Phishing and 2FA at NC State


If you think phishing is no big deal, consider this: about half of NC State’s email traffic is either spam or a phishing attack. That’s about 500,000 bad messages every day! Our systems stop 99%, but just one phishing attack can trick hundreds of NC State students, faculty and staff into sharing their personal information or opening the gates to valuable NC State data.

Think the worst-case scenario is losing access to your email account? Think again.

Matt*, an NC State student, got an email that looked like it was from the NC State Help Desk needing him to verify his information. He replied with his Unity ID and password. The hackers then logged in to his NC State email and used it to reset his Amazon password. Then, they shopped on Amazon using his saved credit card.

Kim*, an NC State student, got an email offering her an assistantship with a professor. She replied and filled out a job application, which included her home address, birthdate, and social security number. Kim just gave her information to a criminal who could steal her identity or sell her data on the dark web.

Tom*, an NC State employee, clicked a link inside a phishing email that sent him to a fake login screen that looked almost exactly like NC State’s. After he entered his Unity ID and password, the hackers logged in to MyPack Portal and used his payroll information to take out payday loans for thousands of dollars.

So, what can you do to protect yourself?

First, enable two-factor authentication, also known as 2FA or two-step. Here’s how it works: first, you enter your username and password as usual. Then, verify your identity by approving a popup message on your smartphone or entering a code texted to you or generated by an app. 2FA prevents up to 98% of unauthorized account access by hackers because even if they have your password, they don’t have your second factor. So NEVER share those codes or approve a 2FA push notification that you didn’t request.

Enroll in both of NC State’s 2FA solutions (Google 2-Step for Google and Duo for Shibboleth-protected services like MyPack Portal and Moodle) and learn more at go.ncsu.edu/2FA. And if you fall for a phishing attack and you’re not already enrolled in 2FA, OIT protects your account by requiring you to enroll under the “one phish, two step” policy.

Next, always be suspicious. Does the email seem strange? Is it badly written, or is the “from” address weird? Is it asking for personal or private information? Or do the “consequences” seem unreasonable, like turning off your account if you don’t respond within 24 hours?

Before clicking a link, check to see if it’s taking you someplace unexpected by hovering over it, or pressing and holding if you’re on mobile. Better yet, open a new browser window and go directly to the site instead.

If you’re not sure if an email is phishing, forward the message to [email protected] and we’ll tell you if it’s legit. And no one from the NC State Help Desk will EVER ask for your password or two-factor codes, so keep them secret!
