Internet Safety and Cybersecurity Awareness for College Students

Today, hacking is not a question of “if,” but “when.” In 2019 alone, 89 U.S. universities, colleges, and school districts faced ransomware attacks. No matter how secure your university networks claim to be, you must take additional steps to ensure the protection of your personal devices.

To keep your tech safe from cyberattacks, experts recommend installing all software updates, arming yourself with cybersecurity tools like antivirus software, and regularly backing up your data. Remember that hackers don’t discriminate. Never assume you won’t be targeted.

Follow these steps to help vaccinate your tech against cybercrime:

• Computer and smartphone software updates help patch security flaws and protect data. It’s time to stop clicking “Remind Me Tomorrow” when your Mac asks to download and install updates.
• Only download software directly from manufacturers and other trusted sources. Across the web, hackers use convincing fakes (urgent update alerts, download pages, etc.) to spread malware and ransomware to unsuspecting users.
• Invest in strong, trusted virus and spyware protection, whether you own a Mac or PC. Scan your computer at least once a week.
• Backup your computer periodically to an external hard drive and/or cloud-based storage system in case you need to recover data and files after a cyberattack.
• When surfing the web, enable pop-up blocking and consider private browsing. Cookies can open security loopholes for hackers, so it’s best to delete them periodically.
• Closely monitor your credit rating, credit cards, and bank accounts. Set up text notifications that alert you to possible fraudulent activity.

While browsing, you might have noticed that some website addresses begin “HTTP,” while others begin with “HTTPS.” That single letter makes a huge difference. HTTPS websites encrypt user communications and data. Unsecure HTTP sites enable hackers to view transferred information, including login credentials, in plain text format.

Torrent websites like The Pirate Bay host massive digital repositories of content including movies, music, video games, and software. Anyone can gain access to this content at no cost, but torrenting is not risk-free. Dangers include malware infection, penalties from your internet service provider, and legal settlements from copyright holders.

• Today’s phishing scams use sophisticated replicas of login pages. Before accessing your school email, Canvas account, or online banking, make sure the web address is correct. Never submit sensitive information like usernames, passwords, or credit card numbers through an HTTP website.
• Remember that your online activities can put other students at risk. Cyberattacks that originate on your computer can spread to other devices — even throughout the entire university system.
• According to a 2015 study, approximately 12 million monthly users were infected with malware after downloading torrent files. Resist the temptation to download the latest Hollywood blockbuster or the digital version of your expensive calculus textbook. It isn’t worth putting your personal and financial data at risk.

In 2017, a teenager based in Ontario traded in her old, broken iPhone 5s for $11. Several months later, she received messages from a stranger who had bought her old phone and now had access to all of her contacts, social media accounts, texts, and photos.

The stranger, who buys refurbished phones in bulk for reselling purposes, ultimately wiped Natalie’s data and apologized for upsetting her. But in the hands of a malicious user, the consequences could have been much more harmful.

Whether you plan to throw away, resell, recycle, or trade in your old computer or phone, you must take steps to ensure your data is permanently erased, overwritten, and inaccessible.

• Avoid taking or storing private photos on your devices. No matter how secure you think your files are, someone may still gain access to them.
• Before ditching your old computer, consider downloading antitheft apps or software to help overwrite your data. On a Mac, the built-in Disk Utility app can wipe and overwrite a drive.
• Remove or erase your old phone’s SIM and micro SD cards.
• Instead of reselling on eBay, consider recycling your old devices directly with the manufacturer. You may even earn credit toward a new replacement.

If you use easy-to-guess passwords, you’re not alone. Millions of people still rely on notoriously simple combinations like “123456,” “password,” and “asdf” to protect their accounts. In 2016, the Twitter account of Facebook cofounder, Mark Zuckerberg was hacked while protected with the password “dadada.”

When it comes to protecting your devices and data, passwords are the first line of defense. Rather than stuffing your password with numbers, special characters, and capital letters, experts now recommend long strings of text, like nonsense phrases, that are easy to remember.

Follow these steps to help vaccinate your tech against cybercrime:

• Avoid using birthdays, family and pet names, locations, and standalone words. Hackers can source this information through social media and dictionaries.
• Research shows that changing passwords regularly is often unhelpful, as users tend to make minor changes that are easy to guess. Instead, focus on creating an effective password that will last, and only change it if your account has been compromised.
• Enable two-factor authentication when available. This can protect your account from a breach even if a hacker correctly guesses your password.
• Store your passwords with care. This means no sticky notes on your desk, no lists emailed to yourself, and no unprotected documents in cloud storage. Instead, consider password management apps, password-protected documents, or handwritten hints kept in a secure location away from your device.

