
Security Awareness


Help maintain your own online security – read our IT department's advice on safe use of passwords and usernames

Life today seems to involve an ever-increasing number of passwords and usernames for the various sites, accounts, and online places we all have reason or need to visit. It can be overwhelming to keep track of them all and change them at the recommended intervals – even if we do understand the reason for passwords. 

Unfortunately, breaches and attacks are all too common these days. When your data is involved in a breach, it can be released on the dark web and other foul places on the internet. Bad actors will then try combinations of usernames (often an email address) and passwords from the site they breached on other sites and platforms.

For example, say you used the same password for LinkedIn and your personal email. If they accessed your login information from a LinkedIn breach, a bad actor could then log into your Yahoo or Gmail account and begin spamming emails using your account, tricking your family, friends and even strangers.

In this month's security awareness article, Information Technology reminds us of the importance of using unique passwords and usernames for each site we visit, and to change our passwords at regular intervals.

Using unique passwords across different sites makes it harder to hack your whole digital life. For the same reason, consider using unique usernames, rather than your email address, for important accounts like banking and credit cards. If you have trouble remembering all those usernames and passwords, many free and premium password managers like Dashlane and LastPass can help you keep track of your accounts across multiple devices.

For particularly important accounts, like a social account you use to log into many places or an email account that is tied to your bank accounts, try using two-factor authentication when available. Two-factor authentication requires that you confirm your identity by using something you know (a password) plus a second factor: something you have or something you are. You can also establish a customer-specific personal identification number (PIN) to help secure online access. These features are available for most banking sites and free email providers like Gmail, Microsoft, and Yahoo.

Also, pick an interval of time at which you will change your passwords, and set a reminder on your calendar. Even once a year is better than never. Sometimes breach information is not published until years after the breach. If you have already changed your password, you have limited the damage. If you are lucky, you changed your password before anyone even bought it!

If you want to check whether your account info is for sale, security researcher Troy Hunt has set up a website, haveibeenpwned.com, that allows you to enter emails and usernames and check whether they appear on data breach lists.

Unique usernames and unique passwords are two ways to help protect yourself in this online world in which we live.

  • It's always phishing season; use your skepticism to avoid getting caught!

    You have probably heard about someone who clicked on a bad link or opened a nasty attachment in an email. You may also have heard of someone who received a letter in the mail or got a phone call offering some fantastic, "too good to miss" deal, only to be "taken to the cleaners." In this article, our IT Security team offers some guidelines and quick tips to help us avoid scammers and other bad actors.

    The good news is, you already possess the best defense to ensure you are not taken advantage of or scammed. Regardless of the medium, a healthy dose of skepticism goes a long way! If something looks or sounds too good to be true, you can bet it probably is. If you get an email telling you to immediately "click here" for a free pile of money, a free iPhone, etc., you need to pay special attention. When someone asks you for login credentials or personal information, your "scam radar" should be on full alert.

    If you have an account with an organization, it is highly doubtful they will request additional personal information through an email message. If you are unsure, use a secondary method to validate that whoever is contacting you is official.

    If you receive an email and you think there may be a valid reason for you to interact, asking a few key questions will help keep you safe. Before you click any links, read the email very carefully:

    • Are the spelling and grammar correct?
    • Does the message come from a person you know?
    • Is the email address in the same format as other confirmed messages you have received from this organization in the past?
    • When you hover over the links in the email, do you recognize the URL address? 

    If a message tells you to log into your account, you are much safer to go directly to the website by typing the known address into your browser or by using one of your bookmarks/favorites. Bad actors often purchase domain names that are very close to reputable names (think google.com versus goggle.com). Without careful reading, it is easy to be fooled.

    While email is a common method of phishing for information, bad actors use many other methods. Tax season is an especially risky time of year. Scammers will send out paper mail attempting to get you to send them tax information. They will pose as a government entity and use language to make it look as though you have issues with your taxes. Do not automatically call the number provided in a letter; use the internet to check for official phone numbers of an organization. And call the IRS if you have questions.

    Phone calls are another popular method of phishing for information. Scammers will call and try to acquire personal information, such as passwords, credit card numbers, or Social Security numbers. Our IT department, Microsoft, Google, and other reputable organizations will never call you and ask for your passwords. Similarly, banks and government agencies will never call you and ask for credit card or Social Security information.

    Remember: if it sounds too good to be true, most likely it is not true. Skepticism and critical thinking are your best defenses. So, stay safe and secure with your work and personal information!


  • Did you know – your actions can put our mission at risk!?

    We need donors – financial investors – to fulfill our mission. And while it is always a challenge to recruit new investors, keeping a loyal donor base requires something additional – it requires trust! Imagine the effect on long-time Society investors if they learned that their credit card details or cancer history were released by the Society into the wrong hands. 

    This article provides three real-life, plausible examples of recent data breaches at other organizations, and gives you tips on how to avoid making the same mistakes within our American Cancer Society. By understanding the types of information that need to be protected and by following existing processes and procedures for protecting our constituent information, you can reduce our data breach risk.

    Ransomware breach because of phishing email

    • What happened: In 2017, a nonprofit organization in Indiana (whose mission is to reduce the financial and emotional burdens of cancer and promote cancer prevention) experienced a data breach because a staff member accidentally downloaded malware. Hackers got into the nonprofit's server and held client files for ransom. When the organization refused to pay, the hackers posted on Twitter private letters that the organization sent to grieving families who lost a loved one to cancer. In addition, because of the lost files, the organization lost funding because it did not have the information it needed to apply for grants. 

    • How to prevent this at ACS: This story is not unique, but you can help to prevent a similar occurrence at ACS. To avoid being fooled by a phishing email, consider the source and be skeptical. While you may not be tricked into opening email from a stranger, consider what you would do if the phishing email appeared to be sent by a co-worker or vendor. If the request appears out of context, call your colleague or vendor to verify the request.

    Unauthorized disclosure of employee personal information

    • What happened: While sophisticated, high-profile hacks make the headlines, for most nonprofits, it's the day-to-day employee activities that lead to lost or stolen data. In 2017, an Excel spreadsheet containing the personal information of YMCA employees was inadvertently sent over email to other YMCA employees (who did not have a "need to know" of the information). The employee information (which was contained in the second tab of a larger spreadsheet) included sensitive data such as Social Security numbers and salary information. 

    • How to prevent this at ACS: You can avoid this type of mistake. It is essential that you familiarize yourself with our current ACS standards for protecting categories of information, that you double-check the email recipients, and that you ensure they are authorized to view all the data included in the attachments. In addition, you should apply the "minimum necessary" standard when sending reports. Consider redacting (deleting) unnecessary Excel fields before forwarding the data.

    Vendor or supply chain data breach

    • What happened: In 2017, Hyatt hotels experienced a data breach that was caused by the insertion of malicious software code from a third party onto certain hotel IT systems. Similarly, the 2014 Target breach was caused by lax security at an HVAC vendor. 

    • How to prevent this at ACS: While you cannot always control what occurs with our vendors, you can reduce the Society's risk of a data breach by ensuring that any vendors who process or otherwise handle personal information have been vetted by our Information Security and Privacy teams, and that contract terms include provisions for notification and other assistance in the event the vendor experiences a data breach. 

    Protecting the privacy of our constituents' personal information is essential to maintaining the trust of our donors. By reading this article, you are taking the time to understand our privacy and security procedures. If you have questions about how our policies apply to you, please contact the Privacy office at privacy@cancer.org. 


  • IT offers its third Cyber Security Awareness Month article and quiz – How to work safely when not in the office

    The IT Security team wants to ensure that all volunteers know how to work safely and securely wherever they need to be to do their jobs. Travel and remote security can include working from various locations including home; a public place like a coffee shop, conference, or hospital Wi-Fi; or a hotel.

    When traveling, whether it's across town or across the country, the best way to stay efficient is to maintain "situational awareness." This means paying attention to physical security and knowing exactly where your technology (phones, tablets, laptops, etc.) is in relation to your person. Laptops are most commonly stolen from cars, forgotten at airport security, or left in meeting rooms.

    What does IT recommend? Prior to traveling, review the contents of your laptop bags and remove any unnecessary documents and portable media, such as CDs, external disk drives, or thumb drives.

    Here are some additional tips to practice better physical security:

    • Lock your laptop in the trunk of your car when you are leaving, not when you arrive. Thieves often lurk in parking lots at hotels, shopping centers, and other low-surveillance areas to watch who places valuables in their trunk, so they can better target cars to break into. If you are stopping on the way to wherever you are going, prepare as you get into your car, not when you leave it.
    • Never leave your laptop or laptop bag visible in your car (placing it on a floorboard is not secure!) – even with tinted windows. Laptops and laptop bags are magnets for thieves. A thief can easily put a small flashlight up to the window of the car to illuminate the inside, regardless of tint. If you have no alternative to leaving your laptop in your vehicle, make sure it is covered in a non-obvious way with blankets, jackets, or other common items not worth stealing.
    • If you leave your laptop unattended in a hotel room, please lock the laptop in the room's safe. If there is no safe or if the safe is too small, hide your laptop in your dirty laundry or somewhere not easily found by the cleaning staff.
    • When sitting in an airport, train station, airplane, or meeting, make sure you leave with all the items you brought in. Again, use your senses for situational awareness.

    Another aspect of working securely while on the go is how you connect to the internet. Always choose a Wi-Fi network where you must enter a password, over open public Wi-Fi. Criminals and the curious can sit in the corner of any public place (or in a car in the parking lot) and "sniff" your traffic out of the air. 

  • IT offers 10 tips for safer social media - and the second quiz is here!

    To continue its article series for Cyber Security Awareness Month, the ACS IT department would like to share some tips for staying safe while using social media. 

    Would you let a stranger look in your wallet or purse? Would you let all your friends and acquaintances have a look? These are two important questions to consider when you post information on social media sites. Although it may not be readily apparent, the information you post on Facebook or Twitter can be just as personal as what you carry in your wallet or purse.

    The Internet is a valuable tool for collaboration, communication, and entertainment. Unfortunately, many unsavory groups and individuals have figured out how to use the power of the internet not only to invade personal privacy but also as an avenue for spreading malicious and/or dangerous code. Luckily, there are some relatively easy ways of keeping yourself and your family safe. Here are 10 tips to keep in mind for safer social media use:

    1. Think before you post – Do not post information that would make you vulnerable, such as your address or information about your schedule or routine. If your connections post information about you, make sure the combined information is not more than you would be comfortable with strangers knowing.
    2. The internet is public and "forever" – Only post information you are comfortable with anyone seeing. This includes information and photos in your profile and in blogs and other forums. Also, remember that once you post information online, you cannot retract it. Even if you remove the information from a site, saved or cached versions may still exist on other people's machines.
    3. What's in your settings? – Take advantage of a site's privacy settings. The default settings for some sites may allow anyone to see your profile, but you can customize your settings to restrict access to only certain people. There is still a risk that private information could be exposed despite these restrictions, so don't post anything that you wouldn't want the public to see. Sites may change their options periodically, so review your security and privacy settings regularly to ensure your choices are still appropriate.
    4. Use strong and unique passwords – Protect your account with passwords that cannot easily be guessed. If your password is compromised, someone else may be able to access your account and pretend to be you. Never use the same password on social media as you do for work or banking.
    5. Beware of third-party applications – Third-party applications may provide entertainment or functionality, but use caution when deciding which applications to enable. Avoid applications that seem suspicious, and modify your settings to limit the amount of information the applications can access.
    6. Be wary of strangers – The internet makes it easy for people to misrepresent their identities and motives. Consider limiting the people who can contact you on these sites. If you interact with people you do not know, be cautious about the amount of information you reveal and about agreeing to meet them in person.
    7. Be skeptical – Do not believe everything you read online. People may post false or misleading information about various topics, including their own identities. This is not necessarily done with malicious intent; it could be unintentional, an exaggeration, or a joke. Take appropriate precautions, though, and try to verify the authenticity of any information before taking any action.
    8. Check privacy policies – Some sites may share information, such as email addresses or user preferences, with other companies. This may lead to you receiving more spam in your email. Additionally, try to locate the policy for handling referrals to make sure that you do not unintentionally sign your friends up for spam. Some sites will continue to send email messages to anyone you refer until they join.
    9. Keep software and browsers up to date – Install official software updates so attackers cannot take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it.
    10. Use and maintain antivirus software – Antivirus software helps protect your computer against known viruses, so you may be able to detect and remove the virus before it can do any damage. Because attackers are continually writing new viruses, it is important to keep your antivirus definitions up to date.

    While this list of tips is not exhaustive, it provides a guide to a more secure social media experience. By following these guidelines, you can get all the enjoyment meant to come from social media, while keeping your personal information private and your computer safe.

    Children are especially susceptible to the threats that social networking sites present. Although many social media sites have age restrictions, children may misrepresent their ages so they can join. By teaching children about internet safety, being aware of their online habits, and guiding them to appropriate websites, parents can ensure that their children become safe and responsible users.

  • Celebrate Cyber Security Awareness Month by learning more about phishing and cyberattacks

    Along with Breast Cancer Awareness Month, did you know that October is also Cyber Security Awareness Month?

    As we work hard to raise funds and awareness with Making Strides Against Breast Cancer events and other mission partnerships in October, Information Technology wants to help us grow our online awareness – by featuring a few informative articles throughout the month. 

    Let's jump right in: This first article examines the importance of critical thinking in avoiding cyberattacks. When we hear about phishing, IT asks that we use our critical thinking skills. But what exactly does that mean? 

    Critical thinking is the process of actively analyzing and evaluating information gathered by observation, experience, or reasoning to inform action. These skills are particularly important when working in your inbox because email is the easiest way to access any company. Below are some facts to keep in mind:

    • Most email is spam – up to 97 percent of global email is not legitimate!
    • An event that starts with only one person (clicking a bad link or opening a malicious attachment) can quickly multiply.
    • Scammers usually like to incite emotions and urgency to deliberately derail your critical thinking skills.
    • Most phishing emails will send you to a malicious site that has been created for this attack. 

    Using the following questions can help us approach our email – both at work and home – with critical thinking and the right response:

    • Where did the email arrive, your inbox or a junk/spam folder? Unless you are positive that the email is legitimate, leave it in the Junk folder. Your email provider is probably right – this is an email you don't want or need.
    • Do you know the sender? Any email from a stranger should be viewed with suspicion.
    • Was the email sent only to you? Spam and malware are usually sent in volume. Scammers make their money by finding one or two unsuspecting or careless people for every thousand emails sent. If someone other than you appears in the "To" field, that might be a red flag.
    • Were you expecting this email? Successful phishing attacks often exploit a compromised user's address book to send the malicious software to their contacts and friends. If you see a puzzling email from someone you know, email them back and ask whether they meant to send that email. Chances are you'll be doing them a favor by alerting them that they have been hacked.
    • Does the message make sense? Read suspicious messages carefully for clues that the real sender is someone other than who they claim to be – broken English, vague messages, and language that doesn't sound like a typical message from your sender.
    • Are there logos or identifying marks in the signature? Compare the signature block and the "From:" address; is it a reasonable comparison? If this email is representing a large company, it should come from the corporate email address, not a free email account.
    • Are there attachments? Generally, only open attachments from your most trusted senders and only if nothing else about the email is suspicious.
    • Do the links take you to where they say? Always hover before you click; you don't have to click a link to know its destination. If you do not recognize the address or it looks strange in any way, don't click!
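One way to automate the "hover before you click" checks in this list (does the visible text match the real destination, and is the domain a lookalike such as goggle.com for google.com) is a small link scanner. This is an added example, not code from the original article or from ACS IT; the KNOWN_HOSTS allowlist and the sample email are constructed assumptions.

```python
"""Automate the 'hover before you click' checks: compare each link's visible text
with its real destination and look for lookalike (typo-squatted) domains.
Added example; the allowlist and the sample email below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of legitimate domains; a real deployment maintains its own.
KNOWN_HOSTS = {"google.com", "microsoft.com", "yahoo.com", "linkedin.com", "cancer.org"}

# Constructed sample message: one typo-squat, one text/destination mismatch, one clean link.
SAMPLE_EMAIL = """
<p>Your account is locked. <a href="http://goggle.com/verify">Click here</a> now.</p>
<p>Or sign in at <a href="http://login.secure-update.example/g">https://accounts.google.com/</a>.</p>
<p>Questions? See <a href="https://www.cancer.org/privacy">our privacy page</a>.</p>
"""


def host_of(url_or_text):
    """Hostname of a URL, or of bare text such as 'www.google.com' (scheme assumed)."""
    text = url_or_text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def registrable(host):
    """Crude last-two-label domain: 'mail.google.com' -> 'google.com'.
    Assumption: no public-suffix list, so 'bbc.co.uk' would become 'co.uk'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags, as a mail client renders them."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Return human-readable reasons a link is suspicious; an empty list means it looks fine."""
    reasons = []
    href_host = host_of(href)
    href_domain = registrable(href_host)
    # 1. The visible text is itself a URL/hostname but the link really goes elsewhere.
    if " " not in text and re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I):
        shown = host_of(text)
        if registrable(shown) != href_domain:
            reasons.append(f"text shows {shown} but link goes to {href_host}")
    # 2. Typo-squat: near-miss of a known brand (google.com vs goggle.com).
    if href_domain not in KNOWN_HOSTS:
        for known in sorted(KNOWN_HOSTS):
            if edit_distance(href_domain, known) <= 2:
                reasons.append(f"{href_domain} looks like {known}")
                break
    # 3. Brand used as a decoy label, e.g. google.com.evil-example.net.
    for known in sorted(KNOWN_HOSTS):
        brand = known.split(".")[0]
        if brand in href_host and href_domain != known:
            reasons.append(f"{href_host} mentions '{brand}' but is not {known}")
            break
    return reasons


def scan_email(html):
    """Run check_link over every anchor; keep only the suspicious ones as {href: reasons}."""
    parser = _Anchors()
    parser.feed(html)
    return {h: r for h, t in parser.links if (r := check_link(h, t))}
```

Running scan_email(SAMPLE_EMAIL) flags the goggle.com link and the link whose text says accounts.google.com but goes elsewhere, and leaves the cancer.org link alone.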

    If you get suspected phishing emails in your inbox, move them to your Junk folder. Do not respond to the email; doing so would just verify that your email address is active, and you will get more phishing emails. Lastly, do not forward the email. You are just helping the phisher create more copies of the email, which could lead to more issues.

    If your email address is compromised, make sure you change your password right away. Consider applying multi-factor authentication – a security measure that requires more than one method of authentication from different types of credentials to verify your identity for a login – to your home email accounts. For example, if you log in from a new computer, multi-factor may require you to know your email password, as well as have your mobile phone nearby to receive a special code to verify it is you before you can log in. This will make it harder for a criminal to access your account, and all the larger free email accounts provide this protection.

    Another way scammers can try to worm their way in is through internet pop-ups or phone calls. Use your critical thinking skills there, too: 

    • Remember that Microsoft, the IRS, and many other entities will not call you on the phone and ask for sensitive information.
    • If something sounds too good to be true, it is.

    Continuing throughout October, look for additional IT security articles on My Society Source with good information you can use to keep yourself and your family safe.

    So, as you fire up your pink for breast cancer awareness, let's all make the commitment to learn more and stay safe as we use the latest and greatest technology in our roles. 

  • Please think before you click that link!

    Just a reminder to all volunteers: take a few seconds and think before clicking links in emails, especially the ones that seem a little odd. Trust your gut; if it raises suspicion, it's probably a phishing attempt.

    Never share your login credentials (user name and password), especially via email or on a website. 

    One goal of these phishing campaigns is to capture user credentials – which is a form of identity theft. Once gained, the phisher/attacker will then use the credentials to log onto any system available to the attacker, posing as the person whose credentials were compromised.

    Tips for dealing with phishing attempts

    1. Critical thinking is crucial. Stop and think before you click that link!
    2. Ask yourself: Even if you know the sender, is it a legitimate email? Is what they are asking for, and how they are asking for it, typical?
    3. Hover over links in emails and other documents. Where will the link take you?

    Education is protection!

    One of our best defenses against phishing is educated and aware volunteers. The better everyone understands phishing and ransomware attacks, the better we can protect our systems. To learn more, visit the National Cyber Security Alliance website on staying safe online, and read this article on the top five things staff can do to avoid phishing attacks.

  • The top five things you should know to protect the Society from phishing attacks

    Please take the time to review and use this quick list of the top four things you can do to protect the Society from phishing attacks:

    1. Know: What is phishing, and why do the bad guys use it?

    Phishing uses fake emails, which often look official, to trick users into giving up information like usernames and passwords or to load malicious software (malware) on your computer. Phishing scams are designed to induce panic in the reader to provoke an immediate response by claiming they will lose something, such as email or bank account access.

    Phishing attacks are increasingly common to all kinds of organizations – for profit, not-for-profit, government, and charitable. Because the emails trick users into taking an action, user education is our best protection.

    2. Stop and think.

    Critical thinking is the best way to stop phishing attacks. No technology can prevent all phishing attempts from getting through. Stop and think with every email you receive. Does it pass the smell test? 

    3. Hover over links before you click (as pictured in the smaller photo).

    Never click a link in email or your browser search without hovering over it first to see where it leads. The way browsers work, clicking on a website can load code or run scripts on your computer, so sometimes just clicking can be all the bad guys need.

    4. What can happen with phishing?

    Generally, phishers are looking for private or sensitive information they can use for fraud – credit card numbers, usernames, passwords, Social Security numbers, etc. Clicking on a phishing link or attachment can also introduce malware onto your computer or network. These programs can record your keystrokes, turn on your webcam, open a back door to the internet for remote control, or download more bad software. Of particular note is "ransomware," which will encrypt your documents for a bitcoin ransom.

    For more information on recognizing spam and phishing emails:

    While the technology protecting our systems is one part, everyone plays a crucial role in internet safety. 

  • Tips from IT on the Equifax breach

    You may have heard that the consumer credit reporting firm Equifax recently announced they were breached by one or more attackers, who stole personal information for more than 143 million people – including about 44 percent of the total U.S. population. 

    With nearly one out of every two adults impacted by this breach, the chances that you are a victim are good. If you are not, then find the nearest person, and statistically, they will be. This is a big deal.

    The information that was disclosed includes details that can be used to open lines of credit, apply for bank loans, buy a car, get a driver's license, get a passport, or anything that involves the use of a Social Security number, date of birth, and other personally identifiable information (PII). 

    What can I do?

    Experts contend that the hackers will buy, sell, and trade the information stolen in this breach for years to come, which means that, if you are impacted by this breach, you should be diligent not only for the next few weeks and months, but for years to come. Equifax has created a website where people can learn more about the incident, with two things of note:

    • Under the menu item at the top of the website, a link called "Enroll" will take you to a page where you can determine whether your data were impacted by this breach. You will be asked to provide your last name and the last six digits of your Social Security number, and based on that information you will receive a message indicating whether your personal information may have been impacted by this incident.
    • Whether your data were impacted or not, Equifax is giving everyone the opportunity to enroll in what is called "TrustedID Premier," which is a credit monitoring service. Note that this is not a credit "freeze," but only a monitoring service, and it is only good for a month. Because Equifax is constantly being pressured by the public and our government, this offering may get better with greater coverage.

    Beyond what Equifax is offering for free, there are additional steps which would be prudent to take:

    • Purchase a security freeze for your information. This is the action that does the most to protect you. Unfortunately, few people know about it. What a security freeze does is lock your credit scores so no one can access them. This means that while your credit score is frozen, no bank or financial organization (such as a credit card company) can check what your credit score is, which means no one will give you (or a criminal pretending to be you) a loan or credit card. The challenge is you must manually set up a security freeze with each of the four credit bureaus. In addition, if you want to get a new loan or credit card, you then must manually unlock your credit service. 

    Here are each of the credit bureaus and links to their respective pages on how to set up a freeze:

    1. Equifax
    2. Experian
    3. Innovis
    4. Trans Union
    • Beware of social engineering attacks. Over the next days and weeks, cyber attackers will take advantage of this incident and launch millions of phishing emails, phone calls, or text messages trying to fool people. Be aware this will likely occur.

    What happens if my information is fraudulently used?

    If someone does steal your identity as a result of this or any other breach, the Federal Trade Commission has created a site to help you recover. The interactive site will walk you through steps like the ones pictured above.

    Ultimately, the responsibility is yours to recover from identity theft. Fortunately, there are a few things you can do to lower the chance that your identity will be used after it is stolen, like initiating a credit freeze. If you are the unlucky half of the population who was impacted by this breach, you should act now.
