Skip to content

If you think your social media or email account has been hacked, wrestle it away from the bad guys by acting fast.

Hackers use a bunch of different tactics to try to compromise people’s email, banking, social media, device, and other online accounts. Sometimes they do this to spam your friends with coupons, but other times they want to steal your money or identity. By alerting authorities and following a few steps, you can often retake control of your hacked account.

However, fast action is crucial. If you suspect that your digital account has been hacked, do something about it as soon as you can. Here’s what you need to know right now!

How does an account get hacked?

Security breaches happen in many ways – sometimes you might click on a bad link, or the company in charge of the account could be attacked. This is why cybersecurity is so important to us all, and why we at the National Cybersecurity Alliance are so hyped up about it!

Commonly, an account is hacked through phishing. This is when cybercriminals use misleading emails, social media posts, phone calls, texts, or DMs that lure you to click on a bad link or download a malicious attachment. If you take the bait, the hackers can get access to your device or account.

Another common way your account could be hacked is if there is a data breach that reveals your username and password. The company controlling the account in question could be hacked, for example. If you reuse passwords, if any platform you use is compromised then cybercriminals might know your password for many accounts. This is why you should have a unique password for each account and change your password ASAP if you find out a platform you use has had a breach.

Signs your account has been hacked

Does something seem off about one or more of your online accounts? Know the common symptoms of a hacked account.

  1. Unusual Social Media Activity: Your social media profile publishes posts that you didn’t create. Ditto for direct messages – hackers might use your account to send phishing DMs or posts to your followers. Often these posts encourage your friends to click on a link, download an app, or buy something through an online store.  
  2. Unexpected Messages to Friends: Friends and followers tell you that they received emails from your email address that you never sent, or DMs through social media that you never authored.   
  3. Unauthorized Login Notification: A company tells you that your information was lost via a data breach. In many places around the world, companies are required by law to tell you if they lost your data in a breach or cyber attack.  

What are 4 things to do when your account is hacked?

If you think an account is hacked, snap into action, and take a few quick steps to staunch the damage. You have the power to give cybercriminals the boot!

  1. Change Your Password: This will likely lock out the hacker. Unfortunately, it can also work the other way around: the hacker might change the password and lock you out. In this case, try using the “forgot my password” function to reset it. If that doesn’t work, contact the platform ASAP. If you used the same password for other accounts, you should change all of them, and start using unique passwords for every account. Use a password manager to generate and store all your passwords.  
  2. Notify your contacts: That your account was hacked. Let them know they may receive spam messages that look like you sent them. Tell your contacts they shouldn’t open these messages or click on any links contained in them. When the situation is cleared up, let everyone know that your accounts are secure again.   
  3. Update Your Security Software: Make sure your security software is up to date. Scan your system for malware, especially if you suspect your computer might be infected with a virus. Antivirus software will scan your device to check for any security issues. 
  4. Seek Assistance: Contact people who can help you. If you suspect someone has stolen money, this might mean calling the police and your bank. If a work account was breached, let your IT department know. If a social media or email account was hacked, alert the platform, and seek their help. If you think someone has stolen your identity, it is worth contacting the FTC. Let trusted friends and family know what you are going through so they can on the lookout for weird messages or posts from your account.  

Resources

Here’s where to turn if you have an account with one of these popular websites and you think its been hacked: 

Source: National Cybersecurity Alliance https://staysafeonline.org/online-safety-privacy-basics/hacked-accounts


This post is presented by the GW IT Cybersecurity Risk and Assurance team.

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse[@]gwu.edu. 


IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp[@]gwu.edu, or visit ithelp.gwu.edu

Reports have surfaced of a vulnerability within the chat function of Zoom for Windows that may permit unauthorized access to online classes and video conferences, which may allow hackers to send a malicious link through Zoom chat.

The malicious link looks slightly different from a URL, but is similar enough to cause confusion for users. When the link is clicked, the user’s credentials (UserID and password) may be leaked online. Leaked passwords can be easily cracked with widely available tools. In addition, hackers could gain access to the user's computer, execute unwanted software, send malicious messages, etc.

While there have been no known impacts to GW accounts, please follow these recommendations for video meetings and online instruction:

  • Use Webex instead of Zoom. Webex is GW’s supported secure video meeting collaboration tool, and is available to all students, faculty and staff. Visit the telecommuting page to learn more.
  • For online instruction, use Blackboard, GW’s online learning platform. Blackboard allows faculty to share materials with students, as well as facilitate synchronous (Blackboard Collaborate) and asynchronous communications (including discussion boards and integrations with VoiceThread and Echo360). Visit the tools for instructional continuity page to learn more.
  • Use meeting passwords for all meetings, verify all participants, and lock entry. To learn how to host secure Webex meetings and lock entry, visit Webex Secure Meetings.
  • Do not share or click on any links from unknown users.
  • Avoid links that start with a double back slash (e.g. \\ for example, \\com).