We use passwords for everything. According to a Digital Guardian survey of 1,000 internet users, a majority of us have more than 10 password-protected accounts. Nearly 30% of survey respondents said they had “too many to count.”

Remembering all those passwords is difficult. We all know the pain of being temporarily locked out of our own accounts after guessing too many incorrect combinations. This makes using the same password across multiple websites incredibly tempting, but password reuse can pose a major cybersecurity risk.

• Do not use the same passwords for all of your accounts. Instead, create different password tiers according to the level of data/information sensitivity. You might consider reusing passwords for Netflix, Instagram, or Spotify, but create unique passwords for your bank, credit card, and school accounts.
• Whether you reuse them or not, follow the tips in the previous section to make your passwords hard to crack.

Our Contacts apps come complete with spaces to add phone numbers, home addresses, email addresses, birthdays, and more. It seems like the perfect place to store information about friends, family, and coworkers, but that easy accessibility comes at a price. Information in our phone and computer address books is typically stored as plain text, offering zero security protections.

This means it’s a terrible idea to store your mom’s credit card number or your friend’s home security code in the “Notes” section of their contacts page. You shouldn’t try to hide your own sensitive information in Contacts, either. Work on memorizing your Social Security Number instead of disguising it as a phone number under “Steven St. Nicholas.”

• Other information to avoid storing in address books includes bank PINs, account numbers, health information, and passwords.
• Instead, store data in a password-protected file or a handwritten note kept in a secure place.
• Many password management apps offer secure “Notes” sections, too.

Phishing emails are a tried-and-true method for hackers to obtain personal, private information. In 2017, thousands of Dartmouth University students received a phishing email claiming to be from the university’s president. An embedded link asked recipients to enter their university NetID.

This year, college students have been the target of similar COVID-19 phishing scams. These messages claim to be from university financial departments and link to portals requiring students to enter their login credentials.

Phishing emails typically appear to come from trusted senders and request that you verify banking details, login credentials, or credit card information. These emails may feature the same layout, color scheme, and language of the real entity, and may link to a site specifically designed to spoof the real thing.

Recognize and avoid phishers with the following tips:

• It’s a good rule of thumb to distrust every piece of email that lands in your inbox. Double check the email address of the sender for phishing giveaways like a wrong domain.
• Phishing emails often foster a false sense of urgency, hoping recipients will ignore the warning signs and engage without thinking. Watch out for emotional messages concerning account suspension, money owed, or limited-time offers.
• These days, most legitimate emails address recipients by name. Be suspicious of impersonal, generic greetings, like “Dear user,” or “Dear valued customer.”
• If the email includes a link, study the URL carefully. Look for that secure “HTTPS.” Rather than clicking the embedded email link, which can immediately give hackers information, independently type the address into your browser to see where it takes you.

Common phishing scams seen on the Bowling Green State University campus include fake fraternity recruitment emails and senders posting as professors in search of student employees. Students may receive several such emails a week, often with suspicious attachments that they are careful not to open.

According to one expert analysis, 85% of all malicious emails carry common attachment formats like .DOC, .XLS, .PDF, and .ZIP. In some cases, these attachments may be perfectly harmless, but many contain malware and other nasty features, activated with just a click. Using these tools, phishers can steal sensitive information, demand a ransom for the safe return of your data, or even remotely take over your device.

• Treat email attachments with care. Never open one unless you can verify the sender and are expecting the attachment in question. Remember that even trusted email addresses can send infected attachments if they’ve been compromised.
• Avoid downloading and installing software sent to you via email. Instead, visit the manufacturer’s site for a download.
• Verify anything unusual. Double check with the sender before opening an attachment.
• If an email seems “off” to you, do a quick Google search to see if similar phishing scams have been reported.

College students love texting and social media, but sometimes we still need to pick up the phone for an old-fashioned call. Phone scams are a popular tactic of phishers looking for financial information, largely because they are proven to work. Nearly 1 in 6 Americans lost money to a phone scam in 2019.

In the last few years, major mobile carriers including T-Mobile, AT&T, and Sprint introduced scam protection features to help fight phishing calls. You can see this in action when your caller ID labels an incoming number as “scam likely” or “potential fraud.” This screening feature works by checking callers against a database of reported scam numbers.

Unfortunately, some phishing calls still slip through. The most common phone scams targeted at college students relate to financial aid, tuition, and taxes. Protect yourself with these tips:

• Distrust unusual callers, especially those who use an “unknown number” ID. Let your voicemail take care of things. Remember that caller IDs can also be spoofed.
• Never give your personal or financial data out to someone who calls you. Legitimate university offices will not insist on wire transfers or immediate payments over the phone. Government agencies like the IRS never cold call citizens.
• If a suspicious caller claims to represent your university, hang up and call the school directly to confirm and follow up.

