IT Security and Compliance

Introduction from Fred Smith, AVP/Chief Information Security Officer

Email is an essential part of our everyday communications. It is also one of the most common methods that hackers use to attempt to gain access to sensitive information. "Phishing" is basically someone trying to get you to do something or tell them something through email that enables them to compromise you in some way.

More than 90 percent of data breaches start with a phishing attack. Phishing uses fraudulent email messages designed to impersonate a legitimate person or organization and trick the recipient into downloading harmful attachments or divulging sensitive information, such as passwords, bank account numbers, and Social Security numbers.

CITS will never ask you to put your password into an email message, but scammers will. Do not share your password with others.

To protect yourself as you read email and surf the web, you need to know where links are going to take you, compared to where you expect to go, because links and their associated addresses can be misleading.

Please read “Take a Closer Look Before You Click!” regarding malicious links and attempts at tricking you into divulging your UMB credentials (link below).

TikTok and Other Apps that Collect User Data 

We continue to monitor legislation of federal and state rules and security concerns regarding TikTok and other similar applications. We are also receiving guidance from NIST and the Educause information security council regarding activities and controls related to TikTok, etc. across higher education institutions.


The security risks associated with using applications that collect sensitive personal information include:


  • Privacy concerns - TikTok collects a significant amount of personal data, including user’s location, biometric data, and browsing history, which could potentially be misused by the company or malicious actors.
  • Data sharing with China - TikTok is a Chinese-owned app, and there are concerns that user data could be shared with the Chinese government.
  • Misinformation - TikTok has been accused of spreading false and misleading information.
  • Cybersecurity risks - TikTok has been found to have vulnerabilities in the past, which could potentially be exploited by cybercriminals to steal user data or spread malware.
  • Keystroke monitoring - TikTok has the ability to access some device-level information, including keyboard input, through the permissions it requests when the app is installed.


It is important that we exercise caution when it comes to the use of applications like TikTok within our academic community. As we continue to monitor legislative developments and expert guidance, we remain committed in our dedication to safeguarding the personal data and security of our students and staff. We all play a part in upholding responsible computing practices and ensuring the protection of sensitive personal and university information.  Thank you for your cooperation and dedication to this important issue.



Tips to Help Keep UMB's Computer Network Safe! 

CITS reminds us of the following:

  • Don’t click on unknown attachments.
  • Carefully examine links in emails before clicking on them. You can examine where that link goes by putting your cursor over the link without clicking. Your browser will show you the link address. Don’t click on it if it doesn’t go where you are expecting it to go.
  • Don’t put too much information (personal or business) on social media sites.
  • Don’t believe every email that is sent to you. Delete messages that look suspicious or are sent from people you don’t know.
  • Make passwords hard to guess and easy to remember.
  • Don’t visit inappropriate websites.
  • When in doubt … pause … think … and then connect.
  • And remember, you should never share your password with others or send passwords via email, and that University IT staff will never ask for your password.

Take a Closer Look Before You Click! 

To protect yourself as you read email and surf the web, you need to know where links are going to take you, compared to where you expect to go, because links and their associated addresses can be misleading. Email sent by phishers and hackers may contain links that look like they go to familiar, expected locations — but not quite. Do you know how to tell an authentic link from a fake?

You may see "Click here" in an email message. You can examine where that link goes by putting your cursor over the link without clicking — try it. Your browser will show you the link address. Does it go where you are expecting it to go? It also is possible for the destination webpage to send you off to another page, so you should check at the top of your browser for the actual web address of the page you are viewing. 

Instead of a “Click Here” you may see an actual link like this in an email message,, but just like the "Click Here" link, that address link actually might go someplace else. Put your cursor over the link without clicking, and your browser will show you where it will really send you. Does it go where you want to go?

Web page addresses have this general format:


Notice the punctuation around the website name:

  • :// - immediately before the website name
  • / - immediately after the website name

Any valid website at UMB will end with "" and be located immediately after the double slashes and before the first single slash. 

