Skip to content

Phishing occurs when criminals try to get us to open harmful links, emails or attachments that could request our personal information or infect our devices. Phishing messages or “bait” usually come in the form of an email, text, direct message on social media or phone call. These messages are often designed to look like they come from a trusted person or organization, to get us to respond.

The good news is we can avoid the phish hook and keep our accounts secure with these tips!

Stay Safe with Three Simple Tips

1. Recognize

Look for these common signs:

  • Urgent or emotionally appealing language, especially messages that claim dire consequences for not responding immediately
  • Requests to send personal and financial information
  • Untrusted shortened URLs
  • Incorrect email addresses or links, like amazan.com

A common sign used to be poor grammar or misspellings although in the era of artificial intelligence (AI) some emails will now have perfect grammar and spelling, so look out for the other signs.

2. Resist

If you suspect phishing, resist the temptation to click on links or attachments that seem too good to be true and may be trying to access your personal information. Instead, report the phish to protect yourself and others. Typically, you’ll find options to report near the person’s email address or username. You can also report via the “report spam” button in the toolbar or settings.

3. Delete

Delete the message. Don’t reply or click on any attachment or link, including any “unsubscribe” link. Just delete.

If a message looks suspicious, it's probably phishing. 

However, if you think it could be real, don't click on any link or call any number in the message. Look up another way to contact the company or person directly:

  • Visit a verified website for the company and use this contact information. To find verified websites, search for the site in your web browser or type the address yourself if you’re sure you know it.
  • Use another way to reach the person to confirm whether they contacted you. For example, if you get a strange message from your friend on Facebook, and you have their phone number, text or call them to ask if they sent the message.

GW faculty, students, and staff can forward suspected phishing emails to abuse[@]gwu.edu.  This account is monitored by the GW IT Security team.  They investigate phishing reports to ensure that others at GW do not have the phishing message in their inbox.

Additional Tips available on the Secure-Our-World-Phishing-Tip-Sheet  as well as in the following video published by CISA.

Recognize and Report Phishing (Audio Description)

Posting content obtained from https://www.cisa.gov/secure-our-world/recognize-and-report-phishing

Creating, managing, and using complex passwords for the many sites and services we all access is a daunting task.  While password managers can assist with the memorization and management challenges, traditional passwords do not leverage modern security capabilities.  A rapidly evolving technology involves passkeys in place of passwords.  At a basic level passkeys leverage your personal computer, mobile device, or even a password manager to provide a validated (through finger print for example) encrypted response to login challenges from a website you have an account on.  This process effectively replaces the matching of a password you submit to one stored on the site.  In the passkey scenario you are providing an encrypted answer to a unique challenge and all of the communications are encrypted.  Through the use of public key and private key technology and in underlying technology, your identity is verified and access granted without your private key being transferred.   There is a more technical explanation of the passkey process here: Passkey (Passkey Authentication) Technopedia June 2023. Basic passkey process steps:

  1. You establish a passkey on a website that supports it using a device that supports the technology.
  2. Once established, when you access a site instead of entering a password, your device will ask you to verify your identity
  3. You use device-based authentication (PIN number, fingerprint, or facial recognition) on your personal device to authorize website access.
  4. Your device responds to the site through an encrypted message confirming your identity.
  5. The website then grants you access.

The process of the challenge question to your device and the messaging back to the site is encrypted, your private key is not transferred, and information about the web site all combine to make this login approach more secure than using passwords.  Using passkeys should help reduce inadvertent credential compromises through fraudulent websites with the added safeguards built in around site verification. A PCWorld article - Passkeys Explained: How to Embrace a Passwordless Future Today from May 2024 has additional information on passkeys and notes there are directories of providers that support passwordless logins:

Services with passkey support

There is no official directory of all providers with passwordless login. Lists are provided by Passkeys.ioPasskeys Directory, and Keeper, among others.

If you utilize a password manager, most offer support for managing and using passkeys. Cloud services can enable passkey use across multiple devices.  While there are many options to explore a simple way to get started would be using solutions from vendors deeply connected to devices and the device operating systems software like Google, Apple, and/or Microsoft.

