A new wave of cybersecurity risks is threatening the NAU community’s personal, academic and professional lives.
A new AI-based phone scam is being reported at NAU in increasingly large numbers, and ITS is encouraging the NAU community to be aware of this threat so they can identify the warning signs and respond appropriately before being scammed.
These attacks use AI to clone an individual’s voice from a short audio clip of that person speaking. These clips can be gathered from content posted publicly online, such as on YouTube, TikTok or Instagram, or by recording the individual as they respond to questions on a fake call. NAU is monitoring a recent rise in malicious phone calls around campus.
These phone-based AI scams may take multiple forms and present a danger to you and those around you, who may receive calls and think you are in danger or in need of help. These scams normally use pressure tactics such as urgency, desperation, fear, punishment or financial repercussions if you do not act immediately. If you believe at any point during a call that you are not actually talking to the person who identified themselves, hang up and call them back on a number that you know, or the main number listed on their official website if you are interacting with a business. Never call the person or company back from a number that they provide over the phone or via email.
How is NAU affected?
NAU sees many forms of phishing and email attacks targeting both students and employees. Every year at this time, we see an elevated number of job-related, W-2 and tax scams, as well as other time-sensitive scams seeking personal information and threatening financial repercussions.
People fall victim to these scams for a number of reasons. Many individuals do not believe they personally have anything to lose, are too busy or too stressed to recognize the warning signs, or feel scared and pressured into responding to the malicious entity. If a malicious entity accesses your account, they can possibly access your personal data, steal your paycheck, access your bank account, attack other systems while impersonating you, and steal the personal information of students and other staff members at the university. Because of the danger presented by responding to these types of scams by clicking on false links, replying to attackers or providing information to a malicious entity, NAU must take a strong stance and suspend your NAU account immediately to protect you, as well as the rest of the campus community.
In December, more than 257,000 malicious, phishing or threatening emails were blocked or removed from NAU email accounts. Last year, 318 campus community members had their passwords secured after responding to malicious entities, and 358 individuals were required to reset their Two-Step Verification after allowing a malicious or unauthorized entity into their NAU account. This represents only a small portion of threats that the university faces daily.
At this time, approximately 10 percent of campus community members do not successfully identify phishing emails and, with the rise of artificial intelligence (AI), attacks are rapidly evolving and putting you at even more risk. While NAU is constantly working on improving our security practices, introducing new security features and updating policies to better protect both you as an individual and the campus community, your vigilance is our greatest defense.
Some of the most prolific cyber threats that plague our campus include:
- Phishing and social engineering: Deceptive attempts to manipulate individuals into revealing confidential or sensitive information through fake emails, phone calls, text messages and in-person communication.
- Two-Step/Multi-Factor Authentication (MFA)/DUO Spamming: Attempts to bombard or overwhelm an individual with MFA notifications, causing fatigue until the individual ultimately approves an MFA prompt.
- Malware and ransomware: Malicious software attacks that infect systems, stealing information, slowing down systems or locking files until a ransom is paid.
- AI phone scams/deepfakes: Automated calls using artificial intelligence to impersonate real people or organizations.
- Zero-day exploits: Vulnerabilities in software and operating systems that may allow malicious entities the remote ability to install malware, steal data or otherwise disrupt the operation of a system.
Accounts compromised by one of these phishing attacks can be leveraged by malicious entities to attack more individuals across campus and the university system.
Top 11 recommendations to improve cybersecurity:
- Password strength and reuse: STOP reusing passwords or password patterns across multiple sites or applications, especially for financial institutions. The reuse of passwords and password patterns significantly decreases the security of any account. It is highly recommended that all individuals consider the use of a password manager to store unique passwords and avoid reusing passwords. Do not use weak passwords that rely on knowledge-based information, such as names of your pets, hometowns or graduation years. Longer passwords will remain more secure over time.
- Two-Step and Multifactor Authentication (MFA): MFA is like having a deadbolt on your front door. Enable it on all accounts that support it.
- Apply updates: Updates are critical for your safety and security. No person, company or entity is perfect, so why would your software be? Updates are deployed because the software isn’t perfect, but we can make our systems better and more secure by running the most up-to-date systems.
- Don’t use debit cards for online shopping: Debit cards are a great convenience to much of the world, including attackers. As debit cards pull from available funds in accounts, there is inherent risk if an online retailer is ever compromised. Although many debit cards are backed with either zero liability or limited liability for prompt reporters, most will not cover overdraft charges, and it may take several days to recuperate any funds that were originally in the account.
- Phone numbers: Guard your phone number like a secret code. Avoid sharing it in emails or phone calls, especially if they seem suspicious. Instead of responding to unsolicited requests, look up official contact numbers from the company or organization’s official website. This ensures you are contacting the right people and not falling into a phone-based trap set by scammers.
- Report suspicious calls and emails: Be a digital detective. If you receive a call or email that smells phishy, report it. Your instincts are your best weapon against scams.
- Do not open unrequested documents: Treat unsolicited documents like mystery packages. If you didn’t ask for them, don’t open them. Attachments and links in unexpected emails might be a Pandora’s box, releasing malware or phishing attempts. Stay safe by only opening files from trusted sources.
- Use ad blockers: Ad blockers act as your personal bouncer, keeping malicious ads at bay. By blocking pop-ups and potential threats, they add an extra layer of protection while you surf the web.
- Be careful what you post publicly: Think of your online posts like a megaphone in a crowded square. Whatever you say is heard by many, including those with ill intentions. Be mindful of sharing personal details, travel plans or financial information publicly. Be cautious about filling out the fun online quizzes that might reveal personal information like the year you graduated from high school, your first vehicle, where you grew up, your favorite color and more, as these questions can be used for many account recovery questions or security questions elsewhere.
- Remove personally identifiable information from the Internet: Think of personal information online like gold. Minimize the treasure map for cyber pirates by removing unnecessary personal details. Check your social media profiles and other online accounts to ensure you’re not unintentionally broadcasting sensitive information.
- Do your research: Before diving into the digital deep end, play detective. Research websites, products or offers before engaging. Check reviews, look for red flags and make informed decisions; if it sounds too good to be true, it likely is. It’s like navigating a new city: know where you’re going before walking out the door.