Q&A

Tips on protecting personal information

Published September 5, 2019


Security analyst Catherine J. Ullman says she wears many hats.

As senior information security analyst for UB’s Information Security Office, she is in a unique position to help the campus community — faculty, staff and students — protect themselves against security threats and safeguard sensitive data that, if breached, could lead to longstanding financial trouble.

But she is the first to suggest that establishing her credentials takes some explanation.

“I help respond to phishing attempts, compromised accounts and machines, and other threats reported by the UB community and outside organizations to our office via email at abuse@buffalo.edu,” says Ullman.

She also conducts forensic analysis on compromised devices potentially containing restricted data — information like SSNs, drivers’ license numbers, bank or financial account numbers — as part of a program designed to keep UB in compliance with applicable federal, state, SUNY, and university data regulations.

There’s more. She also works on UB’s security awareness program. “Our office partners with the university community to educate them about computer security and help keep them safe from internet criminals,” she says.

“We also work with law enforcement agencies like the FBI and University Police when information is requested or when an investigation involves the university.”

If anyone at UB knows how to defend against intrusion from electronic criminals, it’s Ullman. She talks with UBNow about how best to guard against scams from electronic criminals, the resulting consequences from these security breaches, and what to do when they do happen.

What do you feel is the biggest security threat to the educational business sector?

Probably a combination of phishing and theft of intellectual property. Intellectual property, like the research that we do as a major research university, is at risk of being stolen by other countries.

The FBI cautions U.S. universities to develop procedures for monitoring students and scholars from Chinese state-affiliated research institutions. There is growing suspicion that the Chinese government is engaged in espionage of American higher education, according to the article, with the aim of stealing data and intellectual property.

Many students are new to UB. What should they be doing to protect their restricted or private data?

Students should keep track of their personal identifiable information, and avoid giving it out when it’s not needed. If someone, or some form on a website, is asking for your Social Security number, for example, ask whether it’s absolutely necessary before providing it.

Utilize two-factor authentication wherever possible to protect accounts. Don’t ever put that personal identifiable information on social media, or send it through email. It’s also a wise idea to make sure that you are monitoring your credit by obtaining a credit report from each of the four credit agencies — Experian, TransUnion, Equifax and Innovis — once a year, which is free. More information on the big three and on Innovis can be found online.

For those who have already become a victim of a breach, what steps should they be taking to now protect themselves?

The answer to this question will depend greatly on what was breached. Passwords should be changed if an account was compromised and should be significantly long/different for any accounts of significant value (i.e. related to money, medical information or school). If it’s an identity theft issue, follow the instructions provided by the Federal Trade Commission.

There have been several stories of students who, after a breach at their school, received fraudulent invoices from their school and have paid them. How do you recognize these fraudulent invoices and what do you do if you receive one? Is there a reporting process they should follow?

Fraudulent invoices are just another form of phishing with the attempt to commit fraud. Understanding how to recognize a phish is really the only suggestion I can offer here.

Be skeptical and suspicious of any email that comes in asking for money or credentials. The reporting process, if you haven’t already fallen for it, is going to depend on a number of factors. UB has a specific process we ask our community members to follow for reporting that kind of thing.

But if students receive a suspicious email in a personal account, there’s not necessarily anything we can do for them. They’ll have to report it to their internet service provider. The important thing is to make sure they obtain the email headers to send along with the message.

However, if they’ve actually been a victim of fraud, they’re also going to have to report it to law enforcement in some capacity. Here’s what we recommend to our students:

  • If you think you fell for a scam, protect yourself by stopping any further communication.
  • Change any passwords on accounts that were involved in the scam.
  • Contact any financial institutions involved.
  • Make a report to your local law enforcement agency. If you are a member of the UB community, contact University Police.
  • File a complaint at the Internet Crime Complaint Center (IC3). The criminal may threaten you or use your identity for another scam.