Ars Technica published an article in May of 2023 with frequently asked questions about passkeys  Passkeys may not be for you, but they are safe and easy—here’s why   The article covers common questions about privacy, personal account security, and trust.  The following excerpt from the site recaps how the passkey process works while enhancing your personal cybersecurity. (emphasis added).

Que: Passkeys give control of your credentials to Apple/Google/Microsoft, to a third-party syncing service, or to the site you’re logging in to. Why would I ever do that? Ans: Assuming you’re using a password to sign in to a service such as Gmail, Azure, or Github, you’re already trusting these companies to implement their authentication systems in a way that doesn’t expose the shared secrets that allow you to log in. Logging in to one of these sites with a passkey instead of a password gives the sites the same control—no more and no less—over your credentials that they had before.

The reason is that the private key portion of a passkey never leaves a user’s encrypted devices. The authentication occurs on the user device. The user device then sends the site being logged in to a cryptographic proof that the private key resides on the device logging in. The cryptography involved in this process ensures that the proof can’t be spoofed.

Key takeaways:

  • Passwords will still be present for many sites for some time.
  • Passkeys provide more secure authentication for sites and device that support them.
  • Explore passkeys on a couple of sites and expand your use as you gain experience.
  • It is a good idea to try the technology, as it will become more prevalent and in some cases required to access web applications.

unofficial GW hippo mascot holding a lockThis post is presented by the GW IT Cybersecurity Risk and Assurance team.

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse[@]gwu.edu. 


IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp[@]gwu.edu, or visit ithelp.gwu.edu

 

Before spilling your digital secrets to ChatGPT or other AI tools, remember it's more sieve than vault!  The amount of stolen ChatGPT accounts is just unbelievable. Why? Because criminals know people copy/paste sensitive data into ChatGPT conversations. Here are a few tips to keep you safe when using any AI tools:
  1. Beware of fake AI apps and browser extensions that may be malware or phishing scams
  2. Never enter sensitive information or PII while using AI tools
  3. Treat AI tools like a knowledgeable but overconfident friend, and use them cautiously
Want even more tips on how to stay safe using AI? Continue reading or watch this 1-minute video: (material by Wizer-training.com)
  • Never enter sensitive information of personally identifiable information (PII) while using AI tools.
  • Remove mentions of GW, faculty, staff and student names from content put in AI tools.
  • Ensure that AI-generated information is validated through other sources prior to using.
  • Understand potential bias in AI-generated content.
  • Thoroughly review AI-generated code before using.
  • Treat AI tools like a knowledgeable but overconfident friend and use them cautiously.
  • Content provided by wizer-training.com

The National Cybersecurity Alliance partnered with Consumer Reports to bring you a new animated video [opens YouTube link] about how you can take control of your data! Check out "The Tale of Privacy Peyton" below, and download Consumer Reports' Permission Slip.

Image of for Tale of Privacy Peyton Video

Content from National Cybersecurity Alliance. (2023, November 22). Take control of your data.

ALL YOUR ONLINE ACTIVITY GENERATES A TRAIL OF DATA

Your online activity creates a treasure trove of data. This data ranges from your interests and purchases to your online behaviors, and it is collected by websites, apps, devices, services, and companies all around the globe. This data can even include information about your physical self, like health data – think about how an app on your phone might count how many steps you take. 

You cannot control how each little piece of data about you and your family is collected. However, you still have a right to data privacy. You can help manage your data with a few repeatable behaviors. Your data is valuable and you deserve to have a say! 

Here are some simple, easy tips you that will help you manage your data privacy:

Know the tradeoff between privacy and convenience 

Nowadays, when you download a new app, open a new online account, or join a new social media platform, you will often be asked for access to your personal information before you can even use it! This data might include your geographic location, contacts, and photos.

For these businesses, this personal information about you is tremendously value — and you should think about if the service you get in return is worth the data you must hand over, even if the service is free.

