Beware of Phishing Trap

“Phishing” is a social engineering trick. Cybercriminals use phishing to manipulate the victim into some expected behaviour. Social engineering is at the core of all phishing attacks, especially those carried out via email. Advances in information technology make phishing simple: a phishing attack is fast, inexpensive and low-risk to set up and operate, so any cybercriminal can launch one.

Before replying to any email, you must confirm the identity of the sender. Pay special attention if the email involves sensitive content such as money, personal information or account passwords. A phishing email will usually show one or more of the characteristics below:

1. Be aware of non-official email address domains. For example, a notice from the ICTO Help Desk is unlikely to come from the following email addresses. Note that when an email address is shown with a display name, the display name cannot be used to verify the sender’s identity. In that case you need to verify the sender’s actual email address, shown in “< >” or “[ ]”;

  • @ — An official email is unlikely to come from a third-party email service;
  • @ — @connect.um.edu.mo is used for student and alumni services and is not an official staff email address.

2. Beware of attachments — Email attachments are the most common vector for malicious software. When you get a message with an attachment, DO NOT open it unless you are expecting it and are absolutely certain that it is legitimate;

3. Urgency is a typical phishing characteristic. An urgent call to action makes you more likely to cooperate, e.g. being urged to verify an account, buy prepaid cards or transfer money. If a message states that you must act immediately or you will lose access, deal with it calmly. Cybercriminals often use intimidation and hope you will act without thinking;

4. Incorrect URL links — They take the recipient to a fraudulent website instead of the genuine one;

5. Fake email signature — Hackers may obtain an email signature from elsewhere. Even if it looks real, do not rely on the email signature to judge the authenticity of an email. However, if the sender’s email signature looks unusual, pay special attention;

6. Do not trust the sender’s photo — Hackers may obtain someone’s photo from elsewhere, e.g. a social media website;

7. Use different communication channels — For any suspicious request, use a different communication channel, for example an instant messaging app or a voice call, to determine whether the email sender is genuine.
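Item 1 above says the display name proves nothing and only the address inside “< >” counts. The following script, added here as an illustration and not part of the ICTO page, applies that rule mechanically to a raw From: header: it decodes the header, separates the display name from the real address, and compares the address domain against an assumed list of official domains. The `OFFICIAL_DOMAINS` set, the `official_keywords` tuple and all sample headers are constructed assumptions; only @connect.um.edu.mo comes from the page.

```python
"""Assess a From: header the way item 1 recommends: ignore the display name,
check the real address.  Added example; not code from the ICTO page."""
from email.utils import parseaddr
from email.header import decode_header, make_header

# Assumed: domains from which official staff notices are expected (placeholder).
OFFICIAL_DOMAINS = {"um.edu.mo"}
# From the page: a legitimate domain, but for students/alumni, never staff notices.
NON_STAFF_DOMAINS = {"connect.um.edu.mo"}


def decode_from_header(raw):
    """Turn RFC 2047 encoded words (=?utf-8?q?...?=) into a plain string."""
    return str(make_header(decode_header(raw)))


def assess_sender(raw_from, official_keywords=("ICTO", "Help Desk")):
    """Return (verdict, reasons) for a raw From: header.

    verdict is "ok", "suspicious" or "invalid".  Only the address inside < >
    is checked against the domain lists; the display name is never trusted,
    it is only inspected for claims that the address does not back up.
    """
    display, addr = parseaddr(decode_from_header(raw_from))
    if "@" not in addr:
        return "invalid", ["no usable address in header"]
    domain = addr.rsplit("@", 1)[1].lower()
    in_official = domain in OFFICIAL_DOMAINS
    claims_official = any(k.lower() in display.lower() for k in official_keywords)

    reasons = []
    if domain in NON_STAFF_DOMAINS:
        reasons.append(f"{domain} is a student/alumni domain, not a staff domain")
    elif not in_official:
        reasons.append(f"{domain} is not an official domain")
    if claims_official and not in_official:
        reasons.append("display name claims an official sender but the address does not match")
    # A display name that is itself an address is a classic masquerade:
    # the reader sees one address, the reply goes to another.
    if "@" in display and display.lower() != addr.lower():
        reasons.append(f"display name {display!r} looks like an address, real address is {addr}")
    return ("ok" if not reasons else "suspicious"), reasons


if __name__ == "__main__":
    # Constructed sample headers; the .example domains are placeholders.
    samples = [
        "ICTO Help Desk <icto.helpdesk@um.edu.mo>",
        "ICTO Help Desk <helpdesk.icto@mail-service.example>",
        '"icto.helpdesk@um.edu.mo" <notice@mailer.example>',
        "ICTO Help Desk <student@connect.um.edu.mo>",
        "=?utf-8?q?ICTO_Help_Desk?= <alerts@mailer.example>",
    ]
    for raw in samples:
        verdict, reasons = assess_sender(raw)
        print(f"{verdict:10} {raw}")
        for r in reasons:
            print("           -", r)
```

The verdict is a triage aid, not proof: an address in an official domain can still be forged at the SMTP level, which is why item 7 (confirm through another channel) remains the decisive check.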

Data Privacy and Skills in Using Email

In today’s information age, email has become an indispensable communication tool in daily work and one of the major communication channels. Hence, email security is becoming more and more important. Although users’ information security awareness of external attacks such as telecommunications fraud and malware is increasing, the problems that can arise from everyday use of email cannot be ignored. In particular, any job that involves personal data must be handled with special care. To help users use email more securely, here are some security tips:

  • Before sending an email, you must review the email content, the attachments and the recipients’ email addresses;
  • Before replying to an email, you must confirm the identity of the sender. Do not reply casually. Pay special attention to emails that involve sensitive content such as money, personal information or account passwords;
  • Before forwarding an email, you must decide whether its content, including attachments and the reply history, is suitable for forwarding. Consider extracting only the necessary content instead of forwarding the entire email. Do not forward unconfirmed content, so as not to spread rumours;
  • Consider carefully whether mass emailing is necessary and make good use of email system resources. For more details, please refer to the “Guidelines for Mass Email and E-mail Groups”;
  • Be careful with “Reply to all”. It may cause unnecessary disturbance; consider carefully whether it is necessary;
  • Make good use of Bcc so that recipients cannot see each other’s email addresses, thus protecting the privacy of each recipient;
  • Mind the email content and attachments. Do not send excessive content or attachments, especially personal information. If an email contains sensitive content, consider whether it is suitable for transmission by email at all. In addition, the use of email must comply with the policies of the University and existing local laws and regulations, as well as any other laws that may apply in other jurisdictions. (Please refer to the Reference information.)
  • Do not rely on “email recall”! Recall is a convenience function that can only reduce the impact; it cannot guarantee that an email you have sent is successfully recalled.

In addition, get into the habit of writing the email before filling in the recipients’ addresses, so that an unfinished email is not sent by mistake. When selecting an address from your contacts, be careful, as some email addresses look very similar.


* Reference information

  1. Office for Personal Data Protection, Macao
  2. Personal Data Protection Act, Macao
  3. Privacy Policy, UM
  4. Guidelines for Handling Confidential Information, UM
  5. Acceptable Use Policy on ICTO Computing Facilities Campus Network and Internet
  6. Guidelines for Mass Email and E-mail Groups
  7. How can I identify a phishing, fake email and websites?
  8. What you need to know about EU General Data Protection Regulation?
  9. Data Privacy in an Era of Compliance
  10. Other Information Security Tips

Data Privacy in an Era of Compliance

“Compliance” means conforming to laws, regulations, standards and other requirements.

Nowadays, the Internet is essential to everyday life. But do you know that the Internet holds a large amount of data about you? Whenever you play a game, shop online, browse websites or use any of numerous apps, your activity and some of your personal information may be collected and shared.

Similarly, our daily work may require us to collect, process and store the personal information of others. Whenever we handle such information, we should think about how we want our own information to be treated, and treat other people’s data with the same care and respect.

Tips for protecting your personal data:

  • Know what you are sharing. Check the privacy settings on all of your social media accounts. Some of them include a wizard that guides you through the settings. Always be cautious about what you post publicly;
  • Guard your date of birth and telephone number. These are key pieces of information used for identity and account verification, and you should not share them publicly. If an online service or site asks you for this critical information, consider whether it is necessary and how secure the site is;
  • Be aware of phishing emails and fake websites. Your personal information may be phished! *6

Tips for protecting the information, identity, and privacy of others:

  • Know which laws, policies and guidelines apply. They govern how the personal data of constituents is collected, processed, stored and deleted;*1,2,3,4,5
  • Use the data only for its intended purpose. If you need to use data for another reason, always check the above policies and guidelines first;
  • Keep constituents’ personal information confidential and limit access to the data;
  • Destroy or de-identify private information when you no longer need it.

* Reference

  1. Office for Personal Data Protection, Macao
  2. Personal Data Protection Act, Macao
  3. Privacy Policy, UM
  4. Guidelines for Handling Confidential Information, UM
  5. What you need to know about EU General Data Protection Regulation?
  6. How can I identify a phishing, fake email and websites?

How to Protect Your Data and Devices While Traveling

Traveling today is so much easier with technology. You can stay productive, entertained, and in touch. For many, having a cell phone or other electronic device is a critical part of having a great travel experience and an integral part of daily life. Unfortunately, traveling with devices can mean increased risks for keeping your personal data private as well as the potential for device theft.

Here are some steps you can take to help secure your devices and your privacy.

  • Travel only with the data that you need. That may mean leaving some of your devices at home, using temporary devices, removing personal data from your devices, or moving your data to secure storage;
  • Protect your data. Perform a full backup of the data you are leaving at home and consider enabling your device’s encryption feature;
  • Update all software, including anti-virus protection, to make sure you are running the most secure version available;
  • Turn off Wi-Fi and Bluetooth to avoid unexpected automatic connections;
  • Turn on “Find My [Device Name]” tracking and/or remote wiping options in case the device is lost or stolen;
  • Be well prepared. In particular, charge your devices before you go;
  • Be aware of the risk of committing an offence. Clear your devices of any content that may be considered illegal or questionable in other countries, and verify whether the location you are travelling to has restrictions on encrypted digital content;
  • Don’t overlook low-tech solutions:
    • Tape over the camera of your laptop or mobile device for privacy;
    • Be aware of people “shoulder surfing” for personal information;
    • Keep your devices on you whenever possible, or use a hotel safe;
    • Label all devices in case they get left behind!

Shop Safe Online Tips!

The holiday season is the perfect time for cybercriminals to take advantage of unsuspecting online shoppers. When you go to the grocery store or local shop, it’s habit to grab your reusable bags, and make sure you’ve safely put away your credit card or cash before heading home with the day’s purchases. Similar precautions need to be taken when you’re shopping online from the comfort of your own home. If you make these simple precautions regular online shopping habits, you’ll be protecting your purchases and personal information.

Follow these basic steps so you’ll be ready to shop online safely and securely (including online ticketing, airline booking, hotel reservations, etc.):

  • Keep machines updated. Before searching for that perfect gift, be sure that all connected devices, including PCs, smartphones and tablets, are free from malware and infections by running only the most current versions of software and apps.
  • Shop on reliable websites. Use the sites of retailers you trust. If it sounds too good to be true, it probably is!
  • Do your research. When using a new website for online shopping, read reviews and see whether other customers have had a positive or negative experience with the site.
  • Personal information is like money: value it and protect it. When making a purchase online, be alert to the kinds of information being collected to complete the transaction and consider whether it is really necessary for the vendor to request that information. Remember that you only need to fill out the required fields at checkout.
  • Check the address bar. Look for the padlock icon and https:// in the URL before using your credit card online. If using a mobile app, use only the official app.

Don’t Let a Phishing Scam Reel You In

Cybercriminals use phishing—a type of social engineering—to manipulate people into doing what they want. Social engineering is at the heart of all phishing attacks, especially those conducted via email. Technology makes phishing easy. Setting up and operating a phishing attack is fast, inexpensive, and low risk: any cybercriminal with an email address can launch one.

According to Verizon’s 2018 Data Breach Investigations Report, the education sector saw a rise in social engineering–based attacks. Students, staff, and faculty all suffered losses when personal data and research were disclosed to unauthorized parties. Phishing played a part in more than 40% of these breaches. Knowing what you’re up against can help you be more secure. Here are a few things you can do to guard against phishing attacks:

  • Limit what you share online. The less you share about yourself, the smaller the target you are for a phishing attack. Cybercriminals use information you post online to learn how to gain your trust.
  • Protect your credentials. No legitimate organization or department will ask for your user ID and password or other personal information via email. ICTO definitely won’t. Still not sure if the email is a phish? Contact ICTO Help desk.
  • Beware of attachments. Email attachments are the most common vector for malicious software. When you get a message with an attachment, don’t open it—unless you are expecting it and are absolutely certain it is legitimate.
  • Confirm identities. Phishing messages can look official. Cybercriminals steal organization and company identities, including logos and URLs that are close to the links they’re trying to imitate. There’s nothing to stop them from impersonating the University, financial institutions, retailers, and a wide range of other service providers. If you get a suspicious message that claims to be from an organization, use your browser to manually locate the organization online and contact them via their website, email, or telephone number.
  • Check the sender. Check the sender’s email address. Any correspondence from an organization should come from an organizational email address. A notice from your college or university is unlikely to come from @.
  • Take your time. If a message states that you must act immediately or lose access, do not comply. Phishing attempts frequently threaten a loss of service unless you do something. Cybercriminals want you to react without thinking; an urgent call to action makes you more likely to cooperate.
  • Don’t click links in suspicious messages. If you don’t trust the email (or text message), don’t trust the links in it either. Beware of links that are hidden by unknown URL shorteners or text like “Click Here.” They may link to a phishing site or a form designed to steal your user ID and password.

Reference

How can I identify a phishing, fake email and websites?

Data loss happens all the time. Do you have a data backup plan?

Among information security measures, a good backup plan is very important. In fact, the only way to protect yourself against the loss of valuable data is regular backups. Ideally, important files should be backed up at least once a week, or every day, depending on how critical they are to you.

From time to time we see incidents in which important documents or valuable family photos are lost because a hard disk crashed or a mobile phone was misplaced. You might also fall victim to ransomware or another malicious attack that leaves you no choice but to reinstall the computer and give up the data stored on it. Currently, the computers provided by ICTO come with automatic backup programs installed by default; on computers not provided by ICTO, however, data backup is easily neglected. To help you develop a safe and reliable backup solution, here are some tips:

  • Data loss happens all the time, but it is entirely preventable. You just need to create a backup plan;
  • Your critical data should never be stored in a single location;
  • The ideal backup solution will typically include both a cloud-based backup (e.g. Cloud Drive and Cloud Backup Service) and an offline backup (e.g. external hard drives, flash drives) to ensure your data is safe no matter what happens to your mobile device or computer;
  • Choosing backup software with simple operation and an automatic backup function will take less time to set up and maintain;
  • Regularly test your backup solution to ensure you can recover your data in the event that you do actually need to restore from a backup.

Besides computers, mobile devices also need to be backed up. Popular mobile devices usually provide built-in data backup features; for details, refer to the official information for your device. When choosing a cloud service, whether free or paid, you must choose a secure and reliable service provider. In addition, most cloud service providers have data centres in different regions, most of them located outside Macao. When using cloud services to store sensitive data, it is important to consider whether they comply with the relevant University policies and local laws and regulations. *1,2,3,4,5,6,7
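The last tip in the list above, regularly test that you can actually restore, is the step most often skipped. The following script is an added example of such a restore test, not the automatic backup program ICTO installs: it backs a directory up into a compressed archive, records a SHA-256 manifest of what should be inside, restores the archive into a fresh directory and compares every file. The `skip` parameter simulates a misconfigured backup job that silently omits a file, which is exactly the kind of defect a restore test is meant to catch. All paths and sample files are constructed in temporary directories.

```python
"""Back up a directory and prove the backup restores intact.
Added example illustrating the "test your backup" tip; not ICTO's backup tool."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict:
    """Map each file below root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path, skip=()) -> dict:
    """Write a .tar.gz of source and return the manifest of what should be in it.

    `skip` models a hypothetical backup job that omits some files; the manifest
    still lists them, because they are what the user believes is protected.
    """
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            rel = p.relative_to(source).as_posix()
            if p.is_file() and rel not in skip:
                tar.add(p, arcname=rel)
    return manifest(source)


def verify_restore(archive: Path, expected: dict, restore_dir: Path) -> list:
    """Restore the archive and return a list of problems; an empty list is a pass."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # The "data" extraction filter (Python 3.12+, backported to maintenance
        # releases) refuses members that would escape restore_dir.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(restore_dir, **kwargs)
    restored = manifest(restore_dir)
    problems = []
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch after restore: {rel}")
    problems += [f"unexpected file in restore: {rel}" for rel in restored if rel not in expected]
    return problems


def run_restore_test(skip=()) -> list:
    """Build constructed sample files, back them up, restore, and return the problems found."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, restore_dir, archive = tmp / "source", tmp / "restore", tmp / "backup.tar.gz"
        (source / "notes").mkdir(parents=True)
        (source / "notes" / "todo.txt").write_text("constructed sample: renew certificate\n")
        (source / "thesis.txt").write_text("constructed sample: chapter 1 draft\n")
        expected = create_backup(source, archive, skip=skip)
        return verify_restore(archive, expected, restore_dir)


if __name__ == "__main__":
    print("healthy job :", run_restore_test() or "all files restored and verified")
    print("broken job  :", run_restore_test(skip={"notes/todo.txt"}))
```

Keeping the manifest separate from the archive matters: if both live on the same medium, a failing disk takes the evidence with it, so store the manifest (or at least its hash) where the backup itself is not.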

* Reference

  1. Office for Personal Data Protection, Macao
  2. Personal Data Protection Act, Macao
  3. Privacy Policy, UM
  4. Guidelines for Handling Confidential Information, UM
  5. What you need to know about EU General Data Protection Regulation?
  6. How can I identify a phishing, fake email and websites?
  7. Data Privacy in an Era of Compliance

What you need to know about EU General Data Protection Regulation

The EU General Data Protection Regulation (GDPR) has been in effect since 25 May 2018. Where the collection and processing of personal information from the European Union is involved, the responsible unit must, besides complying with University policies and existing local laws and regulations, consider whether the new EU regulation applies. When third-party services are used, the related policies, laws and regulations must likewise be considered where applicable. For details, please refer to the official website of EU-GDPR and the Macao Personal Data Protection Office Leaflet (Chinese version).