How to password/pin/thumbprint protect your device
- PC - Select Start, Control Panel, Add User Accounts, Your Account Name, Create a Password
- Mac - Apple Menu, System Preferences, Security & Privacy, General tab
- Android: select Settings, Security
- iOS: select Settings, Touch ID & Passcode.
How to encrypt your device
- PC - Make sure your LCC computer is connected to the LCC network, select Start, Control Panel, BitLocker Drive Encryption.
- Mac - Select FileVault
- Android: select Settings, Lock Screen & Security, Protect Encrypted Data
- iOS 8+: the device automatically encrypts.
How to install, use, and update antivirus software
How to install the latest software updates
plugins (such as Java or Adobe Flash), as well as operating systems, are up-to-date (enable Future Automatic Updates) so that known flaws are fixed.
- PC - Windows 10 will automatically check for updates. You can also check for updates by searching for Windows Updates in the Win10 taskbar.
- Mac - Select Apple menu, App Store, Automatically Check for Updates.
- Android: select Settings, System Updates
- iOS: select Settings, General, Software Update.
How to wipe the device before selling/recycling/donating (for your personal devices)
How to remove unnecessary software
How to enable and configure a firewall
How to back up your data to external media (disc, external hard drive, etc.)
Make a routine copy of your files (at least monthly), and keep a copy at a different location than your home/apartment. If you store files on your local workstation, smartphone, or thumb drive and get infected with malware, you have no way to recover those files if they are not backed up.
How to browse safely
In the offline world, communities are typically responsible for enforcing norms of privacy and general etiquette. In the online world, new etiquette challenges abound. The internet can be a dangerous place. Some websites are set up or compromised by criminals and can automatically push malware to your computer without your knowledge. This includes computer viruses, worms, and other types of malware. This type of internet danger can cause harm to an individual's computer which would result in financial harm, privacy issues and potential identity theft. Here's how to avoid suspicious websites:
- Check the website's certificate
- Do this by going to the "File" menu and then selecting "Properties". Click the "Certificates" box and make sure that the certificate's name matches the name of the web site.
- Look for a padlock, key, or https in your browser
- A locked padlock, a key, or https: in the URL indicates a secure, encrypted connection.
- Do not submit personal info unless it's a secure connection (https) and always log out of your accounts.
- Scan the web site URL using a free online scanning service. Simply paste the web site URL into virustotal.com and hybrid-analysis.com to see if the site contains malware.
- Read the URL carefully. If this is a website you frequent, is the URL spelled correctly? Oftentimes, phishers will set up websites almost identical to the spelling of the site you are trying to visit. An accidental mistype may lead you to a fraudulent version of the site.
- Use your common sense. Does a website look strange to you? Is it asking for sensitive personal information? If it looks unsafe, don't take the risk.
- Look for signs of legitimacy. Does the website list contact information or some signs of a real-world presence? If doubtful, contact them by phone or email to establish their legitimacy.
- If it looks too good to be true, it probably is. Is the website offering you a product or service at an unheard of price? Or maybe they are promising you a huge return on investment? If the offer looks too good to be true, trust your instincts. Do some research to find reviews or warnings from other users.
- Do not let Google, or a web site, 'remember your information' - this is easily stolen
- To clear your browser's memory, go to:
- In Internet Explorer: Select tools, delete browsing history, passwords.
- In Google Chrome: Select menu, more tools, clear browsing data, passwords.
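
The "https" and "read the URL carefully" checks above can be automated. The following is an added example, not part of the original page: it flags a URL that is not HTTPS, whose domain is a near-miss spelling of a site you trust, or (going slightly beyond the text) that uses a trusted name as a subdomain of some other site. The `KNOWN_HOSTS` list and the two-label domain rule are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Hypothetical list of sites the user really does business with (assumption).
KNOWN_HOSTS = {"lcc.edu", "paypal.com", "ebay.com"}


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels of the host name.

    Simplification for the example; production code should consult the
    Public Suffix List so that names like example.co.uk are handled.
    """
    return ".".join(host.rstrip(".").split(".")[-2:])


def check_url(url, known=KNOWN_HOSTS):
    """Return a list of warnings for `url` (empty list = nothing suspicious)."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit lower-cases the host
    if parts.scheme != "https":
        findings.append("not-https")
    domain = registered_domain(host)
    if domain in known:
        return findings                  # exact match with a trusted site
    for good in sorted(known):
        if host.startswith(good + ".") or "." + good + "." in host:
            # e.g. paypal.com.something.example is NOT paypal.com
            findings.append("trusted-name-as-subdomain:" + good)
        elif edit_distance(domain, good) <= 2:
            # one or two characters away from a site the user knows
            findings.append("lookalike-of:" + good)
    return findings


if __name__ == "__main__":
    # Constructed sample URLs.
    for sample in ("https://www.paypal.com/signin",
                   "http://www.lcc.edu/",
                   "https://www.paypa1.com/signin",
                   "https://paypal.com.account-verify.example/login"):
        print(sample, "->", check_url(sample) or "no warnings")
```

An empty result only means the URL passed these particular checks; the other points in the list still apply.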
How to identify phishing emails
Fraudsters send fake emails or set up fake web sites that mimic LCC's sign-in pages (or the sign-in pages of other trusted companies, such as eBay, PayPal, or Office365) to trick you into disclosing your user name and password. This practice is sometimes referred to as "phishing" - a play on the word "fishing" - because the fraudster is fishing for your private account information. Other fraudsters are trying to get you to visit malicious web sites or open malware-infected attachments.
It's ok to open the email, but you must not open attachments, enable Office attachment macros, open links, download the pictures, enter the email-provided password into an email attachment (this is common for encrypted attachments because they can't be scanned by antivirus software), or provide your login credentials.
Phish email red flags may include:
- Unsolicited email – this is the biggest red flag. Were you expecting the email?
- Check the Sender
- A favorite phishing tactic among cybercriminals is to spoof the display name of an email. Let's say you receive an email that appears to come from a known person, such as your boss. You need to do more than look at the name, look at the email account too! If the email comes from firstname.lastname@example.org, email@example.com or from any domain other than the one you would expect (in this case firstname.lastname@example.org), then assume that the email is fraudulent! Official LCC emails will always come from an lcc.edu email address.
- Phishers commonly use a 'free' email account (hotmail.com, yahoo.com, gmail.com, etc.)
- Does the sender address (From:) match the sender's contact info in the body of the message?
- Check the Greeting
- Spoofing and phishing emails are often generated automatically and aren't well checked. If the greeting isn't a normal professional salutation, then beware of the email.
- Check the sender's signature block
- Lack of details (or no contact information), or an unfamiliar signature style may be indicators that the email you received is not legitimate.
- Sender asks multiple times for you to open the attachment/link
- Out-of-context requests (why is someone submitting a resume to you?)
- Account cancellation and suspension warnings (urgency plus consequences) are often used to scare someone into divulging work, personal, and financial information.
- Spelling errors, poor formatting, grammatical mistakes, janky graphics and other obvious
- A bad spoofed email may be easy to spot, but a well done spoofed email can be difficult to identify. Look for the little things. Nobody is perfect, but a legitimate email that is professionally done will be checked and double checked before it is sent out. Chances are you won't find spelling, formatting, or grammatical errors.
- Does the message ask for any personal information (password, credit cards, SSN, etc)?
- Does the message ask for sensitive information about others?
- Does the message ask you to immediately open an attachment?
- Don't trust or click on logos
- Just because you see a familiar logo, doesn't mean that the email is legitimate. Logos are easily copied and pasted into emails to lend a sense of legitimacy. Clicking on a logo in an illegitimate email can take you to a website that may ask for personal information or even directly compromise your computer.
- Call the sender to verify the legitimacy of the email.
- Don't click the link
- As a user, you should use caution and double-check embedded email links by using the 'hover method.' This means moving your mouse pointer over the embedded link without clicking, and the true address of the link will appear. If the link is not one you recognize, then you are being sent to a malicious web site!
- When hovering over the link, does it look like the link belongs to the organization sending the message? Does the hover-text link match what's in the text? Do the actual links look like a site with which you would normally do business?
- Most LCC emails that contain a link will ask you to go to the page on your own and not contain an embedded link. If there is a link present, hold your mouse over the link and it will show you the "real" link that you will be sent to.
- Remember, just because the link looks like it will take you to an LCC site, doesn't mean it will. The best practice is to type the URL into the browser yourself.
- Scan the web site URL using a free online scanning service. Simply paste the web site URL into www.virustotal.com and hybrid-analysis.com to see if the site contains malware.
- Don't click on attachments
- Never click on an email attachment unless it is something that you are expecting. Spoofing and phishing emails often contain malicious attachments and many cannot be detected by your computer's anti-virus software.
- Never enable macros in Microsoft Office attachments
- Never enter a password into an attachment that is provided in the email.
- Scan the attachment using a free online scanning service. Simply paste the web site URL into www.virustotal.com and hybrid-analysis.com to see if the site contains malware.
- Finally, when in doubt, throw it out
When you receive emails that appear suspicious, you can send them to LCC Help Desk (email@example.com, 517-483-5221) or LCC Information Security (firstname.lastname@example.org, 517-483-5264) and we will review them for legitimacy.
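
Several of the red flags above can be checked mechanically from the raw message. The following is an added example, not part of the original page or an LCC tool: it parses a message with Python's standard `email` package and reports a free-mail sender, a display name that claims LCC while the address is elsewhere, a Reply-To that differs from the sender, and links whose visible text names one site while the real target (what hovering would show) is another. Both sample messages and the flag names are constructed for the illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "lcc.edu"                            # per the page
FREE_MAIL = {"hotmail.com", "yahoo.com", "gmail.com"}   # the page's examples

# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "LCC Help Desk" <notreal.sample@gmail.com>
Reply-To: support@lcc-helpdesk.example
To: student@lcc.edu
Subject: Account suspension warning
Content-Type: text/html; charset="us-ascii"

<p>Dear user, your account will be suspended today. Sign in at
<a href="http://my.lcc.edu.login-check.example/">my.lcc.edu</a> now.</p>
"""
SAMPLE_OK = """\
From: "LCC Help Desk" <notices@lcc.edu>
To: student@lcc.edu
Subject: Scheduled maintenance
Content-Type: text/html; charset="us-ascii"

<p>Details are posted at <a href="https://my.lcc.edu/">my.lcc.edu</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, real href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(text):
    """Host name of a URL, or of bare text that looks like a host."""
    text = text.strip()
    if "://" not in text:
        text = "//" + text
    return urlsplit(text).hostname or ""


def same_site(host, domain):
    return host == domain or host.endswith("." + domain)


def red_flags(raw):
    """Return the red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    display, addr = parseaddr(str(msg.get("From", "")))
    from_dom = addr.rpartition("@")[2].lower()
    if from_dom in FREE_MAIL:
        flags.append("free-mail-sender")
    if "lcc" in display.lower() and not same_site(from_dom, EXPECTED_DOMAIN):
        flags.append("display-name-spoof")
    reply = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply and reply.rpartition("@")[2].lower() != from_dom:
        flags.append("reply-to-differs")
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    if body is not None:
        collector.feed(body.get_content())
    for text, href in collector.links:
        # Only compare when the visible text itself looks like a host or URL.
        shown = host_of(text) if "." in text and " " not in text else ""
        real = host_of(href)
        if shown and not same_site(real, shown):
            flags.append(f"link-text-mismatch:{shown}->{real}")
    return flags


if __name__ == "__main__":
    print(red_flags(SAMPLE_PHISH))
    print(red_flags(SAMPLE_OK))
```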
How to know if a website or URL link is safe?
How to respond to accidentally emailing your email/username & password/passphrase
You should change your password/passphrase immediately at the associated website! For LCC usernames and passwords, go to my.lcc.edu and select 'Change my Password'.
How to respond to accidentally emailing your personal information
Personal information includes things such as: address, bank/financial account number, credit card number or information, answers to security questions, other personal information, or driver's license/license plate. While there's no way to "unsend" the email, many of these pieces of information are changeable (especially credit card numbers). Contact the appropriate organization or financial institution.
How to respond if your email account gets hacked/compromised
First, contact the LCC Help Desk (email@example.com or 517-483-5221) immediately so we can ensure the security of your system and information.
Then follow these steps:
- Change your password immediately! Go to myLCC and select "change my password". Make your password stronger, stranger and less "you." That means no birthdays, addresses, kids' names, dogs' names, maiden names, favorite movie names, favorite band names, or anything else that you might otherwise feature on your Facebook page. If you can't log in to change your password, go to my.lcc.edu and select "forgot my password" to recover it. If that doesn't work, call the LCC Help Desk.
- Notify everyone on your contact list that you have been compromised and they should look at any communication from you with suspicion for the time being. Further, they should double down on their computer protection. If they have already been victimized, offer your condolences and support, and make sure they are following these steps, too.
- Scan your computer with an updated anti-virus program. Don't think that sophisticated email hackers are in it for the fun of grabbing your email and then doing a spam conga line. Often their goal is much more insidious. Why crawl into a life unless you can truly monetize it? They may have inserted malware into your system so that they can conduct recon and report back all of your passwords or your other personal information. I recommend downloading a free malware scanner called Malwarebytes and running a full scan of your computer. I would also download an additional free malware scanner that specifically targets spyware called Super Spyware, and run a full scan of your computer. I also recommend running an up-to-date antivirus program on your computer at all times. Windows 10 provides a free antivirus program called Windows Defender.
- Consider changing your security questions. If the hackers had your password they might have seen your account recovery challenge questions (e.g. what is your pet's name). Choose new questions and get creative in your answers. Trust me -- you want them out of your life and not as permanent pen pals.
- Check Everything! It's difficult to list all of the things that a hacker could change after they access your account. One common technique is to set up new email rules. Make sure the cyber ninjas haven't created forwarding email addresses and if you find any delete them immediately. Also, look carefully at the signature block (if you've set one up) and make sure it's really yours. The hackers may have included some malicious links there too. Hackers can change the Reply-to address so that people replying to your email reply to the hackers instead. Sometimes, it's obvious that the reply address is completely different. Other times, there will be very subtle changes, like a single letter difference in the email address that the person replying to you doesn't notice. Hackers can also add, remove, or alter entries in your contacts or address book. You may think you're sending something to Aunt Mary, but it might not be her at all. They can modify your spam filter settings and rules. In other words, they can make sure that you see all of the spam that's headed your way. They could even alter what server is used to send mail. For example, Gmail allows you to specify an alternate server to be used when you send email. There are various reasons for this, but it allows you to use your Gmail account to send email from a non-Gmail email address. A hacker can change or even add that configuration without you realizing it. After they do, all of the email you send would go through a hacker's email server rather than Google's servers.
- Check your email folders. Folks have a tendency to send financial or personally identifiable information to others via email and then archive (in the sent email folder) the offending email in a file in their system. If so, immediately go to whatever account is identified and change the user ID and password. Again, if the hacker was snooping around, what did he/she see?
- Change passwords or security questions for other web sites. In the event you re-used your account passwords or security questions with any other site, change them, too. Too often we opt for convenience (or simplicity) over security and use a single password for multiple websites -- including financial services, social media, retail or secondary email sites. Not a good idea. In fact it's a very bad idea. Change all of them and use different passwords for each. I've seen hacker programs that take your login & password and try it on all bank and broker web sites, social media (think Facebook, Twitter, etc), and utility (gas, electric, etc) web sites, in about 5 minutes! If you reuse passwords, hackers might now be emptying your bank account, posting an obscene status on Facebook, and shutting off your electricity. Good times!
- Start Backing Up. One of the common results of a hacked email account is that the hacker erases your contacts and email. Everything, gone. Yes. That happens sometimes. It's often part of a hacker not wanting to leave a trail – they delete everything in the account: everything they've done along with everything you've done. Before this ever happens to you, check the settings on the email account to see if you can back it up. In Google email, go to My Account, Account Settings, Download Data, and then Download a Copy. This will archive your email and data.
- And finally, monitor! Assuming that the hacker in question was able to find either your Social Security Number or other valuable pieces of personally identifiable information, it will become important for you to monitor your credit and various financial accounts for suspicious activity. You can get a copy of each of your three major credit reports for free once a year at AnnualCreditReport, and you can use tools like Credit Report Card for an easy to understand overview of your credit history, along with your credit scores. Finally, you might also wish to contact the fraud department of one of the big three credit reporting agencies and have a fraud alert put on your file, or you may even want to ask them to "freeze" your credit.
If you are wondering "How did they get into my account?", there are many ways:
- The most common method is a phishing email. Don't fall for email phishing attempts. If they ask for your password (or bank account), they are bogus. Don't share your password with anyone. Ever. Ever. Don't click on links in email that you are not 100% certain of. Many phishing attempts lead you to bogus sites that ask you to log in and then steal your password when you try. And don't open attachments; simply clicking on the attachment installs malware on your computer without your consent.
- Don't re-use passwords. If you do, perhaps one of your other accounts was hacked and they tried the same password on your email account.
- If you're using free WiFi hotspots, use them safely. Typically all traffic is unencrypted, which means anything you do could be watched, so don't ever enter a login or password. If you do, you've just handed over the keys to the kingdom (that's nerd speak for 'Big Mistake').
- You might also have malware on your device that is stealing your account information. Keep the operating system and other software on your machine up-to-date and run up-to-date anti-malware tools.
- Consider multi-factor authentication where simply knowing the password is not enough to gain access. Most services support this; check Two Factor Auth for a list of websites that support two-factor authentication.
How to send social security or credit card numbers in email
Never send Social Security Numbers (SSN) and Credit Card Numbers (CCN) through email. First, SSNs are Personally Identifiable Information (PII) and can be used to steal a person's identity. If stolen, the criminal could take out loans, get a driver's license and file a bogus tax return. Second, email is unencrypted so anyone with access to any spot on the path can load a free sniffer to capture all of your information. This means that you should assume your email is being searched and saved by criminals. It's the equivalent of entering your SSN or CCN into an unencrypted/http website, or mailing the information on a postcard!
There are several solutions to minimize the risk of sending SSNs and CCNs: snail mail, hand-delivery, and fax are better options with lower chances of exposure to criminals. If you must email the information, then you have several options. First, leave the SSN/CCN off the document, and after delivering the document, follow up with a phone call to pass the SSN/CCN to the recipient. Second, encrypt the email's info using MS Office Encryption, Adobe PDF encryption, or a free file encryption tool called 7-Zip, available at www.7-zip.org. Instructions can be found in the Secure Email Procedure Knowledge Base article.
- Open the Adobe PDF and choose Tools > Protect > Encrypt > Encrypt with Password
- Open the Office file and select Info--Protect Document/Workbook/Presentation, Select Encrypt with Password
How to set up a strong password
A well-chosen password improves the security of your account, files, and computer. Given sufficient time and resources any password can be guessed. We can protect our resources by making our passwords as difficult to guess as possible, thereby increasing the amount of time required to guess them.
A password is only as good as it is unpredictable. One of the most common methods used to break into computer systems is to look at a list of the users and try to guess their passwords. It is a simple task to write a program which tries such obvious things as the user's name (capitalized or not), common nicknames, the user's phone number, and any word found in a standard dictionary.
One of the greatest strengths of a password comes from its variety. There are 47 keys on the standard US keyboard that have two possible output characters usable in a password, giving a total of 94 possible characters that can be easily chosen for use in your password. The more you make use of this variety, particularly the more obscure portions of it, the less likely it is that someone will guess your password quickly.
One of the greatest strengths of a password comes from its length. Probability theory tells us that each additional character in a password multiplies the amount of work a password guessing program must do to break your password. A three-character password made up of only characters A through Z (in either upper or lower case) can be guessed in just over 140,000 tries, which can be done in milliseconds. A password of 8 characters potentially using the full 94-character space would require over 722 quadrillion (1 quadrillion = 1,000 trillion) guesses. The recommended minimum standard today is 12 characters in length.
A strong password combines length, variety and non-predictability. Advice for Choosing a Strong Password:
- Do NOT put special characters or numbers solely at the very beginning or end of the password (e.g., secret1, 1secret)
- Do NOT include runs of three or more of the same character (such as aaa)
- Do NOT use an identifiable sequence of numbers (patterns such as your Social Security number, birth date, telephone number, postal code, etc.)
- Do NOT include anything in your account information, such as your LCC login name, email address, or initials
- Do NOT use a simple pattern or sequence of keyboard characters (qwerty, zyxwvuts, 123321, etc.)
- Do NOT use LCC, Stars, variations of "password", month names, seasons (winter, summer, fall, spring), Lansing, Community, College, or Michigan in your password
- Do NOT make passwords based on personal information, such as first name, names of family, pets, friends, co-workers, fantasy characters, birthdays, addresses, etc.
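
The "Do NOT" rules above, together with the 12-character minimum, can be turned into an automatic check. The following is an added example, not LCC's actual password filter: the rule names, the look-alike character table and the window sizes used to detect keyboard or number sequences are assumptions chosen for the illustration.

```python
import re

MIN_LENGTH = 12  # the page's recommended minimum
# Words the page bans outright. Short ones ("lcc", "may", "fall") also match
# inside longer words, which is the strict reading of the rule.
BANNED_WORDS = (
    "lcc", "stars", "password", "lansing", "community", "college", "michigan",
    "winter", "summer", "fall", "spring",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
)
# Undo common look-alike substitutions so "P@ssw0rd" is read as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})
# (sequence, window): 4 adjacent letters or 3 adjacent digits count as a pattern.
SEQUENCES = (
    ("abcdefghijklmnopqrstuvwxyz", 4),
    ("qwertyuiop", 4), ("asdfghjkl", 4), ("zxcvbnm", 4),
    ("01234567890", 3),
)


def has_sequence(pw):
    """True if pw contains a forward or backward keyboard/alphabet/digit run."""
    low = pw.lower()
    for seq, n in SEQUENCES:
        for candidate in (seq, seq[::-1]):
            for i in range(len(low) - n + 1):
                if low[i:i + n] in candidate:
                    return True
    return False


def symbols_only_at_ends(pw):
    """True for shapes like 'secret1' or '1secret': a plain word with the
    digits/symbols stuck on the front or back only."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return core != pw and core.isalpha()


def check_password(pw, personal=()):
    """Return the rules `pw` breaks (empty list = passes every check).

    `personal` holds the user's own login name, email address, initials,
    names, dates and so on; only the caller knows these.
    """
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("shorter-than-12")
    if symbols_only_at_ends(pw):
        problems.append("digits-or-symbols-only-at-ends")
    if re.search(r"(.)\1\1", pw):
        problems.append("repeated-character-run")
    if has_sequence(pw):
        problems.append("keyboard-or-number-sequence")
    normalized = low.translate(LEET)
    for word in BANNED_WORDS:
        if word in low or word in normalized:
            problems.append("banned-word:" + word)
    for item in personal:
        if len(item) >= 3 and item.lower() in low:
            problems.append("personal-info:" + item.lower())
    return problems


if __name__ == "__main__":
    # Constructed sample passwords; "jdoe" is a made-up login name.
    for sample in ("secret1", "zyxwvuts123321", "Lansing-Stars-2024!!!",
                   "MyP@ssw0rdIsGreat", "jdoe-Blue7-kettle-Orbit"):
        print(sample, "->", check_password(sample, personal=("jdoe",)) or "ok")
```

Passing these checks shows only that a password avoids the listed patterns; it does not show that the password is unpredictable.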
The Passphrase Concept
A password is only good if you are the only person who knows it. Since complex passwords are hard to remember, people often resort to writing them down, or else choose less complex passwords. To make it easier, we suggest you use passphrases in place of passwords.
A passphrase might be created by taking a sentence and selecting the first letter from each word. For example, consider the following sentence: "A good password is long, complex, unpredictable, and known only to me". We could take just the first letter from each of these words to come up with the passphrase "agpilcuakotm". It's unlikely anyone will guess that is your password, but as long as you remember the phrase, you'll always be able to type the password.
Make substitutions of characters to increase the complexity. The passphrase "agpilcuakotm" is not very complex. To improve that, we can do two things. One, we can add the commas from the phrase into the passphrase to get: "agpil,c,u,akotm". We can introduce random capitalization as well: "aGPil,c,u,akotm", and finally make substitutions like using the equal sign for "is" and the number 1 for "only" to get "aGP=l,c,u,ak1tm". It is very unlikely that anyone will guess this password randomly. Another common technique is to include the transposition of letters in the passphrase.
Another method is to create the password based on a unique phrase such as song lyrics, a book quotation, or a movie line. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. As another example, "The Stars basketball team is going to be number 1 this year!" would be "TSbtigtb#1ty!"
Another method is to choose a passphrase that contains a handful of normal words or phrases, as long as whatever associates those words in your mind is known only to you, as explained in https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-p5w0rd.
Do not use the same password for Lansing Community College accounts as for other non-Lansing Community College access (e.g., Facebook, eBay, bank, Twitter, etc.). Use a unique password for every account.
To remember multiple unique passwords, consider using a password manager program--then you only have to remember one password (for the program), plus your laptop/phone lock codes. A password manager program, such as KeePass, a free password manager available at: https://keepass.info, is a small application or secure web site that stores all passwords in a single password-encrypted file. Or enter your passwords in a Microsoft Word document or Excel spreadsheet and save it on a thumb drive. You can enable encryption and set the password protection by going to: File-Info-Protect Document-Encrypt with Password. Then when you open the file, you will be asked for the password.
Never share your passwords with anyone. No one at LCC, including the Help Desk, will ever ask you for your password. And it is best practice to not use the "Remember Password" feature of applications. Malware is designed to easily pull those unencrypted stored passwords.
How to store my passwords (password manager)
GOOD - Write down your passwords on paper and save it in your office drawer (locked when unattended).
BETTER - Enter your passwords in a Microsoft Word document or Excel spreadsheet and save it to your computer or thumb drive. You can enable encryption and set the password protection by clicking File-Info-Protect Workbook/Document-Encrypt with Password. Then when you open the file, you will be asked for the password.
BEST - I recommend a password manager program--then you only have to remember one password (for the program), plus your laptop/phone lock codes, and that's it! A password manager program is a small application or secure web site that stores all passwords in a single password-encrypted file. I recommend KeePass, a free password manager, available at: https://keepass.info. It's best if you enable KeePass's 'Secure Desktop' option (where it opens a separate secure window), two-channel auto-type obfuscation, random password generation, and KeeForm (to fill in your credentials into web forms). And please make your ONE password an annoyingly long series of letters, numbers, and symbols that doesn't contain any recognized dictionary words. This will give you the best chance at password security.
How to enable two-step authentication where available on your critical accounts
Consider multi-factor authentication where simply knowing the password is not enough to gain access. Most services support this; check Two Factor Auth for a list of websites that support two-factor authentication.
How to have strong security question answers
It's recommended that you make up answers to the security questions that reset your password. That's right, it's time to lie! Answers to the typical security questions (mother's maiden name, high school mascot, etc.) are too easy to obtain. Go ahead and lie and make up an answer. For instance: your mother's maiden name is now 'Spartans.'
How to have strong physical security
Mobile devices, including laptops and smartphones, are very often the target of thieves, not only because they want to resell the device but also because they know the data on those devices can be far more valuable. College students have little privacy, and even less space. Communal areas, busy classrooms and crowded libraries are perfect opportunities for malicious-minded individuals to steal your gear or "shoulder surf." So, here are a couple of tips on how to protect a mobile device:
- Mobile devices should never be left in a car.
- They should never be left unattended in public places like conferences, airports, restrooms, public transport, etc.
- The devices should be kept with the user the whole time, or stored in a facility with no public access – e.g., a room or an office that is locked when no one is present.
How to use public WiFi
- Assume all WiFi networks are suspicious - check with the receptionist to make sure you chose the wireless network provided by the coffee shop, doctor, etc.
- Never leave your device unattended - not even for a moment. You may come back and still see your computer where you left it, but a thief may have installed a keylogger into it to capture your keystrokes.
- Use public WiFi for quick browses only, such as Wiki, Google, etc.
- Do not e-mail messages of a sensitive or serious nature.
- Do not file share.
- If you must log into a secure website, make sure it is encrypted (HTTPS) throughout the browsing session (and make sure it doesn't drop back to HTTP).
- If available, use 2-factor authentication for login/password access to sites with confidential info.
How to use a social network safely
College students are one of the most socially engrossed demographics, but even an innocent selfie or check-in at your favorite coffee shop can reveal more than intended. Personal information shared on social sites can be the final puzzle piece hackers need to unlock identity theft. Be careful what you share; never disclose any personal information on public-facing online accounts.
I recommend limiting the amount of personal information you post or share - Do not post information that would make you vulnerable, such as your address, phone number, Social Security number, or other personal identifying information, to include information about your schedule or routine. If your connections post information about you, make sure the combined information is not more than you would be comfortable with strangers knowing. Also be considerate when posting information, including photos, about your connections. Try these answers when you receive your next Facebook poll:
Where you are from: STOP
Favorite color: GIVING
First pet's name: PEOPLE
Street you grew up on: YOUR
First child's name: PERSONAL
Favorite restaurant: INFO
Favorite teacher's name: TO
First job title: GUESS
Favorite food: YOUR
One unpopular opinion you have: PASSWORDS
Favorite singer/band: AND
First type of car you had: SECURITY
Your mother's maiden name: QUESTIONS
- Remember that the Internet is public and permanent - Only post information you are comfortable with anyone seeing. This includes information and photos in your profile and in blogs and other forums. Also, once you post information online, you can't retract it. Even if you remove the information from a site, saved or cached versions may still exist on other people's machines. Even if you delete the account, you don't know if someone has already printed/copied your text or photos off of it.
- Be wary of strangers - The Internet makes it easy for people to misrepresent their identities and motives. Consider limiting the people who are allowed to contact you on these sites. If you interact with people you do not know, be cautious about the amount of information you reveal or agreeing to meet them in person.
- Be skeptical - Don't believe everything you read online. People may post false or misleading information about various topics, including their own identities. This is not necessarily done with malicious intent; it could be unintentional, an exaggeration, or a joke. Take appropriate precautions, though, and try to verify the authenticity of any information before taking any action. Do you really know if a profile is real and not fake? If you suspect that a message is fraudulent, use an alternate method to contact your friend to find out. Only "friend" people you know in the real world.
- Evaluate your settings - Take advantage of a site's privacy settings. The default settings for some sites may allow anyone to see your profile, but you can customize your settings to restrict access to only certain people. There is still a risk that private information could be exposed despite these restrictions, so don't post anything that you wouldn't want the public to see. Sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.
- Be wary of third-party applications - Third-party applications may provide entertainment and functionality, but use caution when deciding which applications to enable. Avoid applications that seem suspicious and modify your settings to limit the amount of information the applications can access.
- Check privacy policies - Some sites may share information such as email addresses or user preferences with other companies. This may lead to an increase in spam. Also, try to locate the policy for handling referrals to make sure that you do not unintentionally sign your friends up for spam. Some sites will continue to send email messages to anyone you refer until they join.
- Turn off the GPS function on your smartphone camera: If you plan to share images online, make sure that you turn off the GPS on your device to keep your exact location private. You can also remove a picture's details by opening Windows Explorer and selecting all the image files you want to remove the metadata from. Right-click them, select Properties, open the Details tab, and click Remove Properties and Personal Information.
- Close old accounts that you don't use anymore: Don't risk leaving personal data in an old account, such as a MySpace page you haven't used in years, or on an online dating site you no longer need. Instead, close the accounts you don't use and delete as much personal information from them as possible.
How to recognize, protect against and respond to identity theft
Identity theft occurs when someone uses another person's personal information such as name, Social Security number, driver's license number, credit card number, or other identifying information to take on that person's identity in order to commit fraud or other crimes. Stealing an identity is, unfortunately, surprisingly easy to do and happens when you least expect it.
The symptoms of identity theft are:
- You see unauthorized charges on your credit card or bank accounts.
- You are contacted by a collection agency regarding a debt you did not incur.
- You receive bills from a credit account you did not open.
- You are turned down for a job.
- Bank and credit billing statements don't arrive on time.
- You are turned down for an auto/student loan, mortgage, credit card, or other form of credit due to unauthorized debts on your credit report.
- Your credit report shows accounts you did not authorize.
To protect yourself from Identity Theft, you should:
- Review your credit card statements and bank statements for discrepancies.
- Order and review your credit report from the credit reporting bureaus at least once a year.
- Pay attention to your billing cycles. If bills or financial statements are late, contact the sender.
- Review your receipts and credit card statements--watch for unauthorized transactions.
- Shred all receipts, credit card statements, bank statements, pre-approved credit card offers, and any paper that has your personal information.
- Never leave or throw away credit card receipts in public.
- Do not respond to pre-approved credit card, auto loan or mortgage offers from unknown sources.
- Try not to keep too many credit cards if you don't use them regularly.
- It is more difficult to monitor your accounts if you have numerous credit card accounts that you are not using.
- Never give personal information over the phone such as social security number or financial information unless you initiated the phone call.
- Do not carry your SSN card with you; leave it in a secure place.
- Protect and store personal information at home
- Make sure that you store your personal data and files in a safe place that is inaccessible to visitors.
- Install a locking mailbox at your residence. Identity thieves often obtain the information they need by intercepting mail in unlocked street mailboxes. Collect mail promptly. Ask the post office to put your mail on hold when you are away from home.
- Don't respond to unsolicited requests for personal information (your name, birthdate, social security number, or bank account number) by phone, mail, or online.
- Watch out for "shoulder surfers." Shield the keypad when typing your passwords on computers and at ATMs.
- When participating in an online auction, try to pay the seller directly with a credit card so you can dispute the charges if the merchandise does not arrive or was misrepresented. If possible, avoid paying by check or money order.
- Keep your eye on your information!
- Be alert when you see information that doesn't make sense--investigate any charge, statement, discrepancy, or suspicious information.
- Don't carry your Social Security card or other information containing your SSN with you.
- Don't give businesses your SSN just because they ask for it. Give it only when required.
- Take a look at your Social Security earnings statement each year. If that number is off, you need to investigate.
- Two of the most common ways to steal sensitive data are dumpster diving and mail theft. Investing in a crosscut shredder and a lockable mailbox will help eliminate those risks.
What to do if you're a victim of identity theft:
- It is important to take action right away to minimize future damage.
- File a police report and send a copy to your creditors. This report helps document
- When filing a police report, visit the police station nearest to where the crime took place. The LCC Public Safety office at 517-483-1800 can assist.
- Report the theft to the Federal Trade Commission at https://www.identitytheft.gov/. Victims will also want to file a complaint with the Internet Crime Complaint Center (IC3), as most unemployment claims are submitted online (at gov/complaint/). Report it to the Michigan Attorney General's Office at www.mi.gov/ag (online complaint form).
- Call creditors to let them know the accounts may have been opened fraudulently. If your existing accounts have been accessed, get new cards and account numbers.
- Request a free credit report from each of the three credit reporting agencies on an annual basis at this Federal Trade Commission (FTC) approved website: annualcreditreport.com. You can request a free credit report every four months by choosing only one of the three credit reporting agencies' reports at a time rather than all three at the same time.
- Request that a "fraud alert" be placed on your credit account and that creditors get permission from you before opening any new accounts.
- Next, freeze your credit file with the major bureaus. A free credit freeze lets you restrict access to your credit report, which in turn makes it more difficult for identity thieves to open new accounts in your name. Then, when you want to apply for credit after triggering a freeze, ask the lender or credit card issuer which credit-reporting agency it uses and then unfreeze only that agency's credit report. Refreeze it once your application is approved.
- Request an IP PIN from the government. The IRS Identity Protection PIN (IP PIN) is a unique six-digit number that is assigned annually to victims of identity theft for use when filing their federal tax return; it shows that a particular taxpayer is the rightful filer of the return. Check for eligibility at: https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin
- Keep copies of all the information you collect for future reference. Further information on how to keep your personal info secure can be found at: https://www.consumer.ftc.gov/articles/0272-how-keep-your-personal-information-secure
How to secure your home network wireless router
- Change the default administrator login and password
- Give your network a unique name so you can easily identify it, but make sure the name does not contain any personal information
- Ensure that only people you know and trust can connect to and use your wireless network, and that those connections are encrypted (WPA2)—thus requiring a password to connect
- Turn the network off when not in use-- consider this approach during travel or extended offline periods
- Disable remote management
- Even inside the LAN, it's good to restrict which IP (Internet Protocol) addresses can manage the router
- Disable unnecessary services
- The fewer services your router has exposed to the internet, the better. This is especially true if you haven't enabled those services yourself and don't know what they do. Services like Telnet, UPnP (Universal Plug and Play), SSH (Secure Shell), and HNAP (Home Network Administration Protocol)
- Update the router's firmware
How to avoid spam
Spam has increasingly become a problem on the internet. While every internet user receives some spam, email addresses posted to websites or in newsgroups and chat rooms attract the most spam. Follow the recommendations below to reduce the amount of spam you receive.
Filter your email
99%+ of spam is automated SPAM (for example Viagra Ads) sent from spoofed/compromised accounts and the remaining spam is often chain emails, activist emails, etc. LCC has IT systems that monitor our incoming email into the network. Using artificial intelligence, the systems dynamically categorize emails as SPAM based on the senders, reputation, content, recipients, and various header information, currently stopping over 10 million threat messages per month. Years ago, we were able to maintain a block list of SPAM senders but over time, it has become impossible to maintain such a large list manually. Fraudsters are able to rapidly change the sender, content, and other information to bypass our email SPAM filter and deliver a small number of messages until our filters can compensate for the changes. Although it's impossible to eliminate all SPAM, technology has made it more effective to eliminate a majority of SPAM and the burden for individual users to report SPAM has become unnecessary.
Some spam messages you receive are quarantined in Outlook's junk email folder in your account. After five days, the spam service deletes these messages automatically.
Your desktop email client or web-based email client has the ability to filter email, such as block listing, which prohibits mail sent from email addresses that you list. You can right click on an email, select Junk, and Block sender.
Don't reply to spam
If you reply to spam or unsubscribe, the spammer or the automated program on the other end will know that your address is connected to a live person, and the spammer will then bombard you with even more spam, and circulate your address to other spammers. It is critical that you pause and think before replying to any spam. Consider the following guidelines:
- Setting up your email account to generate automatic responses while you are away can have the unfortunate side effect of verifying your email address to every spammer that sends you spam. To avoid this, set up your automatic replies for inside your organization only.
- If the message appears to come from a legitimate company, the company may have obtained your email address from some transaction between you and the company. In fact, you may have inadvertently provided your email address (for example, if you didn't check a box marked Don't send me product updates). In these cases, it is usually safe to reply and ask to be removed from the mailing list.
- If it is not a company you recognize, use your judgment. To be safe, copy and paste the link to the company's site into the browser rather than clicking it in the email message.
- If the spam is clearly from a disreputable source, do not follow the (probably bogus) unsubscribe directions. In most cases, if you never reply, the network of spammers will eventually decide your email address is a dud, and will stop using it as often.
Be careful releasing your email address, and know how it will be used
Every time you communicate on the internet or browse a website, there are opportunities for spammers to intercept your communications to obtain your email address and other personal information.
Otherwise reputable companies may sell or exchange your email address with other companies, and this information may eventually find its way to a spammer. At worst, spammers will use automated programs to bombard these lists of email addresses with spam. Consider the following guidelines:
- Subscribe only to essential discussion lists, and ensure that they are moderated.
- If you need to list email addresses on your website, present the addresses in a way that makes them less vulnerable to collection and abuse by spammers.
- Every time you are asked for your email address verbally or on paper, think carefully about whether or not you want to receive any information from that company or organization. It is usually best to decline to provide your email address.
- Whenever possible, advocate that organizations you are involved in or do business with default to the opt-in model. This requires you to specifically request to be added to their email lists, rather than the opt-out model, where they add you to email lists automatically, and then give you the option of asking to be removed.
Use a secondary email account
If you need to provide an email address for a web account, please use a personal email address. You can obtain a free personal email address from many providers like Gmail or outlook.com. If the website listing your contact information is for LCC business, you could get a departmental/organizational account and list that address rather than your personal address.
You should also consider opening a free account for performing potentially spam-inducing activities such as posting to newsgroups, bulletin boards, or unmoderated mailing lists, spending time in chat rooms, or using an online service that displays your address.
You should also consider using a disposable email address service. These services allow you to create a new disposable email address discreetly linked to your real address whenever you need to supply one. If spam starts coming to one of the disposable addresses, you can simply turn the address off. Because you can give out a different disposable address on every occasion, you can easily determine who supplied your address to spammers.
Adjusting the security settings in your web browser is a good preventive measure. For a higher level of security, have your browser disallow:
- Accepting cookies
- Listing your name and other personal information in your browser profile
- Filling in form fields for you
This will help reduce the amount of personal information transmitted to sites at the expense of full functionality, since many legitimate websites require you to accept cookies.
Do not contribute to the spam problem by producing any of it yourself! In particular, learn about chain mail and do not forward chain mail to others. Also, if you receive an email message that appears to warn of some horrible thing happening (such as a virus that reportedly deletes all your files) or is a touching sob story (about helping to save a poor sick girl or boy, for example), be suspicious.
Nearly every instance of chain mail is a hoax. The message may even come from someone you know and respect who is simply not aware that it's a hoax. Google is a great site for verifying hoaxes; do not forward them to others.
How to prepare, conduct and return from foreign travel
For members of the campus community, a trip to a foreign country presents unique data security challenges. Beyond the physical loss of your device, staying digitally connected often means that you will connect your devices to public networks in hotels, airports, train stations, and conference halls, which employ minimal security measures. These public networks often harbor malware from cybercriminals looking to steal your data for identity fraud, as well as nation state actors targeting academic travelers for intellectual property.
Proactive risk management dictates that LCC block traffic from hostile geographic locations that have demonstrated a high frequency of known attacks. If you travel outside the United States and want to access LCC resources (myLCC portal, virtual private networks (VPN), etc), please contact the LCC Help Desk with your travel location and dates so that we may ensure your access.
Mobile devices, including laptops and smartphones, are very often the target of thieves, not only because the device can be resold but also because the data on those devices can be far more valuable.
Here are some tips to ensure safe foreign travels:
BEFORE YOU GO
- Notify the Help Desk and Information Security if you are traveling abroad with your dates and planned locations so that we can ensure you have access to LCC resources.
- If traveling with LCC data and/or IT resources, check for requirements and current travel restrictions that could endanger those assets.
- If possible, do not take your work or personal devices with you, particularly if travelling to non-democratic countries. If you must take your computer, remove any sensitive or confidential data from your laptop. Materials related to the travel arrangements, presentations, supporting materials, educational information, and any other public domain documents can reside temporarily on the laptop.
- Another possibility is to use a temporary device (such as a temp laptop, contact the Help Desk for availability) and/or a prepaid "throw away" cell phone purchased specifically for travel. You could also create a "throw away" email account for use only on the trip. Delete the account when you return.
- Be sure to password or passcode protect (passcode refers to mobile phones) the device.
- If you must take your electronic devices with you, secure yourself with the following:
- Only include information on the device that you will need for your travel
- Encrypt your hard drive to protect your data. You can check to see if your PC has full disk encryption by searching for 'Manage BitLocker', and on a Mac, check that FileVault is enabled. However, use of encryption may be forbidden in some countries (such as China and the Russian Federation), so please research the software import laws of your destination country.
- Make a full backup of your device and keep it in a secure location.
- Be sure that any device with an operating system and software is fully patched and up-to-date, along with up-to-date security software.
- Make copies of your passport, airline tickets, driver's license, credit cards and any other document you take with you. Leave one copy at home.
- Obtain the phone number and address of the US Embassy and Consulate for the country(s) you plan to visit.
- You might also want to read this New York Times article about some things to consider when planning out your trip abroad.
WHILE YOU'RE THERE
- Do NOT leave your device unattended. If you ever leave your computer, make sure it is stored securely and turn it off instead of just hibernating it or putting it to sleep. Never leave mobile devices in a car. If you must, a locked trunk is the best location.
- Do NOT plug in untrusted accessories. Untrusted accessories, those that came from questionable sources, can be infected with malware intended to steal your data.
- Connect only to known WiFi networks.
- Turn off your WiFi and Bluetooth when not in use. Attackers can easily spoof network names to connect to devices within range for eavesdropping.
- Do not purchase any new hardware/software while traveling. And do not have any of your electronic devices "repaired" or "worked-on" while abroad.
- Use VPN software to establish a secure network connection. Not only does the VPN software provide access to LCC services and network drives, it also creates a secure connection to LCC that will prevent network eavesdroppers.
- Practice safe web browsing. For example, do not open unsolicited attachments or follow unsolicited links in email messages, use caution when downloading files, and browse wisely—avoid suspicious websites. And do not enter your LCC credentials into public computers.
- Don't have an expectation of privacy. Many countries do not have the same privacy protections for electronic communications as the United States. Be mindful that any cell phone conversation, email, and internet browsing may be intercepted by local private, corporate, or governmental entities and adjust your actions accordingly. Access to some web sites, including secure ("https") web sites, and use of VPNs may also be blocked by some countries, because it is more difficult for national authorities to monitor that encrypted traffic. Attempts to circumvent national censorship (e.g., with Tor, Ultrasurf or similar products) may be blocked and there may be legal ramifications if noticed.
- Look out for border crossings. Devices taken across foreign borders may be subject to involuntary official governmental review and even complete duplication (e.g., in some countries, customs officers may temporarily seize your device). Customs agents may ask for your passwords/pin numbers. You do not have to surrender them but they may confiscate your device or potentially keep a copy of one's entire system on entry or exit.
- Minimize the data contained on the device. This is particularly true of logins and passwords, your personal information, and any sensitive data.
- Never use shared computers in public areas, hotel business centers, or cyber cafes, and never use devices belonging to other travelers, colleagues, or friends.
- Keep your passport, other travel documents, credit cards, etc., as well as your electronic devices, with you at all times during your travel. Do not assume they will be safe in your hotel room or in a hotel safe.
- Do not draw attention to yourself -- Do not invite strangers into your room -- Do not leave drinks unattended -- Do not carry large amounts of cash. Use only authorized taxis.
- Be aware of new acquaintances who probe for information, and avoid long waits in lobbies and terminals. Be aware of your surroundings at all times.
WHEN YOU RETURN
- If you used a temporary device, immediately discontinue use. LCC ITS will reformat the hard drive of any LCC device you used, and reinstall the operating system and other related software, or dispose of the device properly.
- Delete the "throw away" email account, if you created one for the trip.
- Report any unusual circumstances to the LCC Help Desk and Information Security.
- Change your password. You must change your password for all services that you have accessed while abroad. This should be done for your LCC account as well as any personal email, social, or financial sites that you accessed while traveling. By limiting the sites that you visit abroad, you reduce the number of passwords you need to change.
How to digitally sign a document
The Electronic Signatures and Records Act's (ESRA) definition of an electronic signature is "an electronic sound, symbol or process that is attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record." An electronic signature on a Word document, PDF, etc. is the same as a physical signature. So if the person intended to sign the MS Word document and entered their electronic signature, then it's permitted and legally binding. Directions for adding an MS Word signature.
How to lock your workstation when you are away
- Always lock your PC (Windows Key and L) or Mac when you are away from your workstation per the LCC Acceptable Use Policy
- Always shut down your computer at the end of the day
- Shutting down at the end of the day is better than locking a computer because a locked computer might have open, active connections to both internal and external servers, safe or otherwise (e.g. infected web site)
- If the workstation is locked, any files you may have opened will be locked, possibly negatively affecting the backup process or use of the file by others.
- Some applications allow incoming connections, so closing them down would be more secure.
- Shutting down a computer is more energy efficient.
How to shop safely online
Today's world is one of searching for the most convenient way of conducting business. E-commerce is quick, convenient and becoming more and more popular. The Internet can make your shopping faster and easier, but there can also be pitfalls if you're not careful. The National Consumers League, the Better Business Bureau and the National Cyber Security Alliance offer key advice to ensure you have a safe online shopping experience, so that your gift-giving is a joyous occasion, not an opportunity for cyber thieves:
- Know who you're dealing with. Check out unfamiliar sellers with the Better Business Bureau and your state or local consumer protection agency. If you're buying gifts on an online auction site that provides a feedback forum, check the track record of the seller before you bid. Don't buy things in response to unsolicited emails from unknown companies, since these may be fraudulent.
- Look for signs that online purchases are secure. At the point that you are providing your payment information, the beginning of the Web site address should change from http to HTTP or HTTPS, indicating that the information is being encrypted – turned into code that can only be read by the seller. Your browser may also signal that the information is secure with a symbol, such as a broken key that becomes whole or a padlock that closes.
- Pay the safest way. It's best to use a credit card, especially when you're purchasing something that will be delivered later, because under federal law you can dispute the charges if you don't get what you were promised. You also have dispute rights if there are unauthorized charges on your credit card, and many card issuers have "zero liability" policies under which you pay nothing if someone steals your credit card number and uses it.
- Never enter your personal information in a pop-up screen. When you visit a company's Web site, an unauthorized pop-up screen created by an identity thief could appear, with blanks for you to provide your personal information. Legitimate companies don't ask for personal information via pop-up screens. Install pop-up blocking software to avoid this type of scam.
- Keep documentation of your order. When you've completed the online order process, there may be a final confirmation page and/or you might receive confirmation by email. Print that information and keep it handy in case you need it later.
- Know your rights. Federal law requires orders made by mail, phone or online to be shipped by the date promised or, if no delivery time was stated, within 30 days. If the goods aren't shipped on time, you can cancel and demand a refund. There is no general three-day cancellation right, but you do have the right to reject merchandise if it's defective or was misrepresented. Otherwise, it's the company's policies that determine if you can cancel the purchase and whether you can get a refund or credit.
- Be suspicious if someone contacts you unexpectedly and asks for your personal information. Identity thieves send out bogus emails about problems with consumers' accounts to lure them into providing their personal information. Legitimate companies don't operate that way.
- Check your credit card and bank statements carefully. Notify the bank immediately if there are unauthorized charges or debits, if you were charged more than you should have been, or if there are any other problems.
- Keep your computer secure for safe shopping and other online activities. Protect your computer with spam filters, anti-virus and anti-spyware software, and a firewall, and keep them up to date. Go to www.staysafeonline.org and www.onguardonline.gov to learn more about how to keep your computer secure.
- Beware of emails offering loans or credit, even if you have credit problems. Con artists take advantage of cash-strapped consumers during the holidays to offer personal loans or credit cards for a fee up front. These scammers simply take the money and run.
- Contact the seller promptly about any problems with your order. Check the company's Web site for a customer service page, "contact us" link, email address, or phone number to get your complaint addressed or questions answered. If you can't resolve the problem, contact the Better Business Bureau or your state or local consumer protection agency for help.
How to securely use your device
Here are tips to securely use your device:
- Set a passcode on a smartphone or password on a computer
- Turn on Encryption.
- Keep your system and applications up to date
- Download apps from trusted sources only. Pay attention to the permissions and rights that the app requests.
- Install antivirus.
- Enable Find my Devices on smartphones.
- Use the VPN.
- Back up your device.
How to see if a website address or an email attachment/file is safe
How to expand a shortened website address
Website addresses can be shortened, typically to hide the true address or because of Twitter character restrictions. Popular services are: bitly, owly, t.co, and goo.gl. A shortened address will look like: http://goo.gl/l6MS. You can enter the shortened address at https://checkshorturl.com to expand it and see the entire address.