Make informed decisions about sharing your data with businesses or services:

  • Is the service, app, or game worth the amount or type of personal data they want in return?
  • Can you control your data privacy and still use the service?
  • Is the data requested even relevant for the app or service (that is, “why does a Solitaire game need to know all my contacts”)?
  • If you haven’t used an app, service, or account in several months, is it worth keeping around knowing that it might be collecting and sharing your data?
Adjust privacy settings to your comfort level

For every app, account, or device, check the privacy and security settings. These should be easy to find in a Settings section and should take a few moments to change. Set them to your comfort level for personal information sharing; generally, we think it’s wise to lean on the side of sharing less data, not more.

You don’t have to do this for every account at once, start small and over time you’ll make a habit of adjusting all your settings to your comfort. We have in-depth, free resources like our Manage Your Privacy Settings page that lets you check the settings of social media accounts, retail stores, apps and more.

Protect your data

Data privacy and data security go hand-in-hand. Along with managing your data privacy settings, follow some simple cybersecurity tips to keep it safe. We recommend following the Core 4: 

Manage Your Privacy Settings

Content in this post includes recommendations and suggestions for password creation and management as well as information on training materials available to the GW community.  This resource guide is presented as part of the Cybersecurity is a Shared Responsibility awareness campaign.  The GW IT Security team provides these posts to support increased awareness and knowledge across all stakeholder groups.  The principle the posts follow is that cybersecurity is a shared responsibility for all users.  Suggestions on content, areas of focus, or to arrange team training should be directed to infoec@gwu.edu.

Persistent cyber-attacks target personal, organizational, and system accounts.  The resources and training modules below are designed for various technical knowledge levels.  Some resources including some training modules may require access to restricted content.  Access restrictions for any sites requiring access will be noted.  External links to sites not controlled by GW will also be noted with an external link notation.  Details on organizations providing the external materials are listed at the bottom of this article in the event you are not familiar with the acronym or function.

Password Strength and Complexity Resources, Articles, and Guidance

Increased understanding of the need for strong and complex passwords as well as emerging security technologies is critical to ensuring your data and access to your systems and services are secure.

Password Managers

Password managers are applications used to store passwords.  Generally, provide a convenient place to store all of your passwords, requiring you only remember the password manager master password.  These solutions can be installed on devices, access through cloud services, and/or integrated into web browsers.  They provide convenience of only remembering one password to access a tool that contains all of your unique passwords.

The Best Password Managers | PCMag – External Content Hosted by PCMag

Training Modules

The following modules are available to faculty and staff through GW’s Talent@GW system.  Search for training titles in the Learning -> Browse for Training menu after logging into Talent@GW.  Managers can assign training to staff through the Talent@GW system as well.

Creating Strong Passwords - Security Awareness Training

Audience – Introductory Level of Technical Knowledge

Talent@GW Search Term - Password Security

Content Provider and Location:  KnowBe4 Module  Accessed Through Talent@GW

Privileged User Security Series: Privileged Access (8 minutes)

Audience – Intermediate Level of Technical Knowledge Required

Talent@GW Search Term  -Privileged Access

Content Provider and Location:  KnowBe4 Module  Accessed Through Talent@GW

Privileged User Security Series: Secure Windows Administration (15 minutes)

Audience – Intermediate to Advanced Level of Technical Knowledge Required

Talent@GW Search Term - Secure Windows Administration

Content Provider and Location:  KnowBe4 Module  Accessed Through Talent@GW

Privileged User Security Series: Secure Linux Administration (15 minutes)

Audience – Intermediate to Advanced Level of Technical Knowledge Required

Talent@GW Search Term - Secure Linux Administration

Content Provider and Location:  KnowBe4 Module  Accessed Through Talent@GW

Privileged User Security Series: Secure Database Administration (15 minutes)

Audience – Intermediate to Advanced Level of Technical Knowledge Required

Talent@GW Search Term - Secure Database Administration

Content Provider and Location:  KnowBe4 Module Accessed Through Talent@GW

 

Securing Windows Server 2016: Managing Privileged Identities (1 hour 7 minutes)

