This Week’s Cybersecurity News, 02/04/2025


Hello, everyone.

I am dedicating this week’s newsletter to a very current and serious threat that has affected several users across the UT System. This scam has affected banking information for these users. I want to explain how this could happen and give you tips on how to prevent it from happening to you.

Current Threat

  • Direct Deposit Changes
    • I am hearing from various people across the UT System that users have noticed their direct deposit information has recently been changed without their knowledge or approval.
    • In order to make a change such as this, you would have to log in with your NetID and password, then approve a Duo alert on your smartphone to be granted the necessary access to make that change.
    • Duo impersonation is a method hackers have used to be able to gain access to your direct deposit information.
    • What is happening is very alarming because of how multifactor authentication is supposed to prevent this kind of activity.
    • Each of these accounts has been compromised in some way, but not always in the same way.
    • There are different ways a hacker can get into a user’s account.
      • The hacker may create a fake login page that looks almost identical to the real thing, so once you log in the hacker will have your password. (Think of all the emails we get saying that we need to change our password immediately or that we need to verify our Microsoft 365 account by clicking on the link.)
      • Once the hacker knows your password, they can use your credentials to add their smartphone to your Duo account, moving their device to the top of the list of activated devices so it will get the push notifications.
      • A hacker who already has your password may also trigger a Duo push themselves, hoping you will accept it; if you do, the hacker gains access.
      • And there may be certain instances where you may receive a phone call from someone claiming to be Duo and saying that your device is no longer configured for a push.
    • To make sure your direct deposit information has not changed, log into DASH and check your information under “Pay.” I highly recommend you do this regularly before each payday.
    • Follow the tips below for making sure you aren’t unexpectedly sharing information with hackers that could allow this kind of change.

Important Security Tips

  • Tips for Making Sure Duo is Secure
    • Duo, or any multifactor authentication product, is meant to provide an extra layer of security but you have to be sure you are doing your part to make it secure.
    • First, make sure the list of device(s) you have approved for receiving Duo alerts is correct.
      • Go to tiny.utk.edu/manage2fa to see if there are old devices or devices you have never heard of on the list.
      • If you no longer use a device on the list, you can remove it.
      • If there are devices on the list that you did not add, please let me know right away.
      • If you get a new device you can follow the instructions on OIT’s website for Managing Duo Devices.
    • Pay extremely close attention to the Duo push alerts and never approve any alert you did not initiate.
    • I know the alerts can become mundane and we tend to click to approve without even thinking of what it may be, but don’t approve it unless you were logging into something that requires it.
    • I highly recommend that you choose the option for “No, other people use this device” so that Duo does not remember your device for future logins.
      • While this may be a hassle to authenticate for each login to the same CAS-related site, keep in mind that MFA is designed to add that extra layer of security for EACH login.
      • If your account were to be compromised, this means the hackers can get into the sites you have directed to remember you.
      • A few seconds to approve a Duo push is a whole lot better than the amount of time it could take to get your direct deposit straightened out and your pay recovered.
  • Tips on Emails
    • Emails are getting harder and harder to verify these days, especially when the email contains a link, an attachment, or some directive to take action.
    • The first thing you need to do is ask yourself the following questions.
      • Do you know the sender?
      • If the sender looks to be from UT, is the sender’s address their known work address or does it have a non-UT domain in the address?
      • Are you expecting such an email?
      • Is the email using a sense of urgency to try to make you do something immediately?
      • Does the email tell you to only reply to the email and not call?
      • Does the email include identifiers you would expect to see (i.e., logos, signatures, etc.)?
      • Does the email contain really poor grammar, spelling, punctuation, formatting, etc.?
      • Does the content make any sense to have come from the supposed sender?
    • If there is anything that leaves you with even the slightest doubt or concern, please do NOT take action based on what the email says to do.
    • Instead, if you know the supposed sender, call their known phone number to verify they sent it; do not reply to the email and do not rely on any phone number in that email.
    • Do not click on any links if you are not 100% certain.
    • Remember that neither UT nor the HelpDesk will ever send you an email telling you that your email account or your Microsoft 365 account is going to be deactivated immediately if you don’t verify by clicking on the link in the email.
    • Even if you are certain of the link, it is always best to right-click the link, then choose Copy Hyperlink, then paste the link in the browser’s address bar. (Copying and pasting can prevent the installation of malware caused by clicking the link.)
    • Do not open attachments that you are not 100% certain are legitimate.
    • You can always forward the email to me and I will help determine if it is legitimate or not.
    • If you know the email is a phishing scam, please click the red “Report” button in your Outlook ribbon and choose “Report Phishing.”
    • If you still don’t have the Report button, please forward the email to abuse@utk.edu until the Report button is made available in your Outlook version.

  • Running a Full Scan using Windows Defender
    • If you ever click on something you shouldn’t have or you think you may have malware or a virus, then run a full scan using Windows Defender.
      • Go to the bottom left corner of the system tray (along the bottom of the screen), then click the “^” so you can click on the Windows Security shield.
      • A screen will appear that shows “Security at a glance” and you will see “Virus & threat protection,” so click on that.
      • The screen will now show you the last time a scan was run, as well as the date, time, and type of scan.
      • Click on “Scan options” here.
      • When the screen shows your options, click the button beside “Full scan” and then click the “Scan now” button.
      • This scan will take longer than the Quick scan but it will scan every file on the hard drive instead of a limited selection.
      • You can continue to work during the scan.
      • Once the scan is finished, it will tell you if there was anything found, cleaned, quarantined, or otherwise.
      • If the scan finds threats, please let me know right away if Defender did not clean or contain them.
    • And please know that if you need my help because you accidentally clicked on something, I am just a phone call away and I don’t judge!
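For anyone who prefers to run the same full scan from a PowerShell window instead of clicking through the Windows Security app, here is an added example. It is not from this newsletter or from OIT; it assumes a Windows PC with Microsoft Defender Antivirus active and a PowerShell window opened as administrator, and it uses only the built-in Defender cmdlets (`Get-MpComputerStatus`, `Update-MpSignature`, `Start-MpScan`, `Get-MpThreatDetection`, `Get-MpThreat`). The function name `Invoke-DefenderFullScan` is my own choice.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the newsletter: run a Defender full scan and report
# what it found, mirroring the "Scan options -> Full scan -> Scan now" steps.

function Invoke-DefenderFullScan {
    # 1. Confirm Defender is the active antivirus before relying on it.
    $status = Get-MpComputerStatus
    if (-not $status.AntivirusEnabled) {
        throw "Microsoft Defender Antivirus is not enabled on this PC; another product may be in control."
    }
    Write-Host ("Signatures last updated : {0}" -f $status.AntivirusSignatureLastUpdated)
    Write-Host ("Previous full scan ended: {0}" -f $status.FullScanEndTime)

    # 2. Refresh signatures so the scan uses current definitions.
    Update-MpSignature -ErrorAction Continue

    # 3. Run the full scan. Without -AsJob this call blocks until the scan
    #    finishes; like the GUI full scan, it takes much longer than a quick scan.
    $started = Get-Date
    Start-MpScan -ScanType FullScan

    # 4. Report detections logged since the scan started.
    $detections = Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $started }

    if (-not $detections) {
        Write-Host "Full scan complete: no threats found."
        return $false   # nothing to report to IT
    }

    # Severity IDs used by Defender: 0 Unknown, 1 Low, 2 Moderate, 4 High, 5 Severe.
    $severity = @{ 0 = 'Unknown'; 1 = 'Low'; 2 = 'Moderate'; 4 = 'High'; 5 = 'Severe' }
    $threats  = Get-MpThreat

    $needsFollowUp = $false
    foreach ($d in $detections) {
        $t = $threats | Where-Object { $_.ThreatID -eq $d.ThreatID } | Select-Object -First 1
        $name = if ($t) { $t.ThreatName } else { "ThreatID $($d.ThreatID)" }
        $sev  = if ($t -and $severity.ContainsKey([int]$t.SeverityID)) { $severity[[int]$t.SeverityID] } else { 'Unknown' }

        Write-Host ("Found: {0} [{1}] in {2}" -f $name, $sev, ($d.Resources -join ', '))

        # Defender did not clean or contain it, or it is still active: tell IT right away.
        if (-not $d.ActionSuccess -or ($t -and $t.IsActive)) {
            Write-Warning ("NOT cleaned or still active: {0}. Report this to IT now." -f $name)
            $needsFollowUp = $true
        }
    }
    return $needsFollowUp   # $true means "contact IT", matching the newsletter's advice
}

# Usage: run in an elevated PowerShell window, then dot-source or call directly.
# Invoke-DefenderFullScan
```

The return value is deliberately a single yes/no: `$true` means Defender found something it could not clean or that is still active, which is exactly the case the newsletter asks you to report right away. The signature refresh before the scan is a design choice, since a full scan with stale definitions can miss recent threats.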

Thank you so much for all you do to help keep the Institute’s data safe, as well as your own. And please let me know whenever you have any questions or concerns.

Sandy

Important Note: Thank you so much for sharing these e-newsletters with family, friends, clients, students, and anyone else who may benefit from the information. I would like to stress that you should keep your students in mind, as non-employee students will not get this information without someone sharing. If anyone else has an email group for students who are not employees of your department, please let me know that address and I can include it. I do this as a blind copy so student names and addresses will not show up!