According to Pierson Clair, managing director of cyber risk at the risk management firm Kroll, millions of phishing attempts are made via text message every single day. Many phishing attempts depend on tricking the recipient into providing sensitive information, but more malicious phishing texts can contain links to malware that spy on your activity, data, and files without your knowledge.

In recent years, hackers have targeted both Apple and Android devices. Once discovered, manufacturers quickly develop software patches that address vulnerabilities and close security loopholes, but for infected users, these patches may be too little, too late. To protect your device:

• Avoid clicking on links in text messages. Be suspicious of shortened URLs like bit.ly addresses, which may be used to hide a link’s true destination.
• Keep your phone’s software updated to address any security vulnerabilities.
• If you suspect your device has been infected by malware, report the issue to the manufacturer.

According to 2019 data from the Cyberbullying Research Center, approximately 37% of surveyed students ages 12-17 reported experiencing cyberbullying in their lifetimes.

The majority of cyberbullying research focuses on K-12 populations, but online harassment can happen to anyone at any age. One survey of 439 college students indicated that 38% knew someone who had been cyberbullied; 21.9% had been a target of cyberbullying; and 8.6% had cyberbullied someone else.

Cyberbullying poses a real danger to victims’ mental and emotional health. In extreme cases, online harassment and stalking can even bleed into real life, threatening one’s physical safety and security. To make yourself less vulnerable to this type of toxic behavior, consider the following tips:

• Refrain from posting personal information on public-facing social media, including your phone number, home address, location, or name of your school.
• Be cautious about posting photos that could allow strangers to identify your location. Disable geotagging on all social media platforms.
• Frequently check the security settings of your social media accounts.
• Do not accept friend requests from students and other individuals you don’t know.
• Avoid sharing details about when you’ll be away from home. Burglars may use this information to target your unoccupied residence.

If you become the target of cyberbullying or harassment:

• Communicate in clear terms that you wish to be left alone.
• Use social media features to cut off the perpetrator. This may include blocking the user, limiting who can view your posts, or increasing the privacy settings of your accounts.
• Document the issue by taking screenshots, recording phone calls, and saving emails, texts, and voice messages.
• Report the problem to the social media provider and/or campus police.
• Consider reaching out to your school’s counseling center or a crisis helpline.

Broadly defined, revenge porn is the distribution of private, intimate, or sexually explicit images and videos without consent. This type of nonconsensual pornography is usually shared by the victim’s ex-partner, often as a way to “get back” at the victim for perceived wrongdoing after a fight or break up. Personal photos may also be obtained and shared by hackers.

According to a 2016 study by the Data & Society Research Institute, 1 in 25 Americans have been victims of revenge porn, and 1 in 10 women under 30 have experienced threats of intimate image exposure.

Currently, 41 states have specific laws on the books concerning the distribution of revenge porn. Potential penalties vary from misdemeanors to felonies, with consequences including probation, fines, and/or imprisonment.

• The only way to entirely protect yourself from nonconsensual pornography is by not taking or sharing intimate photos, even with a trusted partner.
• If you do take intimate photos, store them in an encrypted, password-protected folder on your computer, never in cloud storage. Remember that apps like Snapchat can be hacked and monitored remotely.
• If you become a victim of nonconsensual pornography, document and report it to the social media provider and campus police. Consider reaching out to your school’s counseling center or a crisis helpline.

Facebook is the world’s most popular social networking site, attracting teens, adults, senior citizens, and cybercriminals ready to prey on unsuspecting users. Phishers and hackers commonly use spoofed accounts, hacked accounts, and fake pages to send and share malicious links disguised as surprising videos, prizes and awards, or advertisements.

These links may lead to spoofed Facebook sign-in pages asking you to verify your credentials, websites asking for personal information, or sites stuffed with a “drive-by download,” which can infect your device and steal data entirely without your knowledge.

• Hackers can easily identify your personal interests and tailor messages, posts, and scams accordingly. They may hijack accounts or create imitations to make you think you’re talking to your best friend or your sibling. Stay alert and suspicious.
• We all want to know what Disney character our profile picture most resembles, but it’s best to avoid Facebook polls and quizzes that require you to give random sites permission to access your account information. You never know where it might end up.
• When it comes to social media, the old adage applies: “If it seems too good to be true, it probably is.” No one will give you a free car if you like and share a post.

In 2016, University of Washington students lost a collective $1 million in tuition funds after falling for a financial scam. The scam — shared on social media by a trusted fellow UW student — promised to save individuals 5% on their summer tuition if they paid through an intermediary.