Remember to protect your information!

GW Information Technology (GW IT) continues to take proactive measures to keep our campus community safe. Please be aware that phishing attempts often seem legitimate. It is important for faculty, staff, and students to be extremely vigilant and take steps to secure logins, passwords, and data.

GW’s Office of Ethics, Compliance and Privacy has developed guidance on best practices for data protection when telecommuting, as well as data protection while using virtual meeting, event and collaboration platforms.

Remember to report any suspicious electronic communication or request to abuse@gwu.edu.

Questions? Concerns? Please contact GW Information Technology at 202-994-GWIT (4948), ithelp@gwu.edu or IT.GWU.EDU.

Information Security Photo Collage

People have a lot of pre-conceived notions about security teams and practices. While some misconceptions may be grounded in truth and others fairly outlandish, there is a lot going on behind the scenes that users may not see. From claims that we are all hackers wearing hoodies and doing nefarious deeds to the perception that we are here to get in your way, we will help you understand what is true, what is not, and why these perceptions might exist.

Myth #1: Security is just here to say no

Being at a university presents the unique challenge of providing the tools and technology necessary for students and faculty to research, learn, and achieve their goals. We must strike a difficult balance between the availability of those resources and the security of the university and our community. As security professionals, we do everything we can to enable safe and reliable access to the tools that the GW community needs to reach their goals. We are here to facilitate a safe IT environment in which all students, faculty, and staff can access the resources that they need, sometimes it sounds like, “no”, but what we are really requesting is modifications that reduce risk of exposure or breaches at GW.

Myth #2: Security only deals with technology

Many people believe that IT security only works on securing servers, reading logs, and other highly technical tasks. On the contrary, the security team has a wide range of responsibilities of which technology is only a part. The security team is continuously engaging with people and data in a multitude of ways. Often trying to help people protect themselves and the organization through a security awareness program or working directly with other teams to enhance security within their operations. They are constantly trying to improve way to protect the GW community’s data by updating policies, implementing best practices, and assessing security processes.

Myth #3: The security team is just a bunch of hackers

Just as many people think that the security team is nothing but hackers. This is far from the truth. Information security is a wide field with many specializations and it takes all sorts to be effective. While some members of the team might be highly technical penetration testers, their counterparts are security professionals focused on defensive security and protecting the GW network and assets from outside threats. Not to mention that members of the IT Security team range from awareness professionals working with people and outreach to analysts focused on identifying and reducing risk.

Myth #4: The security team takes care of security so I don’t have to

The security team works tirelessly to ensure that the GW community, information, and assets are as well protected as possible, but the team is not always the first line of defense. Security is your responsibility too. Our community is often the first line of defense when it comes to attacks from outside GW. Social engineering (aka tricking people and deceiving them) is a common tactic employed by attackers and encompasses phishing, piggy backing, and taking advantage of users in the workplace. All of this means that you, the user, needs to play a vital role in protecting the university, or, as we call it #SecuringGW. Protecting your own information is an essential puzzle piece to overall security of GW.  Catching phishing emails and forwarding them to abuse at GW may seem like a small task, but it is small actions like this that alert the team and protect GW from large breaches. Being aware of people trying to enter buildings where they don’t belong, and maintaining a clean desk free of sensitive materials are all security measures that you can take to do your part in #SecuringGW.

Fact: GW Information Security – Your Trusted Advisor

The information security team strives to facilitate access to the resources that the GW Community needs in as secure a manner as possible. Security affects everyone; data loss, lack of availability, and compromised systems impede day to day business functions, which means it affects the day to day lives of everyone on campus. In order to help prevent this, the security team acts as a Trusted Advisor to everyone in the GW Community. Whether you want to implement a new system, service, or application, or begin a new project, involving the GW security team as Trusted Advisors from the start enables us to aid in proper project oversight and completion while maintaining and promoting the confidentiality, integrity, and availability of GW’s data, systems, and services.

 

Phishing diagram
From Wombat Security

Phishing

Phishing is a very simple and useful tool in an attacker’s arsenal. Phishing can lead to the exposure of sensitive information such as usernames, passwords, PII (personally identifiable information), and credit card information. So what is Phishing? It is at method used to obtain sensitive information from a victim that leverages social engineering and communications technologies that normal people use every day. There are various methods of phishing, with the most common being email, vishing (voice phishing), and smshing (text phishing). These methods can be blanket attempts that rely on quantity instead of quality (often called campaigns) or they can be very carefully crafted attacks with very specific targets (spear phishing and whaling). Luckily, identifying and defeating these attacks can be simple if you know what to look out for.

Email Phishing

Email is the hacker’s go-to for most phishing attacks; people wouldn’t think twice about receiving an email. Often times phishing emails will contain a malicious link, a malware attachment, or directly ask for sensitive information. In order to trick victims, these emails are crafted to appear from a big company, such as FedEx, Apple, or even from inside your own organization. Attackers use look-a-like or spoof emails to convince the target the email is legitimate. This can lead to compromised systems and/or exposed personal information, which can lead to further exposure of friends, family, and the victim’s organization.

