Tax Season Safety

May 1, 2025


Happy World Password Day, Terriers!

Did you know today is World Password Day? First launched by Intel in 2013, this day reminds us all that strong, secure passwords are essential for protecting our digital lives—especially our BU accounts. Passwords are often the first line of defense against cyberattacks, so it’s a great time to check in on your password habits.

Not sure how to celebrate? Here are three quick ways to boost your BU account security today:

  • Give your security a checkup—Terrier-style: Log into the Terrier Checkup App and review your dashboard to see how long you’ve had your current password. If it’s been a while, World Password Day is the perfect time for a refresh.
  • Refresh Your BU Password: Thanks to self-service options, updating your BU password is faster and easier than ever—just make sure your personal email is up to date. Scroll down to ‘Helpful Links’ and click on Update My Personal Information or Reset My Password!
  • Let a password manager do the remembering for you: Think of it as your digital vault. A password manager remembers your strong, unique passwords so you don’t have to—and keeps them safe, too. Read up on password managers from the National Cybersecurity Alliance.
  • And one last tip: your BU password should be unique. Avoid reusing passwords from other accounts.

    Stay secure out there—and Happy World Password Day from the BU Information Security Team!



    Tax Season Safety

    April 7, 2025



    As tax season approaches, it’s important to remain vigilant against phishing scams that often intensify during this time of year. Cybercriminals frequently target university communities with deceptive emails and phone calls in an effort to steal sensitive personal and financial information.

    Here are some tips on how to protect yourself:

    Be Cautious of Unexpected Tax-Related Emails

    • Scammers may send emails that appear to be from legitimate institutions like the IRS or the university, asking for personal or financial details. Always verify the source before clicking on links or opening attachments. The IRS will never initiate contact via email or text.
    • If you receive an email from a “tax agency” requesting immediate action or payment, do not respond. Legitimate organizations will not ask for sensitive information via email.

    Check the Email Address Carefully

    Look closely at the sender’s email address:

    • Phishing emails may appear to come from legitimate sources but have small alterations in the domain name (e.g., “.com” instead of “.edu”).
    • If in doubt, contact the supposed sender using a trusted phone number or official website to confirm if the email is legitimate.

    Do Not Share Personal Information Over Email

    • Avoid sending sensitive information (like your social security number, bank account details, or tax ID) through email. Universities and official tax agencies never request such information via email.

    Beware of Threats or Urgent Requests

    • Scammers may create a sense of urgency, saying your tax refund is at risk or you owe back taxes. They may threaten legal consequences if you don’t act immediately.
    • Take a moment to think before responding to such messages. Contact the relevant institution directly through official channels to verify the information.

    Report Suspicious Emails

    • If you receive a suspicious email, do not open any attachments or click any links. Report it by forwarding it to abuse@bu.edu.

    Additional Resources:

    • The BUPD’s Safety Tips & Resources guide to protecting yourself from, and reporting, fraud (scroll down to the site’s “Fraud” link).
    • Visit the BU Phish Bowl for recent scams reported at BU.

    We urge you to stay aware and practice caution when dealing with tax season communications. If you are ever unsure about the legitimacy of a message, do not hesitate to verify it before taking any action.



    Be Vigilant: New MS Word Attack

    May 30th, 2022


    There is a newly discovered vulnerability in MS Word (and likely other MS Office apps) that could install malware on your computer. All faculty, students, and staff are encouraged to be especially vigilant about opening any attachments.

    Named the Follina MSDT zero-day attack, it is unlike most malware downloads. This exploit can be triggered by a hover-preview of a downloaded file and does not require any further clicks after the download.

    This is a 0-day attack that sprang up out of nowhere, and no patch is available as of now. This 0-day features remote code execution (an attack that allows an attacker to remotely run malicious code on a computer), and bad actors can elevate their own privileges and potentially gain “god mode” on your computer.

    Because triggering this malicious code is as simple as opening up a Word doc, even in preview mode, we urge the BU community to again be extremely vigilant: verify the sender of an email and the timeline and context (were you expecting an attachment?), and stop and think. Taking a moment to verify the validity of an email message can protect you until a patch is released!

    Stay safe and read more:
    https://www.sans.org/blog/follina-msdt-zero-day-q-a/
    https://www.wired.com/story/microsoft-follina-vulnerability-windows-office-365/
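As an added example (not part of the advisory, and not BU's or Microsoft's tooling), here is a defender-side scan for the document structure Follina samples used: a Word relationship part whose OLE-object relationship points to an external http(s) URL instead of an object embedded in the file. The sample .docx is constructed in memory, the part names follow the OOXML package layout, and the target URL is a placeholder.

```python
# Added example (not BU's or Microsoft's tooling): flag Word documents whose
# OLE-object relationship links out to a web URL, the structure Follina
# documents used to fetch their payload. Sample document is constructed.
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

def external_ole_targets(docx_bytes: bytes) -> list[str]:
    """Return external URLs that OLE-object relationships in a .docx point to.
    A benign embedded object lives inside the package (TargetMode absent or
    'Internal'); an oleObject relationship with TargetMode="External" and an
    http(s) target is what a Follina-style document looks like before any
    payload is fetched, so it is worth quarantining for review."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # document.xml.rels plus any header/footer relationship parts
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("Type") == OLE_REL
                        and rel.get("TargetMode", "Internal").lower() == "external"
                        and target.lower().startswith(("http://", "https://"))):
                    hits.append(target)
    return hits

def build_sample_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx: just enough package parts to scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

# Constructed relationship parts: one with an in-package object, one linking out.
BENIGN_RELS = (f'<Relationships xmlns="{RELS_NS}">'
               f'<Relationship Id="rId1" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>'
               '</Relationships>')
SUSPICIOUS_RELS = (f'<Relationships xmlns="{RELS_NS}">'
                   f'<Relationship Id="rId1" Type="{OLE_REL}" TargetMode="External"'
                   ' Target="http://placeholder.invalid/stage.html"/>'
                   '</Relationships>')
```

A positive hit is a reason to hold the file for analysis, not proof of compromise, and a clean result does not clear a document that uses a different delivery path.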



    Security Advisory: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure

    April 20th, 2022


    The cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom are releasing this joint Cybersecurity Advisory (CSA). The intent of this joint CSA is to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and U.S. allies and partners.

    All faculty and staff should remain vigilant in the face of this ongoing threat.

    Click here to find out more and read this advisory on the Cybersecurity & Infrastructure Security Agency’s website.

    BU Information Security

    The Spring 2022 Shred and Recycle Event

    April 8th, 2022


    Dear Faculty, Staff & Students,

    In partnership with BU Sustainability – BU Information Security is excited to host the Spring Shred & Recycle event from April 26 through April 28, 2022. The sessions are open to all faculty, staff, and students to safely and securely dispose of documents – especially those papers with personal or sensitive information – and hard drives. You can also recycle batteries, lightbulbs, toner, electronics and cords.

    How do I know when I can dispose of Boston University documents?
    This is a great opportunity to consult the University’s Record Retention Policy https://www.bu.edu/policies/record-retention/. This policy assists University staff responsible for the creation, storage and maintenance of records (physical and electronic), and clearly defines how Boston University requires records to be handled to ensure legal requirements are met, preserve their availability, and destroy outdated records.

    Do some spring cleaning on your office filing cabinets, desk drawers, and dorm rooms and get ready to visit us at:

    CRC East Kenmore Parking Lot 549 Comm Ave:
    Tuesday April 26, 2022 from 10:00am-1:00pm

    CRC West Agganis Arena Parking Lot 925 Comm Ave:
    Wednesday April 27, 2022 from 10:00am-1:00pm in the parking lot behind Agganis Arena

    BUMC Talbot Green 715 Albany St:
    Thursday April 28, 2022 from 10:00am-1:00pm in front of the Talbot Building

    Take this chance to protect identities, destroy confidential data, and recycle all at the same time! There is no limit to the amount you can shred and recycle.

    You can find information on the Shredding Event, plus other helpful materials on our Information Security webpage here.

    Security Advisory: Google Chrome and Microsoft Edge release update to patch security vulnerability

    March 29th, 2022


    There is a significant flaw in Chrome (CVE-2022-1096) that was announced on Friday, March 25th and has since been featured in the news. This one has received attention because there is an exploit available for it amid higher global tensions. The bug is also in shared code that is used in Microsoft Edge, which may potentially impact a lot of browsers. Now that a patch is out, the risk is mitigated by the fact that browsers are generally configured to update themselves by default. In some cases, it may be necessary to restart the browser.

    To check your version:

    Chrome:

    Chrome needs to be updated to version 99.0.4844.84 or newer.

    To find your version for Chrome:

    1. Click on the vertical triple dot menu on the right hand side of the address bar
    2. Pick Settings
    3. On the left hand side of the page it brings you to, pick “About Chrome”
    4. If it’s not up to date, it should invite you to update it. It may be necessary to restart the browser.

    Edge:

    Edge needs to be updated to version 99.0.1150.55 or newer.

    To find your version of Edge:

    1. Click on the horizontal triple dot menu on the right hand side of the address bar
    2. Pick “Help and Feedback”
    3. Pick “About Microsoft Edge”
    4. If it’s not up to date, it should invite you to update it. It may be necessary to restart the browser.
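As an added example (not part of the advisory and not BU's own tooling), the check below applies the two minimum versions the advisory gives to a constructed inventory of hosts, comparing version numbers numerically rather than as strings; the CSV layout and the hostnames are assumptions.

```python
# Added example (not BU's own tooling): flag browsers below the fixed versions
# the advisory names. Inventory lines below are constructed; the CSV layout is assumed.
MINIMUM_VERSION = {
    "chrome": "99.0.4844.84",  # from the advisory
    "edge": "99.0.1150.55",    # from the advisory
}

def parse_version(text: str) -> tuple[int, ...]:
    """'99.0.4844.84' -> (99, 0, 4844, 84), so versions compare numerically.
    As strings, '100.0.4896.60' < '99.0.4844.84' and a newer build would be
    reported as vulnerable."""
    return tuple(int(part) for part in text.strip().split("."))

def is_patched(browser: str, version: str) -> bool:
    """True when the installed version is at or above the advisory's minimum."""
    return parse_version(version) >= parse_version(MINIMUM_VERSION[browser.lower()])

def hosts_needing_update(inventory: str) -> list[str]:
    """Scan 'hostname,browser,version' lines and return the hosts still exposed.
    Browsers the advisory does not cover are skipped; a version that will not
    parse is reported rather than silently treated as safe."""
    exposed = []
    for line in inventory.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3 or line.lstrip().startswith("#"):
            continue  # comment, blank or malformed line
        host, browser, version = fields
        if browser.lower() not in MINIMUM_VERSION:
            continue
        try:
            if not is_patched(browser, version):
                exposed.append(host)
        except ValueError:
            exposed.append(f"{host} (unparseable version {version!r})")
    return exposed

# Constructed sample inventory; hostnames are placeholders.
SAMPLE_INVENTORY = """\
# host,browser,version
lab-pc-01,Chrome,99.0.4844.84
lab-pc-02,Chrome,99.0.4844.51
lab-pc-03,Chrome,100.0.4896.60
office-07,Edge,99.0.1150.46
office-08,Edge,99.0.1150.55
office-09,Firefox,98.0.2
"""
```

Running `hosts_needing_update(SAMPLE_INVENTORY)` lists lab-pc-02 and office-07; lab-pc-03 on 100.x is correctly treated as newer than the 99.x minimum.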

    Find more information here

    Security Advisory: Beware of Fraudulent Duo Prompts!

    March 16th, 2022


    Dear Students, Faculty, and Staff,

    We write to alert you to a new level of phishing attack that is currently being launched against Boston University and several other institutions across the country. This attack exploits some Duo multifactor authentication options. Please review this advisory carefully.

    The attacks will typically begin as an email with a generic subject, such as “An important message from BU”, containing a link which takes you to what looks like the BU WebLogin page, but upon closer inspection, does not have the correct bu.edu address, nor does it have a secure (https) connection. If a BU login name and password is entered, you are then directed to a fake Duo authentication page asking you to generate and enter a passcode. If you respond, the attacker will gain control of your account.

    Interface of the Two-step BU login: login and password in first prompt, and Duo verification passcode in center field on second.

    Here’s how you can protect yourself:

    Use Duo effectively

    • Whenever possible, use Duo Push through the mobile app – it is the most secure option.

    • NEVER authorize a prompt or call you did not initiate, whether it arrives as a phone call or a push; click “Deny”!

    • Never provide another person with a Duo authorization passcode.

    Look at the link

    • Before clicking on any link, verify the link by hovering over it to display the destination web address.

    • Be suspicious of any e-mail with a link that takes you directly to an authentication page.

    • Verify that any site asking for authentication via the web uses a ‘bu.edu’ address, with https://shib.bu.edu/, https://adfs.bu.edu/, and https://weblogin.bu.edu/ being the most common.

    • The URL should always start with https://. The “s” is critical – it means “secure”.
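As an added example (not BU's own tooling and not part of either advisory), the checks below write out the “Look at the link” rules above and the “Check the Email Address Carefully” rule from the tax-season post, so that lookalike hosts and altered domains are rejected on a label boundary rather than by substring. The trusted host list is the one the Duo advisory names; the sample inputs are constructed.

```python
# Added example (not BU's own tooling): the link and sender checks from the two
# advisories, written out so the lookalike cases are handled on label boundaries.
# The host list is the one the Duo advisory names; sample inputs are constructed.
from urllib.parse import urlsplit

BU_DOMAIN = "bu.edu"
TRUSTED_LOGIN_HOSTS = {"shib.bu.edu", "adfs.bu.edu", "weblogin.bu.edu"}

def is_bu_host(host: str) -> bool:
    """True only for bu.edu itself or a real subdomain of it.
    A substring test would also accept lookalikes such as "bu.edu.example.net"
    or "notbu.edu", so the comparison is done on a label boundary."""
    host = host.lower().rstrip(".")
    return host == BU_DOMAIN or host.endswith("." + BU_DOMAIN)

def check_login_link(url: str) -> tuple[bool, str]:
    """Apply the 'Look at the link' rules to one URL taken from an email.
    Returns (ok, reason); ok is True only for https to a BU host. The host is
    taken from urlsplit, so "https://weblogin.bu.edu@lookalike.example/"
    resolves to lookalike.example, not to the BU name placed before the @."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not https"
    host = parts.hostname or ""
    if not is_bu_host(host):
        return False, f"host {host!r} is not under {BU_DOMAIN}"
    if host not in TRUSTED_LOGIN_HOSTS:
        return True, f"{host!r} is a BU host but not a usual login page"
    return True, "ok"

def sender_domain_matches(address: str, expected: str = BU_DOMAIN) -> bool:
    """Tax-season rule: the sender's domain must be exactly the expected one,
    not a small alteration of it (".com" instead of ".edu", an extra label)."""
    addr = address.split("<")[-1].rstrip("> ").strip()
    if addr.count("@") != 1:
        return False
    return addr.rsplit("@", 1)[1].lower().rstrip(".") == expected.lower()
```

The display name and the visible link text are not checked here on purpose: both are attacker-controlled, and only the parsed host and scheme are worth trusting.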

    If you clicked on a link and provided your password, or approved a Duo prompt you did not initiate:

    • Change your BU password immediately: https://weblogin.bu.edu/accounts/changepw

    • Contact the BU IT Help Center: ithelp@bu.edu or 617-353-HELP.

    Two-factor authentication remains the most effective mechanism to deter the use of stolen passwords. However, there will always be bad actors looking to break through even the most robust defenses. Following the tips above will keep your account, and Boston University, secure and protected.

    BU Information Security

    Security Advisory: Shields Up Advisory & Reporting a Security Incident

    February 24th, 2022


    Dear Faculty, Students & Staff,

    As has been reported in the national news media, the United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a call for heightened vigilance against cyber-attacks due to recent actions of Russia related to Ukraine. Termed “Shields Up,” CISA has advised that we lower reporting thresholds and take various other steps, all of which are consistent with BU cybersecurity practices. We are actively engaged in a heightened level of threat monitoring, remediation of vulnerabilities and compromised accounts, as well as preparation for major incident handling. We have also taken steps over the past years to increase our resilience, like expanding the use of Duo multifactor authentication.

    We encourage anyone who is aware of a potential cybersecurity vulnerability or event affecting Boston University accounts, computers, or networks to report all available information. Please contact your BU IT support organization or ithelp@bu.edu any time that you think you may have observed a cybersecurity vulnerability or event. Here are some things to look for:

    • Someone else appears to have access to your accounts or devices, as evidenced by changes to your account, records, files, or email that were not made by you.

    • You can view personal information you do not think you should be able to see.

    • Your computer is behaving as if someone else has control over it, such as the cursor moving, the camera being turned on, or text being typed.

    • Someone outside of your known IT support contacts you and seeks your assistance in gaining access to your system or otherwise bypassing security controls.

    • You have found a way to circumvent a Boston University cybersecurity system.

    To report an incident, contact your organization’s IT team or contact the IT Help Center at ithelp@bu.edu or by calling 617-353-HELP (4357). For more information visit: https://www.bu.edu/tech/services/security/cyber-security/sensitive-data/reporting/.

    Thank you for your help in keeping Boston University cybersafe!

    BU Information Security

    CISA Releases Guidance on Protecting Organization-Run Social Media Accounts

    December 9th, 2021


    CISA has released Capacity Enhancement Guide (CEG): Social Media Account Protection, which details ways to protect the security of organization-run social media accounts. Malicious cyber actors that successfully compromise social media accounts—including accounts used by federal agencies—could spread false or sensitive information to a wide audience. The measures described in the CEG aim to reduce the risk of unauthorized access on platforms such as Twitter, Facebook, and Instagram.

    Click here to read the report on the Cybersecurity & Infrastructure Security Agency’s website.

    BU Information Security

    How to Back Up Your Computer

    September 29th, 2021


    When was the last time you backed up all your important documents and photos? Last month? Last year? Never? Setting up a good backup system can seem time-consuming and intimidating, but it’s neither. Anyone can do it, and everyone should. In less than 15 minutes you can have a system that backs up your files automatically—both to an external drive and to encrypted cloud storage—without any regular action from you.

    Click here to read more in the New York Times’ latest Wirecutter article.

    BU Information Security