Audience – Advanced Level of Technical Knowledge Required

Talent@GW Search Term – Server 2016

Content:  LinkedIn Learning Module Accessed Through Talent@GW

Securing Windows Server 2016: Server Hardening Solutions

Audience – Advanced Level of Technical Knowledge Required

Talent@GW Search Term – Server 2016

Content:  LinkedIn Learning Module Accessed Through Talent@GW

Securing Windows Server 2019

Audience – Advanced Level of Technical Knowledge Required

Talent@GW Search Term – Server 2019

Content:  LinkedIn Learning Module Accessed Through Talent@GW

 

Securing Windows Server 2016: Managing Privileged Identities (1 hour 7 minutes)

Audience – Advanced Level of Technical Knowledge Required

Talent@GW Search Term – Server 2016

Content:  LinkedIn Learning Module Accessed Through Talent@GW

Securing Windows Server 2016: Server Hardening Solutions

Audience – Advanced Level of Technical Knowledge Required

Talent@GW Search Term – Server 2016

Content:  LinkedIn Learning Module Accessed Through Talent@GW

Securing Windows Server 2019

Audience – Advanced Level of Technical Knowledge Required

Talent@GW Search Term – Server 2019

Content:  LinkedIn Learning Module Accessed Through Talent@GW

Password Guidance and Reference Materials Sources and Organizations

CISA https://www.cisa.gov/ - CISA is the operational lead for federal cybersecurity and the national coordinator for critical infrastructure security and resilience. We are designed for collaboration and partnership. Learn about our layered mission to reduce risk to the nation’s cyber and physical infrastructure.

ISACA  https://www.isaca.org/about-us  - As a globally recognized leader in IS/IT for over 50 years, ISACA is a professional membership organization committed to the advancement of digital trust by empowering IS/IT professionals to grow their skills and knowledge in audit, cybersecurity, emerging tech and more.

SANS sans.org launched in 1989 as a cooperative for information security thought leadership, it is SANS’ ongoing mission to empower cyber security professionals with the practical skills and knowledge they need to make our world a safer place.

Do you get a little chill thinking about the dozens of login credentials you have set up throughout the wilderness of the internet? If so, don’t worry – you aren’t alone. Identity management, sometimes called identity and access management (IAM), increases in importance every year. That’s why we celebrate Identity Management Day!   

Identity management, though, is not just a concern for businesses and organizations. You can help protect your data by understanding and implementing some simple identity management practices. You have the power to own and maintain your digital identity!  

CONFIGURE YOUR SECURITY SETTINGS  

Every time you sign up for a new account, download a new app, or get a new device, immediately configure the privacy and security settings to your comfort level. Check the settings on old accounts and delete any apps or accounts you no longer use.  

DON’T TAKE THE BAIT  

If you receive an enticing offer via email or text, don’t be so quick to click on the link. Instead, go directly to the company’s website to verify it is legitimate. If you’re unsure who an email is from—even if the details appear accurate—or if the email looks “phishy,” do not respond and do not click on any links or open any attachments found in that email as they may be infected with malware. Report phishing to your organization’s IT department or your email provider.  

SHARE WITH CARE  

Think before posting about yourself and others online, especially on social media. Consider what a post reveals, who might see it and how it might affect you or others. Personal information readily available online can be used by attackers to do a variety of things, including impersonation and guessing usernames and passwords.  

SHIELD YOUR PASSWORD WITH MFA   

Multi-factor authentication (MFA), or as referred to in GW as 2-Step Authentication, will fortify your online accounts by enabling the strongest authentication tools available, such as biometrics or a unique one-time code sent to your phone or mobile device.  

USE A PASSWORD MANAGER  

Use password managers to generate and remember different, complex passwords for each of your accounts. While not a perfect solution, a password manager is currently the most secure way to send passwords and other login credentials to family members or coworkers. Duplicating passwords or using common passwords is a gift to hackers. If one account is compromised, a hacker will typically try the same username and password combination against other websites.  

TURN ON AUTOMATIC UPDATES  

Keep all software on internet connected devices – including personal computers, smartphones and tablets – current to reduce risk of infection from ransomware and malware. Configure your devices to automatically update or to notify you when an update is available. Software updates often fix security flaws. Outdated software can be riddled with security holes easily exploited by attackers.  