Defeating Email Phishing:

  • Is the company logo/banner/design slightly off?
  • Would this person/company normally be sending you an email?
  • Should they already have the information they are asking for?
  • Never open unsolicited attachments
  • Legitimate Companies should never ask sensitive information through email
  • Use other methods to confirm the communication

Vishing

Voice phishing is growing in popularity and just like other types of phishing, vishing can be automated making it a dangerous tool. Attack examples include an “FBI” automated message, “IRS” tax refund/payment notification, or as a call from your local home improvement company. When attackers get on the line with their target they present a well thought out and engaging backstory to hook their victims. Impersonation is used in most vishing calls; attackers will impersonate IT staff, management in your company, and HR to appear official.

Defeating Vishing:

  • Ask the caller to provide information only you and they would know to ensure the caller’s identity
  • Never give sensitive information over the phone
  • If the call is suspicious, contact someone close to the individual, or through other means
  • Offer to call the individual back at the number in your staff/corporate directory, or at the number listed on the legitimate website

       

Smshing

Smishing sends texts to the targets phone in hopes of them clicking a malicious link, downloading malware, or returning sensitive information. Texts follow email phishing outlines and can be identified similarly. Many victims fall for smishing because they are unaware of the tactic and more trusting of texts. Don’t trust it more just because it’s a text message.

Defeating Smshing

  • Never provide sensitive information over text message
  • Avoid following random links
  • If you are unsure, reach out to your security team, or the communicating company
  • Do not call the number that texted you

Spear-phishing, Whaling & Campaigns

Most individuals come into contact with phishing campaigns. The goal of campaigns are to reach as many people as possible and hope for a hit. Whereas, spear phishing and whaling are techniques aimed at selected groups of individuals and executives. These are well planned, crafted, and executed, and shouldn’t be taken lightly. They aim to compromise victims with privileged access to systems, accounts, and resources. Victims typically don’t have the time to review these carefully crafted emails highly specific to the target and fall for the trap.

Defeating Spear-phishing and Whaling

  • Report suspicious emails looking for information to security
  • Verify communication with the contact through other methods
  • Attackers often impersonate colleagues, friends, and family
  • Always assume you’re a target
  • Opt for face to face meetings when possible (online or in person)

spectre and meltdown graphic

By now you have likely heard of the security vulnerabilities known as "Meltdown" and "Spectre." The purpose of this blog post is to give you a brief description of these vulnerabilities and what you need to do to mitigate the associated risks.

Let's discuss Meltdown first. Meltdown is the name given to a CPU (central processing unit; basically the microchip that runs your computer) design flaw that affects the security boundaries enforced by the CPU or processor. It essentially breaks down the boundary that separates user applications from accessing privileged system memory space. The Meltdown vulnerability is confirmed to exist in all Intel processors since 1995, except for Intel Itanium and Intel Atom before 2013. This includes computers by popular vendors such as Apple, Microsoft, Dell, HP, and Lenovo.

Spectre is similar but different in some important ways. Spectre is the name given to a CPU design flaw that allows an attacker to utilize a CPU's cache channel to read arbitrary memory from a running process. Unlike Meltdown, Spectre can only read memory from the current process, not from kernel or system memory. Also, unlike Meltdown, Spectre is confirmed to affect Intel, AMD, and ARM processors. This includes computers, tablets and smartphones made by popular vendors such as Apple, Microsoft, Dell, HP, Google, and Lenovo. The relatively good news is that it is much more difficult to successfully exploit Spectre and the attack surface is limited to user space processes, e.g. web browsers, desktop applications.

There's two important things that we want you to know about these vulnerabilities. If you remember nothing else, remember this:

1.) Don't panic. While these vulnerabilities are widespread and definitely very bad, there is no need to panic. There's no need to go buy a new computer or go back to using pen and paper. You may read some very scary media reports about the potential impacts of these vulnerabilities. This is common when widespread vulnerabilities are announced.

2.) Keep your software up-to-date. This is good cyber-hygiene no matter the circumstance. This includes your operating system (Windows, MacOS, Linux, iOS, and Android), your browser (Microsoft Edge, Google Chrome, Firefox, Safari), and your browser plug-ins. Vendors are working very hard to produce software to mitigate the risks of these vulnerabilities. Make sure you install these updates when they are available.

If you have any questions about how to make sure that you're running the latest software, call the IT Support Center at 202-994-4948 or e-mail ithelp@gwu.edu.

Want to learn more? Check out the following:

Apple announcement: https://support.apple.com/en-us/HT208394

Simple, brief write-up by security researcher Daniel Miessler: https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/

Vulnerability website: https://spectreattack.com/