We shell out big bucks every year for tuition, fees, housing, books, and supplies. Scammers are eager to get in on the action, using methods like fake checks, too-good-to-be-true apartment listings, and scholarship scams to defraud students. Scammers may attempt to gain students’ trust by posing as fellow students, alumni, professors, and other individuals involved with the school or trusted organizations.

• Again, things that seem too good to be true typically are, at least when it comes to social media. Carefully scrutinize any and all offers of financial assistance.
• Legitimate scholarships rarely ask for application or processing fees. If you need to spend money before receiving any in return, it’s likely a scam.
• Watch out for fake online personas or spoofed accounts of real people. Before accepting any financial assistance or providing any personal information, always verify the identity of the person you’re connected to.

Each year from 2001-2016, burglary ranked as the most common crime across college campuses in the U.S., according to the National Center for Education Statistics.

It takes only seconds for a fearless thief to swipe your smartphone or laptop while you take a bathroom break at the library or visit the communal kitchen in your dorm building. Losing your device could mean losing access to time-sensitive assignments, needing to shell out hundreds of dollars on a replacement, and having to report a crime to campus police. College is hard enough without those hassles.

Follow these tips to keep your tech safe:

• Always lock your dorm room when you leave, even if you only plan to be gone for a few minutes.
• Invest in a laptop cable lock. Use it in public spaces to help keep your laptop secure.
• Never store your laptop in a car, even if it’s kept out of sight.
• Register your laptop and phone with the campus security office. The brand, model, and serial number is attached to your name, student ID, and contact information. You might also receive a registration sticker to put on your device, which can act as a deterrent for would-be thieves.
• Enable your devices’ built-in tracking features, such as Apple’s “Find My” app, or download a comparable program like Prey or Absolute.
• Regularly backup your devices and files to a cloud storage system and/or external hard drive. This ensures you always have access to what you need and gives you the option to remotely erase your devices if they are stolen.

In 2016, researchers at Google, the University of Michigan, and the University of Illinois at Urbana-Champaign teamed up to conduct a study on the habits of college students discovering “lost” USB drives. The researchers scattered 300 drives across the UIUC campus and measured how many were retrieved. At least 45% ended up connected to computers, with one drive plugged in just six minutes after being dropped.

This is a problem because USB drives may contain malicious software. The 2010 Stuxnet worm, widely recognized as the world’s first digital weapon, was spread via USB devices. In 2016, a unique USB-based malware was discovered that could install itself and steal user data without detection.

• Distrust any device you find on campus, whether a USB drive, laptop, or cell phone.
• Do not plug any unknown devices into your computer in an attempt to identify the owner. Take them to your school’s lost and found or IT department.
• To mitigate risk of infection, avoid sharing USB drives with others, and be cautious when plugging them into public computers. Use security software to scan any device given to you, even by a trusted friend.

Ten percent of college students in the U.S. — approximately 2 million individuals — don’t have access to their own laptops for school use. These students must rely on computer labs, library desktops, and other communal workstations to complete assignments. Even students who own their own devices often rely on campus computers to stay connected, complete research, or do homework in a designated quiet area.

Schools offer well-protected networks to keep students safe from some threats, but communal workstations are not entirely without risk. They may expose you to malicious software, infected files, malware, or keyloggers.

• When possible, avoid logging into websites when using public computers. If you do need to login, don’t forget to logout before you leave.
• Never use a public computer to complete a financial transaction, download software, or visit sketchy websites.
• Use private browsing options or clear your browsing data before logging off.
• Be aware of your surroundings. Shoulder surfers may try to snag usernames, passwords, and other sensitive information.

We rely on the internet for countless personal and professional tasks. Businesses and other public places know this, and they often use it to their advantage, offering Wi-Fi connections to attract customers and keep them happy. You can access free Wi-Fi connections in nearly every fast food restaurant, roadside hotel, and airport terminal.

Nearly half of working adults in the U.S. trust these public Wi-Fi networks to keep their information secure. Unfortunately, convenient connections can hide countless dangers. With free and inexpensive software, cyber criminals can easily snoop on public internet connections, intercept communications, and steal user data.

• Know when and where you’re connecting by disabling your devices’ ability to automatically connect to nearby Wi-Fi.
• Verify the legitimacy of a network before you connect. Hackers may set up their own Wi-Fi connections near trusted businesses in an attempt to trick unsuspecting users into logging on.
• Avoid using public Wi-Fi to shop online, access financial information, or visit sensitive websites. Enable two-factor authentication to protect your social media and email accounts.
• Use a free or paid virtual private network (VPN) service to encrypt your data.
• The best way to avoid the pitfalls of public Wi-Fi is to simply avoid using it. Consider an unlimited data plan or your own portable travel router.

