Rutgers.eduDuring periods of local, national, or global crises — global pandemic (i.e. COVID-19) or natural disaster (i.e. Hurricane Sandy), etc. — and other global events (like the Olympics), threat actors are hard at work taking advantage of vulnerable individuals, systems, and government resources for financial, political or other gain. Unfortunately, these national or global events provide opportunities for threat actors to employ various cyber threat strategies from ransomware to social engineering. These attack methods allow them to gain access to passwords, networks and other data or systems that lead to theft, fraud, or other undesirable outcomes like healthcare interruptions or power outages.
With these issues in mind, the Office of Information Technology encourages all members of our community to exercise caution to avoid scams and report cyber threats that seek to exploit any global or national crises.
The Federal Trade Commission, FBI, and Center for Internet Security are a few of the trusted sources that regularly report various scams and cyber threats currently being exploited against the public and private sectors. Below you will find some examples of current scams to be aware of, and the ways in which you can report these scams at Rutgers.
| Cyber Threat | Tip |
|---|---|
| Unemployment fraud: An unstable job economy due to Covid-19 and other global events has forced states to expedite unemployment claim reviews, and scammers are taking advantage. Fraudulent unemployment claims made with stolen social security numbers and other personal data have skyrocketed post-pandemic, both in New Jersey and across the country. | A few things to be on alert for include the following:
|
| Phishing exploits – Email and other scams: Cyber threat actors will utilize emails, texts and even phone calls to spread fear as a social engineering tactic. Their goal is to get individuals to click on links that may contain malware or redirect users to bogus websites, send money or cryptocurrency, or divulge sensitive Rutgers information. Misinformation can also be used to influence behavior, such as to mislead the public about national or global events. These phishing scams may also request individuals to provide personal, healthcare, or financial data. Note: Other threat opportunities may involve scams that exploit proposed government assistance efforts — i.e. location of testing sites; government stimulus funds and associated programs; etc. | Never respond to, click on links, or open attachments in emails or texts from unknown sources, and always verify a caller is who they say they are before providing any information. It is always important to know the different ways in which the university, your physician, and other professionals typically interact with you. For example, Rutgers IT will never ask for your password to be sent via email. No matter the scenario, certain behaviors or processes will not change, so any deviation of the norm can be suspicious! Individuals: DO NOT provide personal, healthcare or financial data via email, text, a website, or over the phone unless the source has been verified. Faculty & Staff: VERIFY changes to or requests for payments. Ensure that third-party vendors know the protocol for submitting payments to the university (to avoid wire fraud or purchase order scams). Ensure that faculty know that deans and department chairs will never send them an email request to purchase gift cards (BEC scams). Always verify the source of any email, text or phone call request for personal, financial or other restricted data (see Information Classification Policy 70.1.2 for each data classification definition). |
| Bogus websites: Cyber threat actors are notorious for “spoofing” websites, i.e. creating false copies of legitimate websites to mislead the public. Common approaches involve copying the login screen of popular services (banks, Microsoft Office, Dropbox, social media, e-commerce sites, or even the University) to steal login or financial information, as well as spread misinformation on national or global events with false news articles or ads. | To avoid falling victim to these scams, always use trusted resources for information and VERIFY the service you are trying to log into before entering your password. One way to verify a website is legitimate is to double-check the URL (in the address bar at the top of your web browser). If the URL doesn’t start with ‘https’ or doesn’t match what you would expect (for example, ‘www.rutgers.com’ instead of ‘www.rutgers.edu’), DON’T log in! |
| Social media exploits: Social media provides threat actors with a lot of information they can use for social engineering attacks and spreading misinformation. These attempts can include fake news articles, ads, or other messages to influence victims into providing their personal information to purchase products or sign up for services. Threat actors will also utilize social media for bogus crowd funding requests, ‘romance scams,’ marketplace fraud, and more. | Even if someone on social media appears legitimate, exercise caution when choosing who to interact with online. Cyber threat actors are very savvy and can spoof or compromise legitimate social media accounts for financial exploits. |
| Mobile device exploits via texts or apps: Cyber threat actors can utilize links within texts, downloadable files/images, or legitimate-looking mobile apps to download malware to your device and steal personal and/or financial information, activate your microphone or camera without permission, or lock your device and demand payment (ransomware). | Clicking on links, saving files/images, or downloading apps on our mobile devices should never happen without first verifying the source is legitimate. Always double-check the permissions an app requests access to; if a mobile app asks for something unnecessary (like access to your camera or location), reconsider clicking ‘Allow’! Avoid falling victim to these scams and get updates via trusted sources as outlined in this article. DO NOT click on links sent via text from unsolicited sources. |
| Internet of Things (IoT) and “Smart” Devices: When designing and manufacturing “smart” devices, frequently a company’s focus is more on features, less on security. Devices that rely on Bluetooth or your home’s WiFi connection may have security loopholes or vulnerabilities that cyber threat actors can use to launch an attack on your network, either to steal information or conduct reconnaissance for a future social engineering scam. | Always change the default password that come built into a device with a strong, unique password, and enable multi-factor authentication if available. Keep a running inventory of smart devices in your home so you know what is connected to your network at any given time. Regularly update devices with security patches when available, and if you haven’t used a device in a while, consider disconnecting it from your network. Always factory-reset smart devices (if possible) before throwing them away or giving them to others to avoid potential data loss. |
How to report cyber threats
Whether you are working at the University or working/learning remotely, it is important to report any suspected scams, breaches, or theft to the appropriate parties as soon as possible to avoid additional impact. Learn how to report and what actions you should take.
Additional resources
Always utilize approved university IT resources and/or equipment when conducting university business.
Below is a listing of the various technology resources from Rutgers that should be utilized by faculty, staff and students.
- Technology Tools for Faculty
- Technology Resources for Students
- Technology Resources for Working Remotely
- IT Policies
- Reporting Suspected Scams, Breaches, or Theft
- Information Security Office website
- Digital Resources for Information Security Compliance and Awareness
*The information on this page was developed by the Office of Information Technology information security team.