HR Update December 9th
To keep communication as clear as possible, and archive it for later use, the Office of Human Resources will be sending out updates using this format.
If you have information that you would like to disseminate to all employees, please send that to email@example.com and we will coordinate adding the information to a future HR update.
For now, we would ask that you limit any mass communications to avoid confusion.
Special gift on its way to your home address
With the cancellation of so many of our campus celebrations, please watch your home mailbox for a card with a special gift for all employees who are half-time or greater. This is not a piece of mail you'll want to discard!
Swenson Center virtual advent calendar
The staff at the Swenson Center has been busy putting together our own virtual advent calendar full of fun surprises! Visit our website every day from December 1 to December 24 for a daily gift—a peek into our archives, a Swedish craft project, a special recipe, and many other special holiday treats.
Recently several students have fallen victim to email phishing scammers who target college campuses. These particular scams looked to be sent from a familiar source or a member of the Augustana community. The sender claimed to have a job perfect for students - flexible hours, high pay, close location or work-from-home. In the end, the victims provided personal banking information allowing the criminals access to their personal funds.
Email phishing is the #1 cause of cyber-fraud and ransomware attacks. As all of us navigate through these unusual times, we must remain hypervigilant for potential cyber-crime and fraud.
If a message sounds too good to be true, especially if offering money, it probably is.
If you don’t know the sender and they are requesting action - send an iTunes card, a meeting, or even “click here” - double-check with the alleged sender before responding.
Always review the “From:” field or sender’s email address. Many fraudulent emails are sent from accounts that look very close to legitimate Augustana addresses but differ in obvious ways under closer scrutiny. Additionally, real email addresses can be “spoofed” (made to look exactly like a legitimate email account) or stolen from the actual owner. Exercise extra caution if you have any doubts about the message’s origin.
Below is more detailed information about phishing and how to protect yourself and Augustana from cyber-crime. Working together, we can protect ourselves and each other.
Assistant Vice President and Chief Information Officer
Information Technology Services
639 38th St. Rock Island, Illinois 61201
1. Phishing Explained
Phishing is a type of fraud in which a hacker attempts to gather personal information or credentials by impersonating a legitimate brand and sending users to a malicious website. A common example of this is the Office 365 phishing attack: A hacker sends an email that appears to come from Microsoft asking the user to log in to their Office 365 account. When the user clicks on the link in the email, it takes them to a fake Office 365 login page, where their credentials are harvested. With Microsoft branding and logos both in the email and on the phishing page, an untrained user will not recognize the email as a phishing attempt.
2. Email Addresses Can Be Spoofed
Never trust an email based simply on the purported sender. Cybercriminals have many methods to disguise emails. They understand how to trick their victims into thinking a sender is legitimate when the email is really coming from a malicious source. The most common types of spoofing are display name spoofing and cousin domains. With display name spoofing, the phisher uses a legitimate company name as the email sender, such as firstname.lastname@example.org, but the email underneath is a random address like email@example.com. Display name spoofing is most effective when a user views the email on a mobile device because the sender’s email address is hidden. Phishers are counting on the fact that most mobile users will not expand the sender’s name to view the email address.
A cousin domain looks identical to a legitimate email address, but it has been slightly altered. For example, to spoof an Apple.com email, the hacker might use Apple.co. In other cases, hackers will use extensions to trick users. Some examples include apple-support.org, apple-logins.net, and apple-securities.com. We’re also seeing an increase in lengthy, confusing subdomains, such as firstname.lastname@example.org.
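As an added illustration (not part of the original update), the sender checks described in this section can be automated for a From: header. The trusted-domain list, the edit-distance threshold of 2, and the sample headers are assumptions made for this example.

```python
from email.utils import parseaddr

# Assumption: domains this mailbox legitimately hears from. Apple.com is the
# text's own example; microsoft.com is added here for the Office 365 case.
TRUSTED = ("apple.com", "microsoft.com")

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss (cousin) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Return (kind, detail) warnings for one From: header value."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED or domain.endswith(tuple("." + t for t in TRUSTED)):
        # Exact domain or true subdomain: a forged real address has to be
        # caught by SPF/DKIM/DMARC results, not by looking at the name.
        return []
    warnings = []
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        if brand in display.lower():
            warnings.append(("display-name", f"name says {brand}, address is @{domain}"))
        if edit_distance(domain, trusted) <= 2:
            warnings.append(("cousin-domain", f"@{domain} is a near miss of {trusted}"))
        elif brand in domain:
            warnings.append(("brand-in-domain", f"@{domain} only embeds '{brand}'"))
    return warnings

# Constructed From: values; the .invalid names cannot resolve.
SAMPLES = [
    '"Apple Support" <billing@mail-relay.invalid>',
    "no-reply@apple.co",
    "help@apple-support.org",
    "id@apple.com.account-verify.invalid",
    "Tim <tim@apple.com>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_sender(sample))
```

The edit-distance test is a heuristic and will occasionally flag an unrelated short domain, so treat a hit as a reason to look closer rather than as proof.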
3. Subject Lines and Emails Often Include Enticing or Threatening Language
Cybercriminals may promise “free iPhones to the first 100 respondents” or threaten that “your credit card will be suspended without immediate action.” Evoking a sense of panic, urgency, or curiosity is a commonly used tactic. Users are typically quick to respond to emails that indicate potential financial loss or that could result in personal or financial gain.
Emails that have an aggressive tone or claim that immediate action must be taken to avoid repercussions should be considered a potential scam. This technique is often used to scare people into giving up confidential information. Two examples of this are phishing emails telling users their critical accounts are locked or that an invoice must be paid to avoid services being suspended.
In some spear-phishing attacks, personalized emails from purported colleagues are designed to evoke fear of consequences at work. A classic example of this is an urgent email from the President requesting gift cards or a wire transfer. Receiving such a request from a top administrator creates pressure for the employee and makes them more likely to respond quickly—without thinking it through. Another example is the direct deposit spear phishing email, which is designed to pressure an HR employee into changing direct deposit information.
4. Attacks Are Becoming More Targeted—and Personal
Many phishing attacks of the past were sent in bulk to a large group of users at once, resulting in impersonal greetings. The emails would often address a user with a generic term like “student,” “employee,” or “faculty.” You should be cautious of these terms because most organizations and institutions commonly address users by their first name in an email, but a personalized email is not a sure sign of a legitimate email. Today’s phishers are including the victim’s name in the subject line and prefilling the victim’s email address on the phishing webpage.
5. Phishing Emails Are Getting Better and Better
We all need to read our emails carefully, not just skim them. Many phishing attacks and spear-phishing attacks are launched from other countries, and although this can result in glaring grammar and stylistic issues, phishers have become more sophisticated. They have the resources to compose clean emails in their target language, and they make fewer mistakes. We should read emails carefully for both glaring and subtle grammatical issues that might indicate that the sender is not reputable. In a recent Office 365 phishing page discovered by Vade Secure, there was only one discrepancy between the real Office 365 page and the phishing page: an extra space between “&” and “Cookies” in the “Privacy & Cookies” link in the footer of the phishing email.
6. Links Aren’t Always What They Seem
Every phishing email includes a link, but phishing links are deceptive. While the link text might say “Go to Office 365 account,” the URL takes the user to a phishing page designed to look like Microsoft. Make sure you hover over all links before clicking them to see the pop-up that displays the link’s real destination. If it is not the website expected, it is probably a phishing attack.
It is most important to make sure that the core of the URL is correct. Be especially cautious of URLs that end in alternative domain names instead of .com or .org. Additionally, phishers use URL shorteners, such as Bitly, to bypass email filters and trick users, so be cautious of clicking on shortened URLs. IsItPhishing.AI can determine if a URL is legitimate or a phishing link. If you or your employees are in doubt of the legitimacy of a website, IsItPhishing can tell you.
7. Phishing Links Can Be Sent via Attachment
All phishing emails contain a link, but it’s not always in the email. To avoid detection by email security filters, hackers will include a phishing link in an attachment, such as a PDF or Word doc, rather than the body of the email. And because sandboxing technology scans attachments for malware, not links, the email will look clean. The email itself will appear to be from a legitimate business, vendor, or colleague, asking you to open the attachment and click on the link to review or update information.
8. Hackers Use Real Brand Images and Logos in Phishing Emails
Brand logos and trademarks are no guarantee that an email is real. These images are public and can be downloaded from the internet or easily replicated. Even antivirus badges can be inserted into emails to persuade victims into thinking an email is from a legitimate source.
Power outages in December
As building projects continue during the break, the campus is advised of the following days when power outages will occur on campus buildings. Work should be scheduled elsewhere during these times.
- December 14th & 15th – Outage on transformers 446-T-4A (Portion of Heating Plant) & 446-T-5 (Evald) will begin. This is scheduled to be a two-day outage to place the new transformer in service on the Augie loop. Outage to begin @ noon for Evald.
- December 15th – Outage to begin at both Pepsico and Westerlin for solar interconnection. Outages to both buildings are scheduled to start @ 08:00 am.
- December 16th – Outage to begin at Carver for solar interconnection. Outage to start @ 08:00 am.
- December 17th – Outage to begin at Centennial for solar interconnection. Outage to start @ 08:00 am.
Flex card users - IMPORTANT UPDATE
Beginning January 1, 2021 our new flexible spending vendor will take over this benefit. As a result, all current cards will be deactivated as of 12/31/20 and should be destroyed. Any remaining balances will be transferred to your new card that will arrive in the mail in the very near future. Here's what you need to do:
1. Locate the yellow tristar flex card and do not use it after December 31, 2020.
2. If you use your yellow tristar flex card account for any online vendors or if it is registered with a pharmacy, you will need to provide the new information to that vendor for usage as of January 1, 2021.
3. Watch your home mailing address for your new flex card that will arrive from EBC, our new flex vendor. See the picture below.
4. Any unused flexible spending dollars from 2020 will be rolled over to your new flexible spending card and the grace period will allow you to incur new expenses through March 15, 2021 and will automatically be applied to any remaining balance. Any unused 2020 flexible spending dollars after March 15, 2021 will be forfeited.
Bookstore special promotion - TODAY and TOMORROW only
Just a reminder: the bookstore will be offering an online promotion Dec. 9 and 10. Spend $100 and receive a $20 bookstore gift card. Spend $200 and receive a $50 bookstore gift card.
Goal setting and check-in meetings - December 18th deadline for non-faculty
It’s goal setting time for all non-faculty employees
Let's put 2020 behind us and start looking towards 2021 by starting the goal setting process. We understand that many conversations surrounding performance expectations and goal setting may have already taken place but now’s the time to get them into the system. This year's deadline to complete the online goal-setting process is Friday, December 18th.
To get started, log into the Performance Engagement system which can also be found on the HR website. You’ll use your Augie network credentials to access the system.
Step 1: Each employee should answer the 2020 check-in questions
Step 2: Each employee should update and/or add possible goals for the first half of 2021
Step 3: Supervisors and managers should review this information, set up a meeting for discussion and finalize goals.