This Week’s Cybersecurity News, 10/06/2023

It’s Friday, everyone!

Today I want to let you know about a series of current threats using QR codes, as well as some additional information about DocuSign. I also need to talk about compromised websites.

Current Threats

  • QR Codes (phishing)
    • We are getting several phishing attempts in our emails that contain QR codes.
    • A QR (or Quick Response) code is a two-dimensional square barcode that you scan using a smartphone and typically contains information within the code such as a URL for a website.
    • One email looks like Microsoft is telling you that your password is expiring.
      • Remember that our passwords are tied to our NetIDs!
    • Another email looks like Microsoft is telling you that your Microsoft 2FA Security Authenticator access is expiring.
      • We don’t use Microsoft 2FA Security Authenticator.
    • Yet another email is about compensation adjustment, salary increase, and insurance revision.
      • This information would not come from one email source.
    • These emails all have three things in common.
      • The senders’ email addresses don’t match up with who is supposedly sending them.
      • They include QR codes.
      • They are scams.
    • QR codes have become quite popular, but they are a bigger risk than ever.
    • The problem with a QR code is that it can reroute you to a fraudulent website that gathers your information or it can include malware that will be installed when you scan the code.  
    • In fact, the FBI has issued warnings about tampered QR codes, as they are such a growing concern.
    • If you receive an unexpected email that contains a QR code, please do not scan the QR code.
    • If someone sends a real QR code, the email should contain the actual website, as well.
    • If there is no website, it’s likely a malicious code, and if there is a website, please take a little extra time to type it in.
    • If you receive an unexpected/unrequested email with a QR code, please forward it to OIT Abuse using these instructions for Reporting Phishing Attempts.
    • And in addition to fraudulent QR codes being in your email, they can be found on valid websites, but the code may be a fraudulent overlay that can redirect users to the hacker’s malicious site.
    • Also, please be cautious of QR codes used for things like parking meter payment, announcements on businesses’ doors or easels, utility or government flyers, items sent via USPS mail, etc.
    • I don’t recommend using QR codes, but if you do decide to scan any QR code, carefully check the web address to ensure it is the intended site and there are no typos or misspellings (even one letter off!).
  • DocuSign (phishing)
    • Last week I reminded everyone about fake DocuSign scams.
    • You can find that information at This Week’s Cybersecurity News, 09/28/2023.
    • We are still seeing this and it is often hard to tell if the email is real because the sender’s fake address is often so closely related to the real address.
    • I stress that you should ALWAYS sign into your docusign.com account using the @tennessee.edu address to find authentic documents to be signed, as this is the only way to ensure legitimacy and keep it in your DocuSign history.
    • I also want you to forward those scam emails to OIT Abuse using these instructions for Reporting Phishing Attempts.
    • I have also found that DocuSign wants to know about them.
    • So in addition to forwarding to OIT Abuse, please follow the DocuSign instructions to Report security concerns to them.
    • The more we work together to notify the right people about scams, the more secure we can be.
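
For readers who want to automate the web address check from the QR code advice above, the following is an added example, not part of the original newsletter. It classifies a URL decoded from a QR code against a short list of expected domains and flags near-miss spellings; the sample URLs in the usage are constructed, and the allowlist and function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the sites a reader actually expects to reach. Both domains are
# named in this newsletter; replace the set with your own expected sites.
EXPECTED_DOMAINS = {"tennessee.edu", "docusign.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_scanned_url(url: str, expected=EXPECTED_DOMAINS) -> str:
    """Classify a decoded QR URL as 'expected', 'lookalike' or 'unknown'."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:          # malformed authority, e.g. an unclosed bracket
        return "unknown"
    if parts.scheme != "https" or not host:
        return "unknown"
    if parts.username is not None:
        # "https://docusign.com@other.example/" really goes to other.example.
        return "lookalike"
    if any(host == d or host.endswith("." + d) for d in expected):
        return "expected"
    labels = host.split(".")
    for domain in expected:
        # Compare the same number of trailing labels as the expected domain.
        tail = ".".join(labels[-(domain.count(".") + 1):])
        if 0 < edit_distance(tail, domain) <= 2:      # one or two letters off
            return "lookalike"
        # Expected name used as a prefix or inside another host name.
        if any(domain.split(".")[0] in label for label in labels):
            return "lookalike"
    return "unknown"
```

A result of 'unknown' only means the address is not on the allowlist and does not resemble it; it is not a statement that the site is safe.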

Compromised Websites

  • In This Week’s Cybersecurity News, 09/13/2023, I told you about a new threat that affected sites with plugins that had not been updated.
  • The threat preyed upon users who had not restarted their browsers to finish installing the latest browser update.
  • If you are using a third-party web hosting service, please understand how much risk your site may be facing.
    • Does the contract or agreement with the third-party web hosting service contain the necessary language covering what happens in the event the site is compromised?
    • Is it clear who is responsible for keeping the site securely protected (this should be the host since it is their IP space!)?
    • How will they provide proof that the site is cleaned, what happened, how it happened, and what was actually cleaned?
  • If the host provider is not willing to take the responsibility when their IP space and any site they are managing is compromised, then you should not do business with them.
  • Using the services provided by the ITS Web Team can help mitigate potential risks.
  • If you are currently using a third-party host service and you now better understand the risks you are facing, please consider moving to an internal site.
  • To request the assistance of the ITS Web Team, you can submit a Project Request and see the UTIA WordPress Guide for more information about UTIA’s WordPress environment.
  • And if you have any questions or concerns, please let me know.

Thank you so much for all you do, including your questions, comments, concerns, and alerts. It’s because of your help that I can better help everyone at the Institute.

Sandy

Important Note: Thank you so much for sharing these e-newsletters with family, friends, clients, students, and anyone else who may benefit from the information. I would like to stress that you should keep your students in mind, as non-employee students will not get this information without someone sharing. If anyone has an email group for students who are not employees of your department, please let me know what that address is and I can include it. I do this as a blind copy so student names and addresses will not show up!