- Use different passwords for different online services.
- Make your passwords long and complex.
- Use a password manager (LastPass, KeePass, etc.) to keep track of your passwords so you don't have to remember them.
- Don't click on links in emails. Hover over links in web pages to verify the URL they really go to rather than the text of the link.
- Don't send anything with sensitive personal information through email.
- Block Flash and Java by default with a browser extension. Chrome can also be set, in its settings, to block all plugins by default.
- Don't call 1-800 numbers listed in pop-ups. Only get tech support by reaching out directly to companies you know (Apple, Dell, Best Buy, ITS department, etc.).
- Run anti-virus and anti-malware software.
- Keep your computer software up to date.
- Use two-step authentication.
Email and Web Security: Phishing Awareness
The first step to protect yourself when using email is to realize that email is an open medium – anyone can send you emails. Also, it is fairly easy for someone to change the name that appears as the sender of an email and make it look like the email is coming from someone you trust. When that happens, it's called "spoofing" an email address. Another way that hackers can try to trick you into believing an email is legitimate is to first hack the account of someone you trust, and then use that account to send you fake emails. In both of these cases, it pays to always have a safely skeptical attitude when going through your inbox.
What is "Phishing"?
Phishing is the term used to describe hackers trying to steal your login credentials or other information by sending you fake emails.
"Spear phishing" is a term for phishing that is targeted specifically at you or an organization that you are a part of. With spear phishing, hackers may study you, your colleagues, and the way your organization operates and then try to mimic what you are used to in order to trick you. For example, they may send you an email that looks like it is coming from one of your colleagues or the president of your organization. They may also build fake websites that look like the ones you are used to in order to get you to sign into those fake websites.
Things You Can Do
- Be aware that email is an open medium just like the web
- Be skeptical of incoming messages, even if they look like they are coming from people you trust
- Use the tools listed below to check the authenticity of emails and websites
- Be wary of attachments and links, especially if they prompt you to sign in to websites or provide credentials to open them. Always navigate directly to websites instead of clicking links in emails.
- Contact a colleague or the Information and Technology Services department for help.
Gmail provides tools for verifying the details of email messages. The easiest of these to use is the drop-down arrow next to the sender's name. Click on it to reveal details. As you can see below, one quick test is to check whether the email address of the sender is actually the real address you would expect.
An Obviously Fake ("Spoofed") Dominican Email
Let's assume Jane Smith is an authority figure at Dominican. If you received the email below, you could check to see if firstname.lastname@example.org really sent it. In this case, the email address doesn't look like a Dominican address at all. This is just one way to test the authenticity of an email. Remember that if Jane Smith's email account was hacked, even this check wouldn't be foolproof. But it's a great way to uncover obviously "spoofed" emails.
A Dominican Email That is More Likely to be Legitimate
In the case below, we can see three things:
- The email address looks like a real Dominican email address (good!)
- The email was sent by dominican.edu (good!)
- The email was signed by dominican.edu (good!)
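The three checks above can be applied to a raw message as well as to Gmail's detail view. The following is an added example, not part of the original page, that reads the From header and the Authentication-Results header of two constructed sample messages (neither is real mail). It assumes that the "sent by" and "signed by" lines correspond to the SPF domain (smtp.mailfrom) and the DKIM signing domain (header.d) recorded in Authentication-Results; the domain names ending in .invalid are placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# The domain the reader expects the sender to belong to.
EXPECTED_DOMAIN = "dominican.edu"

# Two constructed sample messages (not real mail). The first mimics the
# "obviously spoofed" case: a trusted display name over an outside address.
# The second mimics the more-likely-legitimate case described on the page.
SPOOFED_MESSAGE = """\
From: Jane Smith <jane.smith@mail-lookalike.invalid>
To: student@dominican.edu
Subject: Urgent: confirm your password
Authentication-Results: mx.receiver.invalid; spf=pass smtp.mailfrom=mail-lookalike.invalid; dkim=none

Please sign in at the link below to keep your account active.
"""

LEGIT_MESSAGE = """\
From: Jane Smith <jane.smith@dominican.edu>
To: student@dominican.edu
Subject: Agenda for Thursday
Authentication-Results: mx.receiver.invalid; spf=pass smtp.mailfrom=dominican.edu; dkim=pass header.d=dominican.edu

The agenda is attached.
"""


def domain_of(address):
    """Return the lower-cased part after '@', or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def same_org(domain, expected):
    """True for the expected domain itself or any subdomain of it."""
    return domain == expected or domain.endswith("." + expected)


def check_message(raw, expected=EXPECTED_DOMAIN):
    """Apply the page's three checks to one raw message and return the results."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(address)

    # Assumption: Gmail's "sent by" and "signed by" lines reflect the SPF
    # (smtp.mailfrom) and DKIM (header.d) domains in Authentication-Results.
    auth = str(msg.get("Authentication-Results", ""))
    spf = re.search(r"spf=pass\s+smtp\.mailfrom=([\w.-]+)", auth)
    dkim = re.search(r"dkim=pass\s+header\.d=([\w.-]+)", auth)
    sent_by = spf.group(1).lower() if spf else ""
    signed_by = dkim.group(1).lower() if dkim else ""

    results = {
        "display_name": display_name,
        "address": address,
        "address_ok": same_org(from_domain, expected),    # check 1
        "sent_by_ok": same_org(sent_by, expected),        # check 2
        "signed_by_ok": same_org(signed_by, expected),    # check 3
    }
    results["verdict"] = (
        "passes the three checks"
        if all((results["address_ok"], results["sent_by_ok"], results["signed_by_ok"]))
        else "suspicious"
    )
    return results


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, check_message(raw))
```

As the page notes, a message that passes all three checks can still come from a compromised account, so a "passes" verdict lowers suspicion but does not replace the advice to navigate to websites directly rather than through emailed links.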
It is best to navigate directly to websites, and not click links in emails. But how can you tell if a website is legitimate? Look at the address in the address bar at the top of your browser and learn how to read it. Details are below.
Examples of Non-Legitimate Dominican or Google Websites
The examples below are NOT Dominican websites. You can tell because the "domain name" (the part of the address right after HTTP or HTTPS) is not (something).dominican.edu. Instead it is some other domain, followed by information that is made to look like Dominican in some way.
Example of a non-legitimate Google website:
Note: Dominican business is not always limited to only Dominican or Google websites. Sometimes, we may use other companies' services. However, in those cases, you should be aware of those services as being delivered via legitimate companies and web addresses (URLs). Understanding how to read a website address will help you figure out whether a website is providing a legitimate service for the university or not.
Note: Does the "green padlock" in the images below mean a website is legitimate? No. The padlock only means that the information being passed back and forth to that website is encrypted. You'll need to look at the actual structure of the address to determine if the website is legitimate. Details are below.
Examples of Legitimate Dominican or Google Websites
Real Dominican websites will start with dominican.edu or (something).dominican.edu right after HTTP or HTTPS. Below are examples:
Similarly, a real Google website will start with google.com or (something).google.com:
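The rule in the two paragraphs above (the domain name right after HTTP or HTTPS must be dominican.edu, google.com, or (something). in front of one of them) can be written down so that the lookalike patterns the page warns about are caught mechanically. The following is an added example, not part of the original page; the sample addresses are constructed (every .invalid name is a placeholder, and none of them are real sites). It also covers the padlock note above: an https address is still reported as not trusted when the domain is wrong.

```python
from urllib.parse import urlsplit

# Domains the page calls legitimate: the domain itself or any (something). prefix.
TRUSTED_DOMAINS = ("dominican.edu", "google.com")

# Constructed sample addresses; none of these are real sites.
SAMPLE_URLS = [
    "https://www.dominican.edu/admissions",
    "https://mail.google.com/mail/",
    "http://dominican.edu.account-check.invalid/login",   # trusted name used as a prefix
    "https://secure-portal.invalid/dominican.edu/signin",  # trusted name only in the path
    "https://dominican.edu@secure-portal.invalid/",        # trusted name before an '@'
    "HTTPS://DOMINICAN.EDU/",                              # upper case is still the same host
    "dominican.edu/login",                                 # typed without a scheme
]


def host_of(url):
    """Return the lower-cased host part of a URL, or '' if none can be found."""
    if "://" not in url:
        url = "https://" + url      # treat a bare address the way a browser would
    return (urlsplit(url).hostname or "").lower()


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """The page's rule: the host is a trusted domain or ends in '.' + that domain."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify(url):
    """Return (host, trusted, note) for one address."""
    host = host_of(url)
    trusted = is_trusted_host(host)
    uses_https = url.lower().startswith("https://")
    if not trusted and uses_https:
        # The padlock case from the page: encrypted, but not a trusted domain.
        note = f"uses https (padlock), but the domain is {host}"
    else:
        note = f"domain is {host}"
    return host, trusted, note


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        host, trusted, note = classify(url)
        print(f"{url:<55} {'trusted' if trusted else 'NOT trusted':<12} {note}")
```

The three lookalike samples show why the page says to read the address rather than search it for a familiar name: the trusted domain appears in every one of them, but only the host that the browser actually connects to matters, and that host is whatever comes between the scheme (and any '@') and the first slash.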
If you have any questions about how to read website addresses, please feel free to reach out to the Information and Technology Services department for assistance.