These links look the same, but are they?

If you put your cursor over a link without clicking on it, your browser will generally display the address that the link really goes to, regardless of what the text under your cursor actually says. 

You need to be on guard against attempts to fool you into thinking it is at a safe, familiar site instead of a criminal or hacked site. The essential rule is: The real hostname always appears immediately after the double slashes and before the FIRST single slash. Hackers may build a web page address with a familiar hostname before the SECOND single slash in an attempt to get you to believe their malicious site is familiar. If you see "" anywhere else in the whole address, it may be a distractor to make you think you are going to a UMB webpage when you are not. 

http(s)://website name/file/path/filename.ext?parameters

Hovering before clicking and checking for a familiar hostname in the correct position will save you from a great many scams and tricks offered in your email and on the web.

If you see "" anywhere else in the whole address, it may be a distractor to make you think you are going to a UMB webpage when you are not. 

This same rule holds true if you are expecting a web page on any other website that you may be familiar with. If you are expecting to go to PayPal, Amazon, Gmail, etc., always look for that familiar website name immediately before the first single slash.

An Actual Phishing Email Example

From: Email Administrator <Email>

Subject: Warning !!!

Date: February 10, 2015 4:04:13 PM EST

To: undisclosed-recipients:;

Bcc: <>

Reply-To: <>

Dear User,

We have received many negative complaints against your email address that it is being used by spammers to promote spam remotely. We wish to notify you that we will temporarily lock down all emails sent from your address and reject them until we successfully verify that this email is under ownership of the authentic user and not by some bot.

So, if you are reading this then an important action is required by you to save your email from being flagged and to avoid further
discontinuation of your outgoing email service. Please click here to authenticate the ownership of your account and "Click here"

Copyright © 2015 Email Security Team. All Rights Reserved

  • Hover over the From: address — it’s not from anyone at UMB
  • Look at and hover over the Reply-To: — it doesn’t belong to anyone at UMB
  • Hover over the “Click Here” — it’s taking you to a site outside of UMB; it doesn’t have anywhere in the link
  • If you receive an email that has that has any of these characteristics, DELETE it.

Legitimate Email Example

The password for your UMID account will expire on 1/13/2015 10:06:12 AM.

This is the password used to access all UMID authenticated applications, such as the myUMB Portal, eUMB Systems, COEUS, Effort Reporting, SURFS, Blackboard, Google Apps @UMaryland, myUMB Mail, Campus Wireless (eduROAM), Library Resources, and Mediasite.

If you do not change your password, your password will expire and you will lose access to all UMID Authenticated Systems/Applications.

To reset your password, go to the Account Management Site ( and log in with your UMID and current Password. Click on the "Password" link on the left side of the screen to enter a new password.

If you do not remember your UMID or password, click on the "I cannot log into UM Account" link.

If you have any questions or the system does not accept the answer you are entering for your verification, please contact the IT Help Desk at 410-706-4357 (x6-HELP) or


IT Help Desk
Center for Information Technology Services (CITS)
University of Maryland, Baltimore
601 W. Lombard Street, Room 540
Baltimore, MD 21201
410 706-4357 (x6-HELP)

  • This email passes all of our checks to verify links and addresses.
  • Don’t trust that just because it has the campus branding that it is legitimate — that is easily copied and can be added to more sophisticated email phishing attempts. Just remember to take a closer look, hover, and check all links before clicking through.

Email Scams 


Jobs that sound too good to be true should raise a red flag for any college student. Fake job postings abound in unsolicited emails sent to your student account and in online job listing sites.

Fake jobs can be attempts to steal personal information or steal money or bank account information from you. You also could get entangled in criminal activity, so be cautious.

Here are some tips to help you identify fake jobs. You should always carefully research the legitimacy of employers before applying.


