Phishing emails that purport to be a "payroll notification" are actually an attempt to steal your password or personal information. Delete the emails; do NOT open the attachments or enter your BlazerID or password on any links enclosed.

The emails look similar to the images below:

[Images: Phish 012117; phish payrollnotification 012317]


This email is not related to the campus-wide simulated phishing campaign that UAB IT is using as a tool to educate campus users about phishing attacks that attempt to steal personal or financial information. Please visit uab.edu/phishing to get up-to-date information about the latest phishing attempts and tools to help you protect your information. Campus users can also download the PhishMe Reporter tool for one-click access to report phishing attempts. Follow UAB IT on Twitter for alerts on phishing attacks.

If you receive an email with a link such as “Click Here,” do the hover test. Hover your mouse over the link and look at the lower left pane to see where the link leads. Even if the page looks familiar, verify the URL or type in a URL you know before entering your information.

Look at the URL of the website you are visiting. 

To report suspected spam to AskIT, please follow the instructions here or download the PhishMe Reporter button for one-click reporting.

Follow these additional tips to avoid being a phishing victim:

  • Do NOT click links in messages that ask you to log in. Type a trusted Web address in your browser or Google for the Web site if you don’t know the address.
  • Never type personal, sensitive information (such as passwords or account numbers) on Web sites without verifying the Web site’s authenticity and security — look for an “https” in the address bar.
  • Verify the address. Malicious web sites may look identical to a legitimate site, but the address may use a variation in spelling or a different domain (.com vs. .edu).
  • Misspellings and grammatical errors can be a dead giveaway in phishing emails and subject lines.
  • If you are unsure whether a request is legitimate, contact the company directly. Do NOT use contact information provided in the request.
  • Don’t open attachments. They may contain viruses or malware that can infect your computer.
  • Protect your password. Information security and IT officials at both the university and UAB Hospital will never ask users for passwords or any other sensitive information.
  • Report suspicious activity. If you have any questions or you receive a suspicious email that you want to report, university employees and students can call the AskIT Help Desk at 205-996-5555. Hospital employees can call the HSIS Help Desk at 205-934-8888.
Research Data – The classification of research data depends on several factors, such as the type of data and/or contractual elements, and thus may fall into any of the classifications defined herein. Likewise, time of release and collaboration affect the classification of research data. As such, certain unpublished research data may be classified as private or sensitive until such time as the research is published.

Likewise, intellectual property that has not been disclosed to or protected by the IIE may need to be classified as sensitive. Additionally, federal laws, rules and regulations (including but not limited to FISMA, HIPAA, FERPA, and Export Controls), sponsor requirements, and UAB policies and guidelines will necessitate a certain classification.  

It is incumbent upon the Researcher to know the type of data, the circumstances governing the data, and classify it accordingly.  Once classified, the Researcher will need to maintain the data using the appropriate UAB system of record or database with the appropriate access and security controls aligning to the classification standard. For example, not all UAB data storage options are recommended for sensitive data. 

Research data shall also be maintained in accordance with UAB’s Record Retention Policy and record retention schedule. For more information about protected research data please refer to the UAB OVPRED or the UAB IT Data Officer.
University of Alabama at Birmingham

DATA CLASSIFICATION

December 19, 2016

1.0 Overview

The objective of this data classification requirement is to assist the UAB community in the classification of data and systems to determine the appropriate level of security.


2.0 Objective / Purpose

All UAB data stored, processed, or transmitted must be classified in accordance with this requirement. Based on classification, users are required to implement appropriate security controls.


3.0 Data Classification Requirements

To classify data in terms of its need for protection, use section 3.1 of this standard.  To classify data in terms of its availability needs, use section 3.2 of this standard.


3.1 Classifying Data According to Confidentiality and Integrity Needs

  Public Data:  Data that may be disclosed to the general public without harm.

  Examples: public phone directory, course catalogs, public research findings, enrollment figures, public web sites, general benefits data, press releases, newsletters, etc.

  Sensitive Data:  Data that should be kept confidential. Access to these data shall require authorization and legitimate need-to-know. Privacy may be required by Law or Contract.

  Examples: FERPA, budgetary plans, internal communications, proprietary business plans, patent pending information, export controls information and data protected by law.

  Restricted/PHI Data:  Sensitive Data that is highly-confidential in nature, and carries significant risk from unauthorized access. Privacy and Security controls are typically required by Law or Contract.

  Examples: Social Security Numbers, credit card numbers (PCI), personally identifiable information, protected health information, GLBA data, Export Controlled data, FISMA regulated data, log-in credentials, and information protected by non-disclosure agreements.

Note regarding Classification of Research Data: The classification of research data depends on several factors that can and often do change as research progresses. It is incumbent upon the Researcher to know the type of data, the circumstances governing the data, and classify it accordingly.  Click here for more information.

   

3.2 Classifying Data According to Availability Needs

Different types of data have varying levels of importance with regard to availability or reliability of access and use. The following categories may be useful in determining availability needs:

Supportive Data - Supportive data is useful in day-to-day operations, but is not critical to UAB’s mission or core functions.

Examples:  course materials, meeting minutes, workstation images, etc.

High-priority Data - Availability of data is necessary for departmental function.  Destruction or temporary loss of data may have an adverse effect on business unit, college or departmental mission, but would not affect organization-wide function.

Examples:  some financial data, HR data, etc.

Critical Data - Critical data has the highest need for availability. If the information is not available due to system downtime, modification, destruction, etc., the University's functions and mission would be impacted. Availability of this information must be rigorously protected.

Characteristics of Critical Data

Mission Risk: Short-term or prolonged loss of availability could prevent UAB from accomplishing its core functions or mission.

Health and Safety Risk: Loss of availability may create health or safety risk for individuals. (e.g. emergency notification data, PHI, etc.).

Compliance Risk: Availability is mandated by law (HIPAA, GLBA) or by contract.

Reputation Risk: Loss of data will cause significant damage to UAB’s reputation.

Examples:  Emergency notification/contact data, Health care data, Student records.


4.0 Responsibilities for Protecting Institutional Data

All with access to UAB data are required to protect these data appropriately.  There are different mandatory minimum requirements for University and Health System data.

Minimum security requirements for University Data may be found at Protection Requirements Based on Classification.

Minimum security requirements for Health System data may be found at UAB HIPAA Policies.


4.1 Specific Roles and Responsibilities for Protecting Institutional Data

Data Stewards have administrative control and are officially accountable for a specific information asset.  Data Stewards are:

  • responsible for assigning an appropriate classification to the information;
  • accountable for who has access to information assets; and
  • ensuring compliance with policies and regulatory requirements related to the information.

Examples:  VP of Financial Affairs & Administration - financial and HR data; VP of Research & Economic Development - research administration data; Deans and Department Chairs and data from their respective academic area; Hospital Managers or Directors/VPs and data from their respective hospital/clinical area.

Data Custodians safeguard the data on behalf of the Data Steward.

UAB’s central Information Technology (IT) units shall be responsible for protecting all Institutional Data maintained/stored in the institutional information systems.

UAB Health Services Information Services (HSIS) shall be responsible for protecting all Health System Data maintained/stored in the institutional information systems.

UAB Information Security

Members of the UAB and UABHS Information Security teams are responsible for developing and implementing an information security program as well as the supporting data security and protection policies, standards and procedures.

Departmental Security Administrators (DSA)

Each unit or department senior manager will designate at least one DSA who will act as a liaison to the UAB Information Security Team. DSAs oversee information security responsibilities for the departments, including assisting with security awareness and security incident response.

For UAB covered entities, UAB Health System has established the Entity Security Coordinator who will act as a liaison to the UABHS Information Security Team and the Entity Privacy Coordinator who will act as a liaison to the UABHS Privacy Officer.

System Administrators

System Administrators are individuals within the central IT/HSIS or school/department units with day-to-day responsibility for maintaining information systems.  They are responsible for following all data security protection procedures and practices.

Data Users

Data Users are individuals authorized to access UAB data and are responsible for protecting the information assets on a daily basis through adherence to UAB policies.


5.0 Enforcement

Each University / University Health System department or unit is responsible for implementing, reviewing and monitoring internal policies, practices, etc. to assure compliance.

The UAB VP of Information Technology Office and UABHS CIO of Information Systems are responsible for enforcing this data classification requirement.

Non-compliance with these standards may incur the same types of disciplinary measures and consequences as violations of other University policies, including progressive discipline up to and including termination of employment, or, in the cases where students are involved, reporting of a Student Code of Conduct violation.


6.0 Exceptions

Exceptions may be granted in cases where security risks are mitigated by alternative methods, or in cases where security risks are at a low, acceptable level and compliance with minimum security requirements would interfere with legitimate academic or business needs. To request a security exception, complete the Information Security Exception Request Form.


7.0 Definitions

UAB has adopted the customary Information Security Terms definitions within the NISTIR 7298 Revision 2 Glossary of Key Information Security Terms.

UAB Health System has adopted the definitions set forth in the HIPAA regulations at 45 CFR Parts 160, 162, and 164.
A new phishing email claiming to be from UAB President Dr. Ray Watts purports to include an "important announcement" but is actually a phishing attempt. Delete the email; do NOT open the attachment or enter your BlazerID or password on any links enclosed.

The email looks similar to the image below:

[Image: Email Watts]

This email is not related to the campus-wide simulated phishing campaign that UAB IT is launching this month as a tool to educate campus users about phishing attacks that attempt to steal personal or financial information. Please visit uab.edu/phishing to get up-to-date information about the latest phishing attempts and tools to help you protect your information. Campus users can also download the PhishMe Reporter tool for one-click access to report phishing attempts. Follow UAB IT on Twitter for alerts on phishing attacks.

The "OneClass" Chrome extension behaves like malware and can attempt to steal user names and passwords. It can affect users of several learning management systems, including Canvas; however, OneClass is not affiliated with Instructure (Canvas) in any way.

When a user installs the OneClass Chrome extension, the plugin asks for permission to "read and change all your data on websites you visit." If a user grants this permission, the plugin places a button in the user's LMS (Canvas or other) labeled "Invite your classmates to OneClass." If the user clicks this button, OneClass sends messages to all of the other users enrolled in the course via the LMS message system (for Canvas, that's Conversations). Each message says:

Hey guys, I just found some really helpful notes for the upcoming exams for [school name] courses at [OneClass link]. I highly recommend signing up for an account now. That way, your first download is free!

We strongly recommend that you NOT install or use the OneClass Chrome extension or that you remove the plugin if you have already installed it. The “invite your classmates” message acts as a phishing attempt, and the permission the extension prompts users to grant could result in their information being stolen.

To uninstall a Chrome extension, please follow these instructions from Google Chrome.
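The permission prompt described above corresponds to host access patterns such as `<all_urls>` in an extension's manifest. As an added example (not UAB IT or Google code), the script below lists installed extensions that request access to every site; the sample manifests, ids and names are constructed, and the Extensions directory of the Chrome profile is passed in by the caller.

```python
import json
import tempfile
from pathlib import Path

# Match patterns that give an extension access to every website.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
HOST_KEYS = ("permissions", "host_permissions",
             "optional_permissions", "optional_host_permissions")

# Constructed manifests for the demo; ids and names are made up.
SAMPLE_MANIFESTS = {
    "aaaaconstructedid/1.0_0": {
        "name": "Constructed Notes Helper", "manifest_version": 2,
        "permissions": ["storage", "<all_urls>"],
    },
    "bbbbconstructedid/2.1_0": {
        "name": "Constructed LMS Theme", "manifest_version": 3,
        "permissions": ["storage"],
        "host_permissions": ["https://canvas.example/*"],
    },
}


def broad_host_access(manifest):
    """Return the manifest entries that grant access to all sites."""
    findings = []
    for key in HOST_KEYS:
        for value in manifest.get(key, []):
            if isinstance(value, str) and value in BROAD_PATTERNS:
                findings.append(f"{key}: {value}")
    # Content scripts injected into every page have the same reach.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_PATTERNS:
                findings.append(f"content_scripts.matches: {pattern}")
    return findings


def audit_extensions(extensions_dir):
    """Map 'id/version' to (name, findings) for each over-broad extension.

    Expects the layout <extensions_dir>/<id>/<version>/manifest.json.
    """
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        findings = broad_host_access(manifest)
        if findings:
            key = f"{path.parent.parent.name}/{path.parent.name}"
            report[key] = (manifest.get("name", "?"), findings)
    return report


def demo():
    """Write the constructed manifests to a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, manifest in SAMPLE_MANIFESTS.items():
            target = Path(root) / rel
            target.mkdir(parents=True)
            (target / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_extensions(root)


if __name__ == "__main__":
    for ext, (name, findings) in demo().items():
        print(ext, name, findings)
```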
An email circulating to UAB inboxes with the subject line "Transaction declined" is a phishing attempt to infect your computer with malware.

The email looks similar to the image below:

[Image: Malware]

This email is not related to the campus-wide simulated phishing campaign that UAB IT is launching this month as a tool to educate campus users about phishing attacks that attempt to steal personal or financial information. Please visit uab.edu/phishing to get up-to-date information about the latest phishing attempts and tools to help you protect your information. Campus users can also download the PhishMe Reporter tool for one-click access to report phishing attempts. Follow UAB IT on Twitter for alerts on phishing attacks.

A new phishing attempt claims to protect email users from spam email. The phishing email, which comes from "UAB Admin Help," is an attempt to steal UAB users' information.

The email looks similar to the one below:

[Image: Phishing email 101216]

The email directs users to this page:

[Image: Phishing screen 101216]

This email is not related to the campus-wide simulated phishing campaign that UAB IT is launching this month as a tool to educate campus users about phishing attacks that attempt to steal personal or financial information. Please visit uab.edu/phishing to get up-to-date information about the latest phishing attempts and tools to help you protect your information. Campus users can also download the PhishMe Reporter tool for one-click access to report phishing attempts. Follow UAB IT on Twitter for alerts on phishing attacks.

A new phishing attempt circulating to UAB inboxes asks users to update their email.

The phishing email looks similar to the one below:

[Image: Phishing alert 101116]

This email is not related to the campus-wide simulated phishing campaign that UAB IT is launching this month as a tool to educate campus users about phishing attacks that attempt to steal personal or financial information. Please visit uab.edu/phishing to get up-to-date information about the latest phishing attempts and tools to help you protect your information. Campus users can also download the PhishMe Reporter tool for one-click access to report phishing attempts. Follow UAB IT on Twitter for alerts on phishing attacks.

A new phishing scam sends UAB users fake emails from a "Dropbox team" with a link to download a shared document. But when users click the link, they are taken to a fake Dropbox download site.

In the image below, you can see the fake URL for the Dropbox site.

[Image: phishing 2 100916]

The email, which looks like the one pictured below, is one of several that have circulated since Friday, Oct. 7.

[Image: Phishing 1 100916]

These emails are not related to the campus-wide simulated phishing campaign that UAB IT is launching this month as a tool to educate campus users about phishing attacks that attempt to steal personal or financial information. Please visit uab.edu/phishing to get up-to-date information about the latest phishing attempts and tools to help you protect your information. Campus users can also download the PhishMe Reporter tool for one-click access to report phishing attempts. Follow UAB IT on Twitter for alerts on phishing attacks.

A number of phishing scams have targeted UAB email inboxes in recent weeks, and scammers are faking UAB login pages such as the web email login page, UAB Security Challenge and Central Authentication System.

Two emails pretend to be notices about payroll and appear similar to the emails below: 

[Image: phishing payroll 3 100816]

These emails are not related to the campus-wide simulated phishing campaign that UAB IT is launching this month as a tool to educate campus users about phishing attacks that attempt to steal personal or financial information. Please visit uab.edu/phishing to get up-to-date information about the latest phishing attempts and tools to help you protect your information. Campus users can also download the PhishMe Reporter tool for one-click access to report phishing attempts. Follow UAB IT on Twitter for alerts on phishing attacks.
