Carnegie Mellon University
July 18, 2016

Stay Alert for Email Scams and Ransomware

Dear Faculty and Staff,

I am writing to alert you to a number of recent email-based scams and how they have impacted faculty and staff at Carnegie Mellon.

Earlier this year, I sent an alert about email scams, aka phishing attacks, targeting our community with the goal of collecting login ids and passwords. (See "Campus Scam Alerts" on the ISO's website under News & Alerts.) We are now seeing unauthorized use of login ids and passwords gathered during those or similar phishing attacks to change direct deposit information in Workday. No actual payroll losses have occurred thanks to collaborative response efforts, but more than a dozen victims temporarily lost access to their Andrew account while the matter was being resolved.

Email scams are also being used to deliver ransomware via malicious attachments or links to malicious websites. Ransomware is a particular type of malware that encrypts all of the files accessible to the infected computer before demanding that a ransom be paid to unlock them. It is one of the fastest growing cyber threats. Without good backup copies of their electronic files, victims of ransomware are stuck paying the ransom or trying to reconstruct their files from other sources. 

We urge the community to remain vigilant for email scams and to follow these safety reminders:

  • Periodically change your password; as we've seen, scammers can easily fake CMU's login pages and they sometimes wait months before using your login id and password - a periodic password change will protect you even if you aren't aware of having been "phished";
  • Check with the alleged sender before clicking on links or opening attachments in unexpected email;
  • Verify URLs or use reliable bookmarks to navigate to university services - especially login pages;
  • Promptly address email that alerts you to unexpected changes to your Workday information;
  • Promptly report any possibility of having shared your login id and password;
  • Verify that you have restorable backup copies of your electronic files and make sure that those copies are not always accessible from your computer since ransomware will attempt to encrypt any storage your computer can access including mapped drives and removable media.

If you receive suspicious email or suspect ransomware or other malware may be infecting your computer, please report as soon as possible to The sooner we know, the sooner we can mitigate the impact to you and to the community. Visit the ISO's websites for more security safeguards as well as procedures for responding to suspected compromise.

Please know that Computing Services and campus partners are working on additional ways to help the community mitigate security threats including augmenting traditional login ids and passwords with stronger authentication options. Stay tuned for more information regarding two step login capabilities in the coming months.

From the entire ISO team, thank you for remaining vigilant, reporting concerns, following procedures, and assisting in our response efforts. We need and value your partnership.


Mary Ann Blair

Director of Information Security

Carnegie Mellon University