Recently, there have been several reported fraudulent attempts targeting CUNY employees and executives requesting on their behalf an unauthorized change to their payroll direct deposit information. This is known as a “Payroll Diversion” scam. Fortunately, the reported fraudulent attempts were recognized and unsuccessful. While automated email protections seek to prevent fraudulent emails from getting into CUNY, regrettably there is no way to prevent them all.

Everyone’s awareness and recognition of such scams is therefore necessary, so I ask that you please incorporate and promote the following practices to protect CUNY employees and data:

Alert your workforce to these types of schemes.
Apply heightened scrutiny to requests initiated by employees seeking to update or change direct deposit credentials.
Educate personnel on appropriate preventative and reactive actions to known criminal schemes and social engineering threats.
Verify the sender’s email address, especially when using a mobile or handheld device by ensuring that the sender’s email address appears to match who it is coming from.
Be particularly suspicious of email that is flagged as having been sent from an external, non-CUNY email address
Instruct employees to refrain from supplying log-in credentials or personally identifying information in response to any email.
Direct employees to forward any suspicious requests for personal information to the information technology or human resources department.
Ensure that log-in credentials used for payroll purposes differ from those used for other purposes.
Implement two-factor authentication for access to sensitive systems and information.
Monitor employee logins that occur outside of normal business hours.
Restrict access to the Internet on systems handling sensitive information.
Only allow required processes to run on systems handling sensitive information. 

Further information about such scams can be found online and also at this site.

_________

Subject: CSI101 Cyber Security Training

As an employee at the College of Staten Island and to conform to CUNY policy, it is necessary to review security protocols in order for the College to remain in compliance. Phishing and cyber threats have become more prevalent, requiring CSI to take a more proactive approach to cyber security training.

In this regard, Information Technology and Human Resources are asking you to take the CSI101 Cyber Security Training course located in Blackboard to learn more about identity theft and cyber security. This 40-minute course was created with the CUNY audience in mind and is absolutely essential to ensuring that we keep our personal and confidential data and systems secure from online vulnerabilities and attacks. Having security awareness protects not only the College, but also your personal information, as bad actors can potentially use College data (such as passwords or contacts) obtained from accessing your account to compromise you as well as the College’s network.

You are already enrolled in the CSI101 Cyber Security Training. To access, log into Blackboard using your CUNY Login credentials (Username: Firstname.Lastname##@login.cuny.edu). You may also access the course by logging into Blackboard directly, navigating to My Organizations, and clicking on the CUNY CSI101 Cyber Security Training organization. We will continue to remind you to complete the course on an ongoing basis, if you have not yet done so. If you need assistance accessing the course, please contact helpdesk@csi.cuny.edu.

At the end of this course, you can access your certificate through the link on the left navigation panel. We are asking that you complete this course by September 15, 2022.

Thank you for your cooperation.

Information Technology and Human Resources

____

Additional Resources: Identity Theft and Cyber Security

What is identity theft?

Identity theft is a crime in which an imposter obtains such key pieces of information as a Social Security number, driver’s license number, or credit card number to obtain merchandise and services, credit, and loans in the name of the victim. The following resources addresses security awareness.

  1. CUNY Information Security Website
  2. Recommended Security Practices
  3. OUCH Free Security Awareness Newsletter
  4. Additional information is located on the Information Technology Website.

By the offices of Information Technology and Human Resources