Threat Archives
Cybercriminals often reuse past scams or create variations of them. Read through our threat archives to learn more about how to stay Cybersafe.
Many recent cyberattacks have targeted colleges. Among them:
- The recent hacking of the Democratic National Committee before the election was facilitated by stolen email accounts from a prestigious university.
- At Michigan State University, unknown attackers gained access to a database with records on 400,000 current and former students and stole social security numbers, student ID numbers, and dates of birth.
- Rutgers University was hit with a number of “distributed denial of service” (DDoS) attacks that interrupted some of its systems; the longest lasted five full days. Rutgers had invested $3 million in cybersecurity—but that didn’t prevent the attacks.
- Two University of Southern California hospitals were hit by a ransomware attack that made hospital data inaccessible to employees. Healthcare and financial services companies and even police departments have been forced to pay ransoms to restore data.
Below is a collection of all the cybersecurity threats that have impacted or targeted members of the FIT community since the Cybersafe campaign began in 2016.
Beware of phishing emails claiming to be from FIT’s Human Resources Department
What happened? Earlier today an employee in an administrative office received a very targeted phishing email. The email subject line was “Fitnyc Payroll/Benefits Plan On October 5, 2023 at 02:12:42 PM” and claimed to be from FIT’s Human Resources Department. This email was certainly a phish and had a malicious attachment. The subject line included a unique timestamp […]
Office 365 Phish Spoofing FIT Domain
What happened? We have just been made aware that some FIT employees and students have received three different phishing emails appearing with the subject lines “You have 5 new held messages 12/17/2020”, “Mailbox quota notification for,” and “Notice: Account Update.” All three emails pretended to be related to Office 365 and, in some cases, were spoofing […]
SPAM Emails with fake job offers
FIT has seen a large increase in spam and phishing emails, aimed at both students and employees. They claim to be discussing lucrative job offers from CareerBuilder and other sources. We have reason to believe these emails are fake, aimed at getting recipients to contact the sender and divulge personal information.
Beware of spear phishing
What happened? The FBI is investigating widespread cybercriminal activity targeting college and university students via spear phishing. Spear phishing, in contrast to traditional phishing, involves highly targeted phishing emails sent to a specific group of individuals—in this case, students with federal student loans. In these more sophisticated phishing attacks, the bad actor will contact the student […]
Scam calls targeting FIT Students
What happened? We received multiple reports of scam phone calls that are targeting FIT students. These calls are from suspicious individuals pretending to be FIT employees asking the student to verify the last four digits of the social security number and to “go over their student file.” What should you do? If you received a phone call […]
COVID-19 Cyber Scams
What happened? We write to remind you to remain vigilant against cyber scams related to the coronavirus (COVID-19). Information security authorities have seen a rise in phishing attempts where the bad guys are spoofing government agencies taking advantage of the COVID-19 narrative. Examples of these scams include: Phishing emails, texts, and phone calls with the subject “COVID-19 […]
Use of Zoom with FIT account disabled on 5/5
Read Full Zoom Advisory from the Department of Homeland Security here. UPDATE: Effective on May 5 at 12 noon, the ability to link Zoom to your FIT Google account will be revoked. Email sent to All FIT Employees on Wednesday, April 29th: The Division of Information Technology continues to support the FIT community while we work […]
Beware of Google alert links
Google Alerts is a useful service that allows you to receive emails when new pages appear in the Google search index that are related to specific keywords, such as “FIT.” Unfortunately, there is a new scam that takes advantage of this feature. Recently bad actors have begun injecting malicious sites into the Google search indexes […]
Instagrammers Beware: New Scam Uses Fake Two-factor Authentication
Two-factor authentication (2FA) is a security feature designed to prevent unauthorized access to many online accounts, like your email account and your social media accounts. If you enable two-factor authentication, you’ll be asked to enter a special login code or confirm your login attempt each time access to your account is attempted from an unauthorized […]
Phishing scams take advantage of recent tragedies
We’ve been advised by SUNY’s information security team that cybercriminals are leveraging the recent tragedies in New Zealand and Ethiopia as pretexts for email phishing attacks. Unfortunately, hackers will take any advantage of incidents like these to steal money and information, and/or plant malware. (Please see our similar advisory from last September regarding phishing attacks based […]
Is a Criminal Intercepting on your USPS Mail?
