisely, didn’t take the bait.
The Pegasus malware incident, as it’s now called, is just one example of how phishers are targeting data in mobile phones. Think of all the info you store in there – personal photos, text messages, email, apps, and the like. Hackers would love to get their hands on it.
- Do not click on links in text messages.
- Ensure your phone’s software is always updated.
- Report the issue to your mobile phone provider.
Social Media Dangers
When You’re Harassed, Bullied or Stalked on Social Media
Caroline Gleich was a successful pro skier with an active Instagram feed and a lot of followers. But as Outside Magazine reported in 2017, her popularity and good looks made her a target of constant cyberbullying. There were insults, sexual comments, and even a threat on her cellphone’s voicemail.
If you haven’t already experienced it in high school, you’re probably going to be a victim of cyberbullying at some point in college. Women, the LGBT community, and folks with a public presence (e.g. athletes) are often at higher risk. We could advise you to take yourself off social media, but we know that’s a big ask. Instead, we recommend you take precautions.
- Never post personal info (e.g. mobile number, home address, age, location, name of your school, etc.) on a social media site. This category includes photos that could identify your location (e.g. school, home, vacation address, etc.) or too many of your interests.
- Check the security settings in your social media account – make them a high priority.
- Do not accept random friends and students on social media.
- Do not advertise when you’re going to be away from home.
- Do not allow your device to be geotagged (e.g. check-in at locations via GPS).
- Remember that everything on social media has the capacity to be shared.
If you are the subject of cyberbullying or harassment:
- Communicate in clear terms that you wish to be left alone.
- Use filters and security software to cut yourself off from your harasser.
- Document the issue. Take screenshots; save emails, texts, and voice messages; and record phone calls so you have evidence.
- Report the problem to campus police/security and your social media provider.
- Seek counseling from the Student Counseling Service and/or a crisis helpline.
When You’re the Subject of “Revenge Porn”
Jennifer Lawrence, Kate Upton, Rihanna, Avril Lavigne – you’ve heard the list of celebrities whose personal & private photos have been posted online. But there are millions of others, including many college students, who have been subject to the same shame.
According to a 2016 Data & Society Research Institute report on Nonconsensual Image Sharing, 1 in 25 Americans has been the subject of revenge porn; 1 in 10 women under the age of 30 have experienced threats of image exposure. It’s gotten to the point where no digital photos are safe.
- Do not take or store embarrassing pictures on your devices or Cloud accounts. Even apps like Snapchat can be hacked and monitored remotely.
- Try not to sext, even with a trusted and loving partner. Hackers can get hold of photos on the device by other means (e.g. hacking through public WiFi).
- Document and report the problem to your social media provider and campus police/security.
- Seek counseling from the Student Counseling Service and/or a crisis helpline.
When You’re Hacked through a Social Media Post
One day, the wife of a Department of Defense employee was swapping messages with friends about what they could do with their kids on their summer vacation. As the New York Times reported, a Twitter message arrived with a link to a great family-friendly vacation package. When she followed the link, hackers were able to burrow into her husband’s computer through a shared home network.
Phishing is very common in social media. Hackers can find out all kinds of info about your personal interests (e.g. favorite sports team) and tailor their scams accordingly. They can even hijack accounts and pretend to be your brother or your best friend.
- Do not click on links, even ones sent by trusted sources (e.g. ticket sales for a sports event, ad for vacation package, etc.). Visit the website independently and look for “https” at the beginning of the URL.
- Do not do polls or quizzes that reveal personal info. Hackers can use these to sign you up for dubious services or steal your info to open accounts.
- Do not click on shortened URLs that hide the website link.
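The link checks from the phishing-email section and this one (is the link https, does the text you see match where the link really goes, is it a shortened URL, is the host actually the site it claims to be) as a script run over a constructed phishing message. This is an added example, not code from the guide; the shortener list, the sample email and the `.example` host names are constructed.

```python
"""Audit the links in an HTML email or post (added example, not the guide's
code). Sample message and shortener list below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of URL shorteners; a real check would use a maintained list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
# Visible link text that looks like a URL or domain, e.g. "www.dartmouth.edu/login".
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _shown_host(text):
    """Host the visible text claims to point at, or '' if the text is not URL-like."""
    if not URL_LIKE.match(text):
        return ""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def audit_links(html, expected_domain):
    """Map each href to a list of warnings; an empty list means nothing suspicious.
    expected_domain is the site the message claims to come from (e.g. your university).
    Note: https only means the connection is encrypted, not that the site is genuine,
    so the host comparison matters more than the padlock."""
    parser = _LinkCollector()
    parser.feed(html)
    report = {}
    for href, text in parser.links:
        warnings = []
        host = (urlparse(href).hostname or "").lower()
        if urlparse(href).scheme != "https":
            warnings.append("not https")
        if host in SHORTENERS:
            warnings.append("shortened URL hides the real destination")
        shown = _shown_host(text)
        if shown and shown != host:
            warnings.append(f"text shows {shown} but link goes to {host}")
        # A look-alike such as dartmouth.edu.evil.example fails this check because
        # it neither equals nor ends with ".dartmouth.edu".
        if host != expected_domain and not host.endswith("." + expected_domain):
            warnings.append(f"host {host or '(none)'} is not {expected_domain}")
        report[href] = warnings
    return report


# Constructed phishing message modelled on the "college president" scam above.
SAMPLE_EMAIL = """<p>Dear student,</p>
<p>Your account is about to be terminated. Log in at
<a href="http://dartmouth.edu.account-verify.example/login">https://www.dartmouth.edu/login</a></p>
<p>Or use <a href="https://bit.ly/3abc">this short link</a>.</p>
<p>Library: <a href="https://library.dartmouth.edu/hours">library hours</a></p>"""

if __name__ == "__main__":
    for link, warnings in audit_links(SAMPLE_EMAIL, "dartmouth.edu").items():
        print(link, "->", warnings or "looks fine")
```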
When You’re Scammed by a Social Media Friend
George Zhou heard about a great deal. A girl on WeChat – a trusted UW student from China – was saying that UW students could save ~$600 off the cost of summer tuition by paying an intermediary. Students gladly provided their user name and ID. In return, scammers used stolen credit card numbers to pay the tuition bill.
As the Seattle Times reported, the scam duped as many as 90 people. We’d hate to say that you can’t trust anybody, but we are going to warn that you can’t trust online sources. Hackers use social media for catfishing, false charities, fake appeals for help (“Lost my wallet!”), and more. Symantec Norton has a list of the top social media scams.
- Distrust any appeals you receive on social media. Call to confirm it with your friends and family.
- Check that a charity is legitimate on Charity Navigator.
- Watch out for fake online personas – do your research before you agree to meet an online date.
Travel & Off-Campus Threats
When You’re Hacked Via Free WiFi
You’re on the road with your sports team and assembling for the plane. While you’re stuck at check-in, you connect to the free airport WiFi. The only problem is, you’re connecting to a hacker’s network that is using the airport’s name to trick you into believing you’re safe.
Using public and free WiFi is like having unprotected sex – it’s a really bad idea. The Harvard Business Review has a large number of examples of how folks have been hacked. It’s also incredibly easy for cyberstalkers to snoop or eavesdrop on your device using inexpensive & free software.
- Do not use public WiFi to shop online, access financial info, or visit sensitive sites. Never enter your login names or passwords.
- Enable two-step authentication, also known as two-factor authentication (2FA), when you’re logging into sensitive sites (e.g. credit card accounts, social media, email, etc.).
- Use a Virtual Private Network (VPN) to encrypt your data.
- Only visit websites with “https” at the beginning of the URL, not “http.”
- Disable the automatic Wi-Fi connectivity feature on your phone under Settings.
- Monitor your Bluetooth connection in public areas.
- Get an unlimited data plan and cut yourself off from public WiFi.
When Your Money is Stolen by an ATM Skimmer
In October 2017, Chicago police reported they had found over a dozen ATM skimmers in Walgreens stores across the city. Hackers had installed both skimmers inside the ATMs and cameras to record folks entering their PINs.
As a college student, you’re likely to be traveling where you’ll want cash. Since your ATM or debit card is going to be your lifeline, it’s hugely important to keep it secure.
- Check for unusual devices added to the ATM.
- If your card is hard to put in the slot, this may be the sign of an internal skimmer. Do not use the machine.
- Always cover the keypad with your hand when entering your PIN.
- Look for a plastic overlay on the keypad – this may be recording your PIN.
- Be aware of who is behind you – if they’re too close or look like they may be recording you, walk away.
- Write down your bank’s helpline in case you lose your card or you think it’s been compromised. You’ll want to freeze your accounts.
Internet Safety and Security Awareness Resources for Students
If you’ve been the victim of any of the issues mentioned above, you are not alone! College campuses are increasingly aware of online dangers and ready to come to your rescue.
Office of Information Technology & Computer Services
In addition to helping you with a hack, these folks also often provide cyber security tips & tutorials, free security software to students (e.g. VPN, anti-virus programs, scanning for vulnerabilities, etc.), and electronics disposal. Always report issues (e.g. phishing emails to your student account) to this office. They may not know about the problem until you tell them.
Campus Safety Department & Campus Police
Cyberbullying, harassment, and stalking are unacceptable. Visit the campus police with your documentation in hand – screenshots, emails, texts – and make a report. Campus police may advise you on digital steps to take (e.g. blocking users) and physical steps to take (e.g. protecting yourself at night).
Student Counseling Services
Cyber victims don’t always feel comfortable talking about the issue. Binge drinking, skipping class, taking drugs – these may be the methods they use to cope instead. If you’re worried about a friend, talk to the folks at Student Counseling about your concerns.
Cyber Security Education
Internet Safety Groups & Resources
- StaySafeOnline.org is a fantastic site run by the National Cyber Security Alliance (NCSA) and overflowing with advice on privacy and security. There are free checkups & tools, tips for individuals, businesses, and families, and links to many other useful resources.
- Stop. Think. Connect. is a global online safety awareness campaign led by the NCSA and government groups. Along with basic advice, you’ll also find background on research and surveys.
- Turn It On: The Ultimate Guide to Two-Factor Authentication (2FA) is a free resource that explains how to enable 2FA on various websites (e.g. Facebook, Google, Instagram, etc.).
Advocacy & Support Groups for Online Victims
- CiviliNation is taking a stand against online hostility and adult cyberbullying. Though it’s more about research and education, it does have a resources section on How to Protect Yourself Online.
- Crash Override is a crisis helpline, advocacy group, and resource center for anyone experiencing online abuse. It’s fiscally sponsored by Feminist Frequency, a 501(c)(3) non-profit organization.
- Cyber Civil Rights Initiative grew out of Holly Jacobs’ End Revenge Porn (ERP) campaign. It’s designed to support victims, educate lawmakers, and end abuse. It has a Crisis Helpline for Revenge Porn Victims.
- FightCyberstalking.org is an online resource site for cyberstalking victims. Here you can report a cyberstalking case, find tips on privacy (e.g. how to remove your WhitePages public listing) and online safety, and get support.
- Stalking Resource Center is run by the National Center for Victims of Crime. It has a Victim Connect Helpline, tips, safety plan guidelines, and background on stalking laws.
- Without My Consent provides various tools to help you fight online harassment and privacy violations.
How to Report a Cyber Security Issue on Social Media or Email
- Facebook: Report Something has step-by-step guidelines on how to report incidents of cyberbullying, revenge porn, account impersonation, etc.
- Facebook Security has tips on how to deal with hacked accounts, spam (phishing, malware, sharebaiting, suspicious emails, etc.), and more.
- Gmail Help is the epicenter of Gmail assistance, with advice on security & privacy, as well as how to report unwanted and suspicious emails.
- Instagram: Report Something allows you to report hacked accounts, impersonations, abuse & spam, harassment – you name it.
- Snapchat: My Account is Hacked will guide you through the steps you need to take after being hacked.
- Snapchat Safety Center has safety tips and community guidelines, as well as advice on improving your privacy settings.
- Twitter: How to Report Violations has a bullet point list of issues, including instructions on how to report specific violations (e.g. spam, abusive behavior, impersonation, private info, etc.).
- Twitter: My Account Has Been Hacked has step-by-step advice on what to do if your account has been hacked or compromised.
- YouTube: Flag Inappropriate Content contains instructions on how to flag inappropriate videos, comments, channels, playlists, and messages. See something, say something.
- YouTube: How to Fix a Hacked YouTube Account covers what to do if a) you can still sign into your account or b) you’re locked out of your account.
How to Report a Cyber Security Issue or Crime to the Government
- FBI Internet Crime Complaint Center is designed to allow victims of cyber crimes (e.g. stolen financial info) to make a report directly on the FBI’s website. The FBI also has some useful prevention tips on how to avoid becoming a victim of fraud or identity theft.
- IdentityTheft.gov is run by the Federal Trade Commission (FTC) and provides step-by-step tips, checklists, and resources to help you recover from identity theft.
- IRS: Report Phishing is the place to go if you think you’re the target of an IRS scam. Learn how to document it and report it to the IRS.