According to the ATM Industry Association, 86% of surveyed ATM operators reported experiencing ATM data fraud in 2019. Skimming was the most common type of ATM fraud reported, followed by PIN compromise, transaction reversal fraud, and cash trapping. Worryingly, 91% of respondents also said that ATM skimming devices were getting smaller, making them harder to detect.

To engage in ATM skimming, criminals use electronic devices disguised to look like part of the machine. When customers use a hacked ATM, the skimmer records card details, and a hidden camera or false keypad records PIN numbers. One of the fastest-growing crimes in the financial industry, ATM skimming costs consumers and institutions a staggering $8 billion each year.

• Before use, check an ATM for any unusual added devices.
• If you have trouble inserting your card, this may be a sign of an internal skimmer. Do not use the machine.
• Always cover an ATM’s keypad with your hand when entering your PIN. Be alert for shoulder surfers standing too close.
• Write down your bank’s customer service phone number and keep it on hand. If you lose your card or think your information has been compromised, call the number to freeze your accounts.

• CiviliNation is a nonprofit working to fight online harassment, character assassination, and violence. The organization believes in defending free speech and fostering an online culture in which individuals can fully engage and contribute without being targeted by abuse, harassment, or lies. Their website offers an extensive library of informative content and a resource center.
• The National Cybersecurity Alliance aims to empower a more secure, interconnected world through education and amplification of cybersecurity awareness. NCSA’s website offers resources for online safety, identity theft, account and device security, and privacy management. The site also refers visitors to more than a dozen free security checkups and tools.
• Stop. Think. Connect. is a global online safety awareness campaign led by NCSA, the Anti-Phishing Working Group, and the U.S. Department of Homeland Security. The campaign’s site offers helpful basic safety advice. Users can also access targeted cybersecurity tip sheets, including considerations for LGBTQ online safety, digital wedding planning, and online holiday shopping.

• The Cyber Civil Rights Initiative is a nonprofit organization advocating for technological, social, and legal innovation in the fight against online abuse. CCRI primarily focuses on nonconsensual pornography, offering victim support including a 24/7 crisis helpline and links to resources for reporting, removal, and legal assistance.
• Without My Consent is a project headed by the CCRI that aims to empower individuals to understand and stand up for their online privacy rights. The site’s extensive resources cover practical topics including evidence preservation, copyright registration, takedown notices, and emotional support.
• FightCyberstalking.org provides online resources for victims of cyberstalking on sites like Twitter, Facebook, Instagram, and YouTube. Site users can access advice on reporting cyberstalking crimes, seeking emotional support, and enhancing privacy and security online.

• Facebook, Instagram, Snapchat, Twitter, and YouTube each offer their own resources and reporting tools for hacked accounts and violations of other community guidelines (abusive behavior, inappropriate content, account impersonation, spam, etc.).
• Gmail Help provides dozens of articles on account safety and security guidelines. You can also access tools to report phishing emails and other violations of Gmail’s policies.

• The FBI Internet Crime Complaint Center (IC3) allows victims of Internet crime to file a complaint. The IC3 does not conduct its own investigations. Rather, it reviews submitted information and, when appropriate, forwards it on to federal, state, local, or international agencies with jurisdiction. The site also offers tips for Internet crime prevention.
• IdentityTheft.gov is the federal government’s one-stop resource for identity theft victims. The site offers extensive resources and tools to help you avoid, recognize, report, and recover from identity theft.
• The IRS will never contact you by email, text, phone call, or social media to request personal or financial information like PIN numbers and passwords. If you receive unsolicited or suspicious contact from someone claiming to be from the IRS, report the incident with the Treasury Inspector General for Tax Administration and to phishing@irs.gov. Learn more about phishing on the IRS website.

College students can protect themselves online by understanding internet safety trends, keeping their devices’ software up-to-date, and limiting risky behaviors like oversharing personal information, downloading software from unverified sources, or visiting illegal sites.

Digital safety is an alternative term for internet safety. It encompasses both cybersecurity awareness and putting that knowledge into action to reduce risks to private information, property, and personal well-being.

To stay safe on social media, college students should frequently evaluate their privacy and security settings, avoid accepting friend requests from strangers, and carefully consider what they choose to reveal in status updates or photos.

Never send sensitive information like passwords over public Wi-Fi. Avoid using the same password for your social media, school account, and online banking. Resist the temptation to download pirated content, which may carry malware and/or subject you to legal penalties.