  • Mystery shoppers
  • Envelope stuffing from home
  • Repackaging or shipping from home
  • Issuing checks/check processing from home
  • Model/talent agencies
  • Pyramid sales schemes
  • A variety of scams in which a student is asked to pay for certification, training materials, or equipment with promise of reimbursement


Watch out for overpayment scams. These are often posted as a bookkeeper, personal assistant, administrative assistant, etc., to assist in processing checks or mystery/secret shoppers. The “company” sends a check to the “assistant” (student), who is then responsible for taking their “salary” out of the check and wiring the remainder of the money back to the “company.” These checks are fraudulent and can leave you out thousands of dollars and facing criminal charges.


  • Does not indicate the company name
  • Comes from an email address that doesn’t match the company name
  • Does not give the employer contact information — title of person sending the email, company address, phone number, etc.
  • Offers to pay a large amount for almost no work
  • Offers you a job without ever interacting with you
  • Asks you to pay an application fee
  • Wants you to transfer money from one account to another
  • Offers to send you a check before you do any work
  • Asks you to give your credit card or bank account numbers
  • Asks for copies of personal documents
  • Says you must send payment by wire service or courier
  • Offers you a large payment for allowing the use of your bank account — often for depositing checks or transferring money
  • Sends you an unexpectedly large check

No legitimate employer will send payment in advance and ask the employee to send a portion of it back. DO NOT provide any personal information, especially Social Security numbers or financial information! 


The following job posting was rejected by the Student Employment Program Job Board:

"Agile and Responsible individual is needed to fill the vacant position of a Personal Assistant (Part time) Someone who can offer these services: *Mail services (Receive mails and drop them off at UPS) *Shop for Gifts *Sit for delivery (at your home) or pick items up at nearby post office at your convenience. (You will be notified when delivery would be made)."

A student notified the Student Employment Program that she received the following email:

"If you are resourceful, organized, good with paperwork and honest, you can make three hundred dollars ($300) a week, as a business assistant. This flexible but formal position would only take at most two hours of your time daily, or even less, depending on your work-speed. You would be needed Mondays through Fridays, but the job’s flexibility lies in the fact that your duties are clear-cut and would take little of your time to be executed daily. Kindly get back to me ASAP if you are interested and wish to know more about this opportunity."

Another student received an email offering them a "New, interesting, and respectable job" as a typist.

A recent actual email to UMB students:

Dear The University of Maryland, Baltimore Students...

At Market Force Information Company. Get paid $185- $250 Twice a week and we offer Survey Evaluation Services to various shopping outlets and Organizations. We want all Survey  Evaluation to take complete pride in their work, writing intelligent surveys that are clear, honest and observant.

The information collected by Market Force Information  Compliance Services reaches clients, but will always conceal individual identity. Survey results are aggregated by combining responses with those provided by other participants who have also completed the online survey. This data is stored in a database that can be analyzed by clients, but personal data will never be revealed, sold or traded without your permission.

You are providing input for the development of a product or service.

Market Force Information Compliance Services Is one of the most popular paid survey panels in  America. My survey provides a variety of interesting surveys, including product reviews, service reviews buyers opinion, general opinion, Survey Evaluation just to name a few. Find below Job description (available survey).\The recruitment is restricted to US and Canada residents only.


Survey Evaluation services are to be carried out in your location in which you will carry out a survey on the performance and effectiveness of the stores with which you will be directed to carry out a Survey Evaluation on and we would like you to become our Survey Evaluation. Salary/Wage: - $185-$250 per survey assignment.

Your employment packet includes businesses/stores evaluation (Macy-Stores, Banks, Wal-Mart, CVS, McDonald's, Best Buy and many more). Assignment instructions will be sent to you via email after you must have received the payment for the Survey assignment.

Payment for the assignment/wages would be sent to you by Certified Check. No experience required and no upfront payment needed from you (Application is Free).

If you would like to be considered for this survey assignment, please fill out the application below and kindly send the requested details to the email above.

    Current Address:
    Zip Code:
    Home Phone:
    Cell Phone:
    Alternative email address:
    Preferred Time to Call:
    Occupation: none
    Can you check email at least twice daily?


