Beware of AccessPlus trollers

Amid the flurry of scams arriving in your email in the next few weeks, you'll probably see some familiar senders: HRSresources@iastate.edu has important news about your salary increase and ITdepartment@iastate.edu is fretting over your "exceeded" mailbox.

These scammers and their imitators are mostly after one thing: Access to your AccessPlus.

With entrée to your personal ISU information, information security officer Andy Weisskopf said, the scammers can do two very nasty things:

  • Redirect your direct deposit salary checks to another bank
  • Nab your W2 and Social Security number, file a fake tax return and collect the refund before you've even started your paperwork

Such crimes are increasingly directed at universities around the country, and in the past couple of years, they've hit close to home. A year ago, thieves gained access to several University of Iowa employees' personal information and changed their direct deposit information, Weisskopf said. Last February, a number of University of Northern Iowa employees discovered that fake tax returns had been filed under their names.

Universities appear to be more vulnerable to these attacks because of their open technological culture, Weisskopf said. To support research and education, universities provide a lot of information about their technology environments as well as global access to information. For example, unlike with private companies, scammers can easily find email addresses for university employees.

Protect your AccessPlus credentials

"What that means is we have to be more careful," Weisskopf said. "There's more responsibility on individual employees to protect their credentials."

"This is a time of year to be especially mindful of your AccessPlus account," he added. "Many phishing attempts will occur in the next few weeks. When the W2s come out in January, scammers want to be ready to grab them and fast-file fake tax returns."

Weisskopf offers these tips for protecting your AccessPlus information:

  • If you don't have a good, hard-to-guess password for AccessPlus, get one
  • Don't share your AccessPlus password with others
  • Don't use the same password for your Net-ID and AccessPlus accounts
  • Don't click on email links that purport to go to AccessPlus. Legitimate Iowa State emails should not contain direct links to AccessPlus.

Information technology services staff are looking into other ways to strengthen AccessPlus security, Weisskopf said. One system under review sends automated phone calls to individuals when their AccessPlus accounts are accessed.