Phishing attempts threaten not only employees' personal information but also University resources, according to the latest issue of the IT Risk Bulletin.

The December issue of the bulletin, a joint effort of the of UAB, the University of Alabama, UAB Health System and the University of Alabama-Huntsville, provides tips on avoiding getting "phished."

• If you get an email, instant message or phone call in which you are asked for financial or personal information, do not reply or click links within the message.

• Never provide sensitive personal or financial information through email.

• Do not click links in potentially fraudulent email. A link that looks like it points to a valid Web site could be forged or cause your computer to download malware.

For more tips and to see past issues of the bulletin, click here.
“Your paycheck has been compromised.” That’s the kind of subject line you’ll see in a phishing email that’s trying to trick you into revealing personal information — like your BlazerID and password.

But if you fall for it, your paycheck — and all of your other personal information — truly could be compromised.

UAB has been under attack from scam artists and phishing e-mails. Dozens of individuals have fallen victim to the attacks and have had their e-mail accounts compromised and used for malicious purposes.

Users whose accounts are compromised will have their passwords revoked. The recommended method to reset them is through BlazerID self-service, particularly during the holidays when AskIT will have limited hours. AskIT will be closed on Thursday, Nov. 27, and Friday, Nov. 28, and will reopen at 9 a.m. Saturday.

Scam e-mails typically increase around the holidays, so take steps now to be able to recover your password by registering for BlazerID self-service.

Be extremely cautious about any e-mail message that claims to be from UAB, and NEVER provide your password in response to an e-mail communication.

Follow these additional tips to avoid being a victim:

• Do NOT click links in messages that ask you to log in. Type a trusted Web address in your browser or Google for the Web site if you don’t know the address.

• Never type personal, sensitive information (such as passwords or account numbers) on Web sites without verifying the Web site’s authenticity and security — look for an “https” in the address bar.

• Verify the address. Malicious Web sites may look identical to a legitimate site, but the address may use a variation in spelling or a different domain (.com vs. .edu).

• Misspellings and grammatical errors can be a dead giveaway in phishing emails and subject lines.

• If you are unsure whether a request is legitimate, contact the company directly. Do NOT use contact information provided in the request.

• Don’t open attachments. They may contain viruses or malware that can infect your computer.

• Protect your password. Information security and IT officials at both the university and UAB Hospital will never ask users for passwords or any other sensitive information.

• Report suspicious activity. If you have any questions or you receive a suspicious email that you want to report, university employees and students can call the AskIT Help Desk at 205-996-5555.  Hospital employees can call the HSIS Help Desk at 205-934-8888.



Social media has changed the way we interact with each other, but while they have made some things easier for us, they have also made it easier for us to be a target for security risks.

The November issue of the IT Risk Bulletin, a joint publication of UAB, the University of Alabama, UAB Health System and the University of Alabama-Huntsville, offers some practical tips for staying safe online.

Among them:

• Keep private information private. Do NOT post your Social Security number, banking PIN or other personal information.

• Use the social network’s privacy and security settings to control what you post.

• Only approve friend requests from people you know.

For more tips and to access previous IT Risk Bulletins, click here.

Microsoft released a new critical security update on Nov. 18, 2014, that resolves a Windows vulnerability regarding privileges.

The vulnerability in Microsoft Windows Kerberos KDC could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator.

An attacker could, according to Microsoft, use those privileges to compromise any computer in the domain.

The update requires a restart.

For more information, visit https://technet.microsoft.com/library/security/ms14-068

Page 2 of 5