Koch Institute Technology Services is advising the community to please be aware of some steps that can help protect you from security threats and to be vigilant when it comes to checking the source of any request that seems suspicious to you.  If you are interested in learning more about how to protect your information here at MIT, you can visit the IS&T Security Information Protection page here.   

It is important to note that neither KITS nor IS&T will ever ask for your password or send an unprompted email with a direct link to reset your password, and you should never share your account credentials by voice or text with anyone.  If a message like this looks suspicious, it almost certainly is, and we ask that you forward it as an attachment to ki-help@mit.edu and phishing@mit.edu so we can follow up with the IS&T Security Team.

The MIT Community is a popular target for scammers and phishing attempts, and attackers employ several strategies to trick recipients.  These include luring you into downloading malicious attachments, clicking links that direct you to change your password through fake login pages, requesting your password in plain text or over the phone, or pretending to be from IS&T's Service Desk, Microsoft Support, Google Support, or Apple Support via email or phone in an attempt to start a remote session with you and gain access to your computer.

One of the most common scams relies on social engineering: the attacker pretends to have your personal information or to be someone you have a relationship with, so that they can manipulate and influence you into falling for the scam.  Here at MIT, many of these attempts appear to come from department heads, deans, faculty, administrative officers, IS&T, lab managers, or vendors the department may or may not have a relationship with (Amazon, UPS, and FedEx are incredibly common, for example).  The MIT organizational structure is publicly available, and it is very easy for these networks of scammers to obtain that data and target large groups of people with information relevant to them.

The goal is generally financial in nature, commonly asking you to purchase gift cards and then send pictures of them to the attacker.  Some examples of these common email scams can be found here, and IS&T also maintains a site with pictures of scams that have been sent to them here.

All of that said, there are some things you can do to help protect yourself and prevent these rogue actors from compromising your accounts or your devices.  If it looks suspicious, it very likely is, and it is best to verify before acting.

  • Suspicious Links - Never click on a link or download an attachment in an email you were not expecting, even if it is from someone you know and trust.  It is best to check with that person in a separate email to confirm that the message is, in fact, genuine.
  • Confirm the Sender - Make sure you confirm the sender's email address before responding.  If the message did not come from an MIT email address, follow up in a separate email to that person's MIT address to confirm it is legitimate.  Spoofing legitimate email addresses is a very easy and common tactic, so again, please follow up in a separate email instead of replying directly to the original.
  • Password Managers - IS&T has licensed LastPass for the MIT Community, and we strongly recommend using it, or Apple's or Google's built-in password vaults, to maintain account security.  For the best protection, please consider using the auto-generated strong passwords suggested by these apps.
  • Check Your Accounts - There have been quite a few data breaches over the past few years, and your accounts may have been affected by one or more of them.  We strongly recommend the password managers mentioned above, many of which can automatically reset breached accounts with suggested strong passwords.  Alternatively, you can check whether your accounts have been compromised here.

There are also some things you should do to secure your computer, and we recommend that all members of the Koch Institute follow these easy steps.

  • Install Anti-Malware Applications - For the best protection, KITS recommends using software that protects against known threats (Sophos Anti-Virus) as well as software that detects threats heuristically through machine learning and AI (Crowdstrike Falcon).
  • Use Cloud-based Backup and Storage - KITS recommends the CrashPlan backup software, along with storing the majority of your data in the cloud through Dropbox or Microsoft OneDrive.

IS&T also maintains a security awareness and education page here with links to security awareness training in Atlas.