If you feel that you’ve been the victim of a scam, please contact the UMB Police Department at 410-706-6882.



  • To find out if the job and the company are legitimate
  • To gather information to help you determine whether the company or job is a good fit for you
  • To find data to help you write targeted résumés and cover letters
  • To find facts to help you answer interview questions such as: Why do you want to work for this company?


If the organization in question doesn’t have a website or the website doesn’t seem to match the advertised job, there may be cause for concern. Note the professionalism of the website. Is there specific contact information? Are jobs and career information actually posted on the site? Lack of pertinent information is a red flag.


Do you have any connections to help you find inside information? If you belong to a professional association, they may be able to put you in touch with people who can advise you. Search LinkedIn by “People” and the advanced search fields for “Company Name.” Click the “Current Companies Only” checkbox to receive information on people currently listed as employed by this company.


Search by the name of the organization to gather information and recent news. You also can search by “scam” to look for signs the company has been reported in any type of fraudulent activity.


Two organizations to utilize are the Better Business Bureau and the Federal Trade Commission to see if any complaints have been lodged against the company.


If you aren’t sure a company is legitimate, request a list of employees or contractors. Then contact the references to see how satisfied they are. If a company isn’t willing to share references (names, email addresses, and phone numbers), this is a red flag. You may want to research the references a bit, as well, to be sure they are legitimate.


Be careful when an employer cannot communicate accurately or effectively on the website, by email, over the telephone, etc. If communications are sloppy, how professional is the organization?


Most legitimate employers will not charge to hire you! Don’t send money for work-at-home directories, advice on getting hired, company information, or for anything else related to the job. There are some well-known internship programs that do require payment to place you in internships, but check with your department’s internship coordinator to determine if the program is legitimate.


When information about salary isn’t listed on a job posting, try to find out if you will receive a salary or be paid on commission. Find out how much you’re paid, how often you are paid, and how you are paid. If the company doesn’t pay an hourly rate or a salary, be cautious and investigate further.


Read all information carefully. If the opportunity sounds too good to be true, it probably is! Just because a job lead appears in a legitimate publication, it doesn’t mean that the job or company is necessarily legitimate. Forget about getting rich quick.


Federal Trade Commission Video About Job Scams

Cyber Attacks and Ransomware 

What is ransomware?

Ransomware is vicious malware that prevents a user from accessing their files by encrypting them. Ransomware typically arrives on the affected computer through spam emails or executed via malicious ads or compromised websites, but more recently ransomware has been known to start from a malicious email attachment. Once the ransomware is executed on the compromised computer, it encrypts files on the user’s computer and any mapped network drives and even connected cloud storage such as Dropbox, OneDrive, Google Drive, etc.

Ransomware was designed to prevent the user from accessing their files and force them to pay the attacker a fee to regain access. Once the files are encrypted, ransomware displays a text document or HTML page with a message informing the user that their files have been encrypted and gives instructions on how to obtain the decryption key needed to unlock the files. This message also may warn users that the decryption key will be deleted after a certain time period to pressure the user into paying sooner. The message also contains a link to a website where the user can make the payment. Even if the user pays the ransom, there’s no guarantee that the attacker will provide the decryption key needed to unlock their files.

What can I do to protect my data?

  • The best way to protect yourself and the organization from ransomware is to limit your online activity to business-related sites only.
  • NEVER click on links or open attachments in emails you were not expecting.
  • Minimize the amount of data that is stored locally on your computer. Data stored locally is NOT backed up by your IT support group. If you do need to store data locally, it should only be personal in nature and it is your responsibility to ensure personal files are regularly backed up to an alternate storage location.

What should I do if I suspect I was a victim of ransomware?

If you suspect your computer may be impacted by ransomware, contact your local IT support group immediately so we can assist with containment of the malware and any recovery operations that might be possible.

Campus IT Security Updates

If you would like to receive campus related IT Security Updates, please contact Fred Smith.