Criminals seeking to steal identities are abusing the U.S. Postal Service’s Informed Delivery, a service that allows you to digitally preview your mail and manage package delivery. The scam takes advantage of the weak verification method used by USPS to authenticate new customers; USPS uses information available on websites like spokeo.com, zillow.com, and social media […]
Hurricane Support Cyberscams
Cybercriminals often try to capitalize on the outpouring of support for those impacted by natural disasters to trick those seeking to help into revealing private information or downloading malicious software. Numerous scams are circulating via email and social media from cyberattackers hoping to take advantage of people looking to help those affected during hurricane season. […]
Summer Job Posting seen on Campus
Several “summer job opportunity” fliers have been spotted around campus. This multi-level marketing company did not have permission to post their fliers on campus. IT would like to take this as an opportunity to remind the FIT community that cyber criminals also try to take advantage of college students looking for work, wanting to make […]
SUNY Phishing Attack
What happened? SUNY is reporting that many campuses are experiencing a phishing attack. At least one person at FIT was targeted. This attack is particularly clever in that clicking the infected link or button in the email redirects you to a site that harvests email addresses and subject lines in your email account, and uses […]
SUNY Phone Scam
What happened? We’ve been made aware of a phone scam targeting students at other SUNY campuses where criminals are impersonating SUNY Admissions or other administrative offices and asking for sensitive information. To give the appearance of credibility these attackers are also using a technique called “caller ID spoofing” to make it appear that the call […]
Beware of “Sextortion” Hoax
What happened? There has been a reported increase in the number of government employees reporting “sextortion” hoax emails throughout the country and we’ve had at least one report at FIT this week. In this phishing scam the perpetrator threatens to release compromising webcam footage if the victim does not pay a ransom. This is another […]
Caller ID 911 Spoofing
Your phone rings and the Caller ID displays “911”. You answer it immediately because “911” is synonymous with emergencies. The operator tells you that someone close to you has been in a severe accident. You are very shaken and concerned. The operator proceeds to ask you several personal questions to help them with the care of […]
FedEx Malspam
What happened? “Malspam” is short for malware spam—a word to describe any malware that is delivered via email. A malspam campaign that is currently circulating mimics a FedEx shipping confirmation with a person’s real name, Social Security number, and a “tracking number.” Victims that click on the link will be redirected not to a FedEx […]
Phishing emails mimic college initiatives
What happened? Recently one of the other SUNY campuses experienced a spear phishing attack (personalized phishing attacks that appear to be from a trusted source). The attacker sent an email purporting to be from the institution’s president regarding a new business integrity program. The emails had the correct branding and trademarks of the institution and […]
Beware of Olympics Related Malicious Activity
Cybercriminals have historically used high-profile events, such as the Olympic Games, to disseminate malware and conduct scams, fraud, and cyber-espionage. It is highly likely that cybercriminals will recycle old tactics such as Olympic-themed phishing emails, malvertising, and malicious mobile apps, as well as develop new methods to compromise target devices and accounts. Similar campaign tactics […]
Email Fraud Targeting Students
What happened? A sophisticated email phishing scam targeting SUNY students is currently active. In this latest scam, the attacker pretends to represent a college IT department, sending an alert that claims that recent system maintenance caused them to lose student user IDs and passwords. The email includes a link for the student to re-enter their […]
Meltdown, Spectre, and More—Protect Yourself from the Latest Security Threats
What happened? Multiple cybersecurity flaws have been discovered recently that leave nearly every computer and phone vulnerable, allowing cybercriminals the ability to access your private data: passwords, credit card details, photos, etc. Meltdown affects laptops, desktop computers and internet servers with Intel chips. Spectre affects some chips in smartphones, tablets, and computers powered by Intel, […]
Stay Cybersafe—Avoid Holiday Scams
Don’t give cybercriminals the gift of an easy target this holiday season. Stay off the cybersecurity naughty list by avoiding falling for these scams: Phony Shipping Status Emails: You are likely expecting more package deliveries this time of year, a fact cybercriminals seek to exploit by sending fake shipment and delivery notification emails and text […]
macOS High Sierra Security Threat
What happened? A security flaw in macOS High Sierra that allows attackers to bypass administrator authentication without supplying a password was discovered Tuesday, November 28, and Apple released a patch on November 29. How does it impact the FIT community? Campus computers, including office, classroom and lab computers are not impacted by this threat […]
“Bad Rabbit” Malware
You may have seen media coverage this morning about another widespread ransomware attack, called “Bad Rabbit,” that has impacted thousands of computers in Europe. Ransomware is software that encrypts your files and then demands payment to the attacker for the decryption key. While there have been few reports of attacks in the United States so […]
Equifax Breach: What You Need to Know
What happened? Equifax, one of the three nationwide credit-reporting bureaus, announced Thursday that they were the victims of a data breach in which cybercriminals stole the information of nearly 143 million people. The data exposed includes names, Social Security numbers, birth dates, addresses, and ID numbers of some driver’s licenses. The credit card numbers of […]
Cyberextortion
The use of extortion by cybercriminals has been increasing recently. Cyberextortion is when cybercriminals demand payment to stop malicious activity against the victim, such as the release of data. In an increasingly common form of cyberextortion, the victim receives an email saying that their information will be disseminated to the public, family, and friends if […]
Apple iOS Vulnerability “Broadpwn”
