
Durham University

Computing and Information Services

Stay Safe Online

Cyber Safety – shopping safely online

Stay safe while shopping online this holiday season

As part of our ongoing commitment to cyber safety, we have launched a campaign to help our staff and students stay safe while shopping online this holiday season.

Take a look at our video to find out the tricks and techniques cyber criminals are using to con people out of their money, data and online purchases.

Make sure you don't fall victim, and be vigilant while shopping online.

If you'd like to find out more about staying safe online, the latest threats and how you can protect yourself and your devices, take a look at the information below.


What is Social Engineering?

Social engineering involves the use of deception, often to obtain confidential or personal information for fraudulent purposes. Targeted attempts are usually trying to trick individuals into giving away passwords or financial information, or to get remote access to their computer to harvest information without their consent. Alongside Phishing, the most common social engineering attacks are:

  • Spoofing – A technique used to disguise communication from an unknown source as coming from a genuine source. It is often used in email and call (caller ID spoofing) scams where fraudsters disguise their identity using the name of a genuine person, usually a senior member of a known organisation; this creates legitimacy and trust with the user and encourages them to take action.
  • Sextortion – A social engineering technique used to scam potential victims. It involves fraudsters using the threat of releasing embarrassing imagery or videos of the user, often claimed to have been obtained from the user’s webcam. This type of attack is generally initiated via email: the fraudster uses a password obtained from a previous data breach to catch the user's attention and convince them the threat is real (the password used is often a very old one, used by the fraudsters to create legitimacy and entice the user to act). They then claim malware was installed on the user's computer and threaten to use it to send the explicit images and/or videos to all the user's contacts unless a ransom is paid.
  • Pretexting – Involves a fraudster using a lie (or pretext) to establish trust with a user in order to obtain sensitive personal information from them, such as date of birth, financial information, or other information that can be used to further their malicious agenda (sensitive commercial information, etc.).
  • Quid pro quo – This technique, by its literal meaning “something for something”, involves an exchange which the user is led to believe is fair. It is often used in phishing attempts where, for example, the user is enticed to open a link to confirm their details with the promise of a financial reward; ultimately, they end up with no reward and their details stolen.
  • Vishing – Or “voice phishing”, relates to a fraudster using voice mail, landline, or mobile phone calls to trick a user into handing over valuable information. Caller ID spoofing is often used in these types of attempts.
  • Smishing – Short for “SMS phishing”, is a form of social engineering where fraudsters use text messages to trick users into disclosing valuable information. These often include malicious links or ask users to reply to the message with the requested (valuable) information.

Phishing

What is Phishing?

Phishing is the most common social engineering technique, where a fraudster sends an email or text to the user seeking information that might help them commit fraudulent activity (identity theft, bank fraud). It often involves the use of “bait” to entice the user to act and respond, such as clicking a link to a malicious website, or convincing them to divulge confidential information (e.g. banking details or passwords).

How to spot the signs of Phishing?

Too Good To Be True - Rewarding offers and eye-catching or attention-grabbing statements are designed to attract attention. Often the lure is the promise of substantial financial benefits.
Action: Be suspicious and seek to validate the legitimacy of the claim.

Sense of Urgency - Users are often pushed to act fast so they don’t lose out on an exclusive, limited-time offer. The aim is to get the target to act immediately, so there is less time available to question whether the request is valid.
Action: Take time to consider the request.

Hyperlinks - Fraudsters disguise malicious web links behind text that appears to be a genuine link. The real destination can be a completely different address from the one presented to the user, or it can imitate a popular website with a misspelling, to trick the user into believing it is genuine and clicking it.
Action: Hover over the link to reveal the real destination; look for unknown, unexpected or misspelled links.

Attachments - These often disguise malicious payloads (malware or viruses) or malicious links.
Action: Question whether the attachment seems genuine and is expected; if it doesn’t make sense, don’t open it!

Unusual or Unexpected Sender - The email is from someone you don't know, or from someone you do know but seems out of the ordinary.
Action: Don’t click links or attachments. Seek to verify the legitimacy of the request before taking action.

Junk Email - If the email arrives in your junk folder, be highly suspicious of it. This is often a strong indication that there is something wrong with the email.
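The hyperlink sign above (visible text pointing at one address while the real link goes elsewhere, or a misspelled lookalike of a genuine domain) can be checked automatically. The following is an added example, not part of the original page or any Durham University tool; it assumes a constructed list of domains the organisation expects genuine mail to link to, and a constructed sample email body.

```python
import re
from urllib.parse import urlparse

# Domains genuine mail is expected to link to (constructed list, an assumption for this demo).
KNOWN_DOMAINS = {"durham.ac.uk", "office.com", "microsoft.com"}

# Simplified anchor extraction for the demo; a production tool should use a real HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

def levenshtein(a, b):
    """Edit distance, used to spot one- or two-character misspellings of a known domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def strip_www(host):
    return host[4:] if host.startswith("www.") else host

def host_of(url):
    """Host actually targeted by an href (what 'hovering over the link' would reveal)."""
    return strip_www((urlparse(url if "://" in url else "http://" + url).hostname or "").lower())

def check_links(html):
    """Return (href, reason) for each link showing one of the hyperlink warning signs."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        real = host_of(href)
        visible = re.sub(r"<[^>]+>", "", text).lower()      # domain written in the visible text, if any
        m = DOMAIN_RE.search(visible)
        shown = strip_www(m.group(0)) if m else ""
        if shown and shown != real:
            findings.append((href, f"text shows {shown} but link goes to {real}"))
            continue                                        # already flagged; skip lookalike test
        for known in KNOWN_DOMAINS:
            if real != known and not real.endswith("." + known) and levenshtein(real, known) <= 2:
                findings.append((href, f"{real} is a near-miss of {known}"))
    return findings

# Constructed sample body: one mismatched link, one lookalike domain and one genuine link.
SAMPLE_EMAIL = """<p>Your parcel could not be delivered. Confirm your address at
<a href="http://203.0.113.5/confirm">durham.ac.uk/delivery</a> within 24 hours, or
<a href="https://durharn.ac.uk/reset">reset your password</a>.
<a href="https://www.durham.ac.uk/">Durham University</a></p>"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```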

How to report Phishing?

As these types of emails can be disruptive and sometimes unpleasant, we have set up countermeasures to help you report these attempts. Depending on how you view your email, you can report them using the 'Report Message' button in the Microsoft Outlook desktop client (top right corner of the email window). If you are using the web email version, click the “More actions” button in the top right corner of the email window; you can find “Report Message” second from last on the list of options.

Alternatively, you can forward the email to phishing@durham.ac.uk. If you have any questions, please contact the IT Service Desk.  


Whether you are working from your home PC or your Durham University device, here are a few tips to consider when working remotely:

General tips:

  • Lock your PC whenever you’re stepping away from it.

  • Restart your PC at least once a day. This will ensure all the unimportant, temporary data is removed and your computer is refreshed.

  • Ensure you are set up to work in a quiet area of your house.

  • Avoid using free software and instead use the approved suite of applications available on AppsAnywhere to process University data.

  • Use the official Microsoft Outlook mobile app from the Google Play / Apple store or the web view in your mobile browser (https://outlook.office.com) to access your Durham University email on your personal or work smartphone. Avoid using any other types of email apps, as their security arrangements, backups and the locations where the data are processed may not be suitable for University information.

  • Avoid downloading or viewing University related attachments (e.g. confidential documents) on your personal smartphone; viewing often involves auto downloading the attachment before it is opened.

  • Be vigilant and avoid opening unsolicited emails on your smartphone. Due to the high usage of smartphones, fraudsters use phishing campaigns tailored for mobile devices as one of their primary means of tricking people into clicking malicious links or downloading malicious attachments.

If you are working from your Durham University PC:

  • Treat working remotely as if you were working from the office. Avoid discussing work-related matters with anyone other than the colleagues relevant to the work/project you are involved in.

  • Avoid writing your work PC password on sticky notes / notebooks. Reset it if you can’t remember it.

  • If working from a laptop, store it in a safe place once you have finished working on it for the day.

If you are working from your home PC:

  • Avoid downloading copies of confidential documents to your personal PC from your Durham University OneDrive.

  • Personal drives (e.g. OneDrive, Google Drive, etc.) should not be used to process or store Durham University confidential material. Such services are often hosted outside the European Economic Area (EEA) and are therefore in breach of data protection law (if personal data is stored there) which may expose the University to legal scrutiny.

  • If you share the same PC with someone else (and/or use the same password), you should avoid leaving the computer unlocked and terminate any University sessions when leaving it or when it isn’t in use. You should also avoid options such as “remember my password” or “stay logged in” on that PC – although convenient when resuming work, this presents a potential risk where confidential data can be exposed.

  • Ensure your PC has up-to-date anti-malware software installed and active, and that automatic updates are enabled so it stays up to date with the latest improvements and security patches.

  • Apply the latest security patches that are made available for your PC’s operating system (e.g. Windows, Mac OS X, etc.).


What is Email?

Email is the most commonly used form of online communication today. Whether at work, or requesting support for a recent purchase, chances are most of these activities are done via email. While it is mostly used for legitimate communication purposes, fraudsters use email to deliver malware or steal information, through scam or spam emails or by impersonating individuals in positions of power.

How safe is email?

Because email can be intercepted as it travels from the sender to the recipient, it shouldn't be treated as a safe medium for communication. It is therefore important to consider the following when communicating via email:

  • Avoid emailing confidential information (e.g. card details, passwords, etc.) in clear text. Encrypt it before sending (e.g. using 7-Zip) and ensure the recipient can process the encrypted information.

  • Use alternative sharing options for confidential information, as much as possible (e.g. Microsoft OneDrive, included with your university email).

  • Always check the email address of the individual(s) you are contacting to avoid sending information to the wrong recipient(s).

  • Log in to your email using a trusted email client (e.g. Microsoft Outlook) or equivalent web interface (e.g. https://portal.office.com).

  • If using forwarding rules, ensure the same level of security is applied to the email address the information will be forwarded to.

  • Avoid opening any attachments or clicking any links from unsolicited emails. Also avoid responding to them.


What is Malware?

Malware, short for “malicious software”, is a catch-all term for any malicious program, such as a virus or ransomware. These are designed for various purposes: from damaging programs or deleting files (viruses), to encrypting all hard drive contents and demanding a ransom before these can be accessed again (ransomware). Other common types of malware include spyware, adware, worms, Trojan horses, bots, bugs and rootkits.

How does it work?

Some malware, such as spyware, is used to track your online activity (e.g. browsing history); other tracking activities include keylogging, used to detect and intercept the characters you type on your device’s keyboard with the aim of stealing your information, such as login credentials (username and password) or financial information (debit or credit card numbers, CVV codes, etc.). Other malware, for example scareware, poses as a genuine software download or asks you to install an urgent-sounding update to keep your computer up to date or to protect it against a known threat (e.g. a virus).

To protect against malware:

  • Ensure your computer has a firewall enabled and reputable anti-virus software installed.

  • Keep your software up to date. This helps protect your device against known bugs and vulnerabilities.

  • Back up your information regularly. This will help you recover your information quickly, in case of your device being compromised by malware.

  • Be careful when downloading software. Make sure it comes from a reputable source. Be suspicious when receiving emails with attachments, or when a website offers you to download a file unexpectedly (such as updates to a known program).

  • Apply the same level of caution online as you do offline. Online actions can have offline consequences, and vice versa.

  • On mobile devices, be suspicious of applications asking for too many permissions other than what they are intended for (should a keyboard application have permissions to access your location?).

  • Ensure your devices are encrypted.

How to spot Malware?

  • You’re being offered or told to download something from a website that you haven’t visited before and doesn’t look legitimate, or from a stranger who’s sent you an email.

  • Your internet connection or the computer’s general performance suddenly becomes very slow, you can’t access files or programs, or you’re unable to log in at all.

  • There are signs other people have accessed password-protected accounts, or your bank statement shows purchases or withdrawals you can’t remember making.


What is a Password?

Making sure your personal information remains protected at all times while browsing or communicating online can be challenging in today’s connected world. Passwords help protect the security of your accounts, including those accounts which allow you access to the University’s IT facilities. They ensure that only you, the authorised user, can access them. However, they are limited in preventing fraudsters from gaining unauthorised access as they can find them in various ways, such as:

  • Tricking users using social engineering (e.g. phishing emails).

  • Previous data breaches. Fraudsters use leaked passwords on multiple platforms where users might have used the same password.

  • Watching someone type in their password (also known as “shoulder surfing”).

  • Guessing. Fraudsters use known information (name, date of birth, information found on social media platforms, etc.) and combine it to form passwords.

  • Keyloggers. Computer programs designed to intercept passwords when they are typed by the user.

  • Finding passwords on documents stored on the device (if found unlocked), or sticky notes left in plain sight attached close to the device.

  • Brute-force attacks. Widely automated, these try large numbers of passwords until the correct one is found.

It is important to understand the risks associated with using a weak password. The weaker the password, the easier it is for fraudsters to gain unauthorised access to your accounts. It is therefore important to understand what to avoid and what to consider when creating a password.

What to avoid when creating a password?

  • Words which can be found in a dictionary (English or foreign), or such words written backwards.

  • Names of family members, pets, friends, co-workers, favourite movie characters, birthdays and other personal information such as addresses and phone numbers.

  • Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.

  • Any of the above, either preceded or followed by a digit or an easy-to-guess sequence of digits (e.g. secret1, secret123, 1secret).

What to consider when creating a password?

  • Use a minimum of 8 characters for each, with a combination of upper case, lower case, numeric, and special characters. To help with this, use a password randomiser; there are a number available online. A password example would look like this: B3b7?y7jXQ!

  • Use three random words that are not related with each other, in combination with a few special characters. This will make it easier to remember, and more difficult to guess by fraudsters. An example would look like this: performance.landscape.mile!
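The “what to avoid” and “what to consider” rules above can be expressed as a checker that reports which rule a candidate password breaks. This is an added example, not a Durham University tool; it assumes a tiny constructed word list in place of a full dictionary, and a caller-supplied list of the user's personal details (names, birth year) to screen for.

```python
import re
import string

# Tiny constructed word list standing in for a full dictionary (assumption for this demo).
DICTIONARY = {"secret", "password", "welcome", "summer", "durham", "letmein"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
# Three or more words of 3+ letters joined by special characters, e.g. performance.landscape.mile!
PASSPHRASE_RE = re.compile(r"[a-z]{3,}(?:[^a-z0-9][a-z]{3,}){2,}[^a-z0-9]*")

def is_run(s):
    """True for 'abcd', 'zyxw', '1234', '4321': every step is +1, or every step is -1."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}

def password_problems(pw, personal=()):
    """Return the 'what to avoid' rules that pw breaks; an empty list means it passes."""
    low = pw.lower()
    core = low.strip(string.digits) or low   # judge 'secret123' and '1secret' as 'secret'
    problems = []
    if core in DICTIONARY or core[::-1] in DICTIONARY:
        problems.append("dictionary word (possibly reversed) with digits added")
    if any(p.lower() in low for p in personal if len(p) >= 3):
        problems.append("contains personal information")
    if re.search(r"(.)\1\1", low) or (len(low) >= 4 and low == low[::-1]):
        problems.append("repeated or mirrored pattern")       # aaabbb, 123321
    windows = [low[i:i + 4] for i in range(len(low) - 3)]
    if any(is_run(w) or any(w in row or w[::-1] in row for row in KEYBOARD_ROWS) for w in windows):
        problems.append("keyboard or sequential pattern")    # qwerty, zyxwvuts
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if not all(classes) and not PASSPHRASE_RE.fullmatch(low):
        problems.append("needs upper, lower, digit and special characters, or three words plus specials")
    return problems

if __name__ == "__main__":
    for candidate in ("secret123", "Qwerty1!", "B3b7?y7jXQ!", "performance.landscape.mile!"):
        print(candidate, "->", password_problems(candidate, personal=("Rover", "2015")) or "OK")
```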

Other tips to consider:

  • Be suspicious of unexpected emails (see “Phishing” under the “Social Engineering” section for further guidance).

  • Lock your computer or smartphone every time you’re stepping away from it.

  • Don’t share your passwords with anyone.

  • Avoid using the same password with multiple accounts (on the same or across websites). This minimises the risk of unauthorised access should one of your passwords be compromised.

  • Use a password manager if it becomes difficult to manage your passwords.

  • Enable Multi-Factor Authentication where available. This adds an additional layer of protection to your account. Begin by enabling this on your email and accounts that store personal and financial information.