This Week in Breaches: University of Virginia

Nowadays cyber-attacks are more aggressive and more sophisticated, making it even harder for companies and institutions to catch up and keep up with the evolving technology. But sometimes, a common email scam is all takes to infiltrate your security environment.

On January 22, 2016, the University of Virginia reported that the FBI had informed the school that they had been breached through an email phishing attack.  The attack targeted the school’s HR department and exposed personal information of approximately 1,400 employees.  This information included W-2s (US equivalent to a T-4), and the direct banking information of 40 employees. The breach took place between November 2014 and February 2015.

This phishing attack had requested usernames and passwords to the HR system and unfortunately, one or more employees fell for the scheme. While the University of Virginia has upgraded systems, and implemented a security strategy, this was still a result of human error, and could easily happen again. Training your employees to be on alert for scams, is an extremely important task.

A phishing attack can consist of an emails, phone calls or even pop-ups on websites. It can be as simple as requesting username and passwords, or more sophisticated by convincing you to download a file that will actually install malicious software or steal private information off your computer. Listed below are common indicators of a potential phishing attack:

Threats: If you receive any emails/messages that have any threatening actions, like your account will close if you don’t click this link, be wary. Very rarely, if ever, will a legitimate company use a tactic like a threat to a customer. Ironically, the threat is usually that your security system has been compromised. Installing a firewall and antivirus software (ensure to update regularly) will help eliminate the chances of this.

Links in emails: If you see a link in a message/email that looks suspicious, do not click on it, we repeat DO NOT CLICK. Instead hover your mouse over the link to see if what pops up, matches what is written. The real link will show up in the pop-up. Anyone can create a hyperlink that can actually look just like a company’s website.

link image
[i] Image retrieved from Microsoft

Unsolicited Calls: It is highly unlikely that a company would ever cold call you unprompted, trying to help you fix a security issue or sell you software. So instantly be on alert if you receive a call like this, and do not offer any personal information. If a caller is requesting usernames or passwords, and especially financial information, a good practice would be to end the call, and contact the company’s IT department yourself.


Connect with Secure Sense to protect data, your network, and systems 24/7, 365 days a year. If you have questions or want to learn more, please contact your Secure Sense by calling 866-999-7506. Follow us on LinkedIn and follow us on Twitter @Securesense for current company and industry news.