What happened? The latest patch for Apple’s iOS 10.3.3 fixes a vulnerability being called “Broadpwn.” An attacker in proximity to unpatched devices can potentially take control of the device without the victim’s knowledge. This could include turning on the microphone or camera, or accessing data or photos on the phone. The patched vulnerability arises from […]
Phishing Moves to SMiShing
Cybercriminals are increasingly targeting you through your smartphone. Attackers send texts that trick you into doing something against your own best interest. This type of security attack is called SMiShing, short for “SMS phishing.” These texts trick the target into downloading a Trojan horse, virus or other malware onto their cellular phone or other mobile devices or trick the target into revealing […]
New Malware Threat Activates by Hovering Over Link
What happened? A new security threat allows malicious software to be installed on computers running Microsoft Office. The target users receive an email with a PowerPoint attachment. If they click to open the attachment, the link “Loading…Please wait” appears. When they hover over the link, the malware installs automatically if they are using Microsoft Office […]
“WannaCry” Ransomware Attack Infecting Machines Worldwide
What happened? A hacking tool created by the NSA that was leaked earlier this year is now behind a massive ransomware attack happening around the world. The ransomware, called “WannaCry,” locks down all the files on an infected computer. The victim’s monitor shows a message “Oops, your files have been encrypted!” and demands they pay $300 in […]
Google Drive Scam – What to do
Yesterday, you may have received invitations in either your FIT or personal Gmail accounts to share a Google Drive document from a recognizable name at FIT, a mailing list you belong to, or a personal contact. This was a nationwide email phishing scam that lured the reader to click on an “Open in Docs” button. When individuals […]
Sign Out or Remove your Google Account Remotely from Devices
- Log into your Google Account
- Go to the My Account Page (https://myaccount.google.com/)
- Click on Device Activity and Notification
- Under recently used devices click Review Devices
- From the list find the lost or stolen phone or device and click “remove”
Help Desk Email Spoof
An email spoofing FIT’s TechHelp was sent to some employees, who correctly identified the message as a Phishing attempt. If you received an email with the Subject: ALERT: Email Scams at FIT, do not click on the links and report the email as Phishing. The email is not from the Division of Information Technology. If you […]
Fake Dropbox Invitation Phishing Email
FIT and other SUNY campuses have recently seen a number of spoofed requests to open documents in Dropbox. The requests come in email and appear to come from legitimate FIT email addresses, but the “sender” is not someone who would communicate with you over Dropbox and the subject line is blank or nonsensical. The phish […]
W-2 and Tax Scams
In 2017, approximately 30% of all reported data breach incidents were related to the theft of W-2 information, which was likely used for tax fraud. -IRS It is that time of year again, tax time! Every year thousands of people fall victim to tax scams. Criminals use many tactics to fool individuals, payroll and tax professionals. […]
Recent Scams Focus on Employment
Cyber criminals are taking advantage of college students looking for work and wanting to make extra money during their limited free time. Scammers target student emails and places students look for work and to connect with employers. Below you will find some of the scams meant to target students looking for a job. Phony Job […]
New Phishing Scam Mimics Gmail Login Page
How the Phishing attack works: The newest phishing scam is so “efficient” that many experienced technical users have reported falling for it. The scam tricks Gmail users into revealing their login credentials. The phishing attack starts with an email that contains what appears to be an attached PDF document, but is, in reality, an embedded image […]
Blackboard Phishing Email – OneClass Chrome Extension
SUNY has reported that users at many colleges that use Blackboard are receiving emails similar to the one below, trying to get them to download course notes. “Hey guys, I just found some really helpful notes for the upcoming exams for FIT courses at https://oneclass.com/s/signup. I highly recommend signing up for an account now that […]
Lynda.com Data Breach
December 21 Update Earlier this week we informed you that Lynda.com suffered a data breach. Additionally, some of you may have received an email from Lynda.com directly advising you about the breach. In almost every case the information that was exposed was name, FIT email address, and the list of courses taken. Lynda.com also informed […]
Second Yahoo Account Breach
In September we shared a warning of a 2014 breach of Yahoo accounts that was discovered this year. On December 14, Yahoo announced that over 1 billion accounts might have been compromised in a separate attack in 2013. As with the previous attack, Yahoo warns, the account information may have included names, email addresses, telephone […]
Tech Support Scams
There has been a recent increase in scams targeting colleges. In a typical scenario, a caller poses as an employee of a big-name computer company such as Microsoft or Dell and tells the victim that their computer is infected with a virus and it needs to be remedied. If successful, the scammer convinces the victim […]
Online Scammers Target Student Tuition Payments
Did you know that scammers could be after your credit card information and your money? Scammers use social media and word-of-mouth to target student populations at U.S. colleges and universities by claiming to offer discounts on school tuition if the student makes a tuition payment via the fraudulent site. The victims are subsequently asked to […]
Yahoo Cyber Security Breach
You may have seen on media outlets that Yahoo has confirmed information from 500 million of its accounts was stolen in 2014. According to Yahoo, the account information may have included names, email addresses, telephone numbers, dates of birth, encrypted passwords and, in some cases, encrypted or unencrypted security questions and answers. Yahoo will contact […]
iOS Users Urged to Update Software After Security Flaws Are Found
To the FIT Community: Apple has announced vulnerabilities on the iPad and iPhone that allow an attacker to take full control of your device, including turning on your microphone and camera and/or recording all your keystrokes. The attack is delivered by sending you a specially designed text that includes a link: If you click on […]