For more tips and advice, visit www.identitymanagementday.org/  

Original blog content provided by The National Cyber Security Alliance. For the original post, click here. 


For more information on GW IT Security, please visit our security website: https://it.gwu.edu/gw-information-security 

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse@gwu.edu 


IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), or visit ithelp.gwu.edu 

Between all of your online accounts, whether personal or work accounts, you probably have many unique — and complex — passwords to manage.  And since you know better than to write them down in a notebook, have them on sticky notes hidden under your mouse pad, or stored digitally on your desktop, what are you supposed to do? 

Passwords are one of the most vulnerable cyber defenses used to protect our online accounts, as passwords are the only barrier between online accounts and cybercriminals who have a desire to access to our data and systems. Utilizing a password manager is a security best practice that cyber professionals are recommending for us.  

Along with other security tips, password managers minimize the risk of mis-managing our passwords. The question that arises here, are password managers secure, and what is our responsibility here to manage the password manager? 

What is a Password Manager?

A password manager is a software that allows users to generate passwords, store and manage accounts’ information including user names and passwords all in one location. Password managers offer other features such as complex password suggestions, identifying weak or repeated passwords used, and alerting its users from entering their credentials to suspicious websites. To create a password manager account, you need to set a password that is often referred to as the “master” password. 

Password managers are available in different formats: 

  • An online service hosted by a third party and accessed through a website portal. This type is useful if you need access to the password manager from multiple devices. 
  • Software installed locally on a workstation that can operate either completely offline or connected to the internet to synchronize your information to a cloud database and get software updates.  

Are Password Managers Secure? 

Password managers will offer users the security level they are looking for to their accounts’ credentials and information if they follow best practices to secure their password manager account.  Whether you use, or planning to get, an online, or an offline password manager, you need to follow the following practices: 

  • Do your research and get a trusted password manager software that has a high reputation in the industry. 
  • Use a strong master password for your password manager account and never forget it. Some password manager vendors would never retrieve your account if you can’t remember your master password. 
  • Enable two-factor-authentication (2FA) to your password manager account for an extra layer of security.  
  • Keep your password manager software along with web browsers you use up-to-date. 
  • Audit the list of devices that are approved to access your password manager. 
  • For work-related accounts, always use password managers that are approved by your organization. Follow your organization’s policies, standards and procedures when processing, storing or sharing work-related data. 

Remember, if password managers are managed appropriately, they will offer you the level of security you are looking for to your online accounts’ passwords. 


This blogpost is offered to you by the GW Information Security and Risk Services team. 

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse@gwu.edu


IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp@gwu.edu, or visit ithelp.gwu.edu

Cloud computing is a leading edge technology that delivers high-demand computing services entirely over the internet. Operationally, cloud computing stores, manages and processes data effortlessly rather than relying on a local server or personal computer systems. Cloud computing gave birth to the term, “cloud storage.” 

Cloud storage stores digital data online using a cloud service provider’s computing infrastructure. Some well-known cloud services include Box, Google Drive, Apple iCloud, Dropbox, Microsoft OneDrive, and Amazon Web Services. With many of us working hybrid schedules, cloud storage has been central to assisting students, faculty and staff work more connectively while being physically away from the university. For example, at GW, secure, encrypted cloud-based solutions such as Box and Google Drive are two of the cloud services provided to the university community for easy collaboration and data storage. 

The following are some key benefits of cloud storage: 

  • Adequate security, which requires authentication and password.
  • Your files are secure, and you are less likely to lose data due to device failure.
  • Facilitates collaborative team projects as you can easily share files and folders.
  • Easy access to lesson plans and notes to share across several devices.
  • An excellent way to back up your computer without copying your data to a hard disk or flash drive. 

While cloud storage offers good security measures to keep your data safe and secure, you need to do your part to guarantee that no one gains unauthorized access to your data. Following are some recommended practices to help you secure your data: 

Use Permissions: When a folder or file is shared, it's usually in the form of a link or permission using the recipient's email address. Consider setting different access levels for senior staff members or on a need-to-know basis. Permission-based access can make it harder for a hacker to get through each layer of permissions. 

Manage File and Folder Sharing: Protect stored data by limiting shared access to the files or folders associated with that link to specific users. When utilizing Box or Google Drive, it is usually best to only share files or folders with George Washington University members unless there is a business justification to share outside of the university. 

Examine Files and Folders: Review the shared folders and files regularly, and disable shared access when it's no longer required.

For more information on Storage, backup or document management, please visit our GW IT website: https://it.gwu.edu/backup-storage-document-management    


This blogpost is offered to you by the GW Information Security and Risk Services team. For more information on GW IT Security, please visit our security website: https://it.gwu.edu/gw-information-security 

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse@gwu.edu 


IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp@gwu.edu, or visit ithelp.gwu.edu.   

Cybersecurity has become one of the most significant hot topics inside and outside technology circles over the last two years. From securing learning devices due to a rise in digital learning during the COVID-19 pandemic to coping with the fallout of high-profile breaches of national infrastructure such as the Colonial Pipeline, there is an evidently constant news cycle dedicated to cybersecurity mishaps and concerns. With this continuous stream of bad news, it can be challenging for you to know how to keep secure in the face of cybersecurity and threat actors. 

Everyday users have a huge role in cybersecurity threat prevention, detection, and remediation. According to a Wall Street Journal article, many hacks are successful by convincing someone inside or close to the target company to divulge network access credentials or other critical information. Therefore, GW’s first line of defense in helping to combat cyber-related issues is you. 

Here are 4 essential best practices that you can adopt today to enhance your cybersecurity and create a more secure cyberspace for you and GW.  

Watch out for Phishing Attempts

Phishing is when a threat actor poses as a legitimate party such as a bank, delivery service or other organization in an attempt to get individuals to click harmful links. Phishing remains one of the most popular tactics used  today. In fact, 80% of cybersecurity incidents stem from a phishing attempt. While phishing has gotten more sophisticated, the phishing signs remain the same. Look for typos, poor graphics, and other suspicious characteristics (incorrect logo or email address) as these can be red flags indicating that the content is a phish. In addition, if you think you have spotted a phishing attempt while logged into the GW network, report the incident to GW IT immediately. To report an incident please contact the GW Information Technology Support Center at 202-994-GWIT (4948) or email abuse@gwu.edu

Update your Password

Password cracking is another tactic that cybercriminals use to access sensitive personal information.  To guard against password cracking, having unique, long and complex passwords is one of the best ways to boost your cybersecurity immediately.  It is highly recommended not to repeat passwords across your accounts because once a hacker cracks one account, they can easily do the same across all of your accounts. 

Passwords can be tough to remember. That’s why it’s smart to use a password manager to help you secure your various passwords in one place. Password managers are easy to use and can automatically plug-in your stored password when you visit a site. Along with other security tips, password managers minimize the risk of mis-managing account passwords.

Take Advantage of Secure Wi-Fi 

Mobile hotspots and public Wi-Fi networks are typically not password-protected,  so it’s easier for threat actors  to gain unauthorized access to devices. Students, faculty, and staff should take full advantage of the university Wi-Fi networks when on campus. They are password-protected and only allow internet access across the university premises, operating as a secure online bubble for every user to work in peace.  

Lock your Device

Whenever you're logged into your devices (computer, laptop, phone, etc.),  you’re also open to potential unauthorized access by hackers and other threat actors.  The easiest way to prevent unauthorized access to your device is to lock it whenever you leave it unattended. All you have to do to get back on your device is enter the correct password, and you can pick up where you left off. If you wouldn't leave your house with the front door wide open, you should not leave your devices unlocked, especially when they are unattended.  


This blogpost is offered to you by the GW Information Security and Risk Services team. For more information on GW IT Security, please visit our security website: https://it.gwu.edu/gw-information-security  

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse@gwu.edu


IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp@gwu.edu, or visit ithelp.gwu.edu.  


Original blog content provided by The National Cyber Security Alliance www.stayfaeonline.org, modified and posted with permission.