Cathy Hubbs warns bad actors lurk everywhere in the digital world.  

Hubbs, AU’s chief information security officer, leads the effort to prevent these scams from entering our corner of cyberspace.  

“They're out there, using psychological manipulation to try to trick you,” Hubbs said. “And people are falling for it.” 

Cyber thieves use impersonation combined with an urgent message to fool you into providing personal or financial information. They often disguise themselves as people you know, using fraudulent domain names and email addresses that appear as names with whom you are familiar, Hubbs said. If you look closely, you can often spot the deception. 

In honor of October’s National Cybersecurity Awareness Month, Hubbs named email impersonation and multifactor authentication fatigue as cyber threats to remain wary of and shared precautions AU community members should take. 

Watch Out for Anyone Asking for You to Purchase Gift Cards  

A current scam includes emails or text messages from what appear to be friendly people—supervisors, coworker, professors—asking for a favor or similar that includes a request to purchase gift cards then reply to the message with pictures of the code on the back of the gift card. The criminal cashes in the gift card. The criminals are difficult to track down. Critically look at the email address associated with the sender’s name, Hubbs said, and you will see if the email address is suspicious. The address can be a Gmail address with a name that looks like the person you may know or a variation of our domain, for example hubbs@american.com instead of @american.edu. Same with text messages – use a phone number you know is associated with the person contacting you to call and confirm the request is legitimate. 

Use the Report Phishing Option in Outlook 

Unfortunately, address impersonation is common, Hubbs said, and she encourages everyone to use the Report Phishing option in Outlook if in doubt about an email message. The Report Phishing button is available for your mobile devices too. The Report Phishing button pulls the machine details needed by OIT to investigate and take appropriate actions.  

Be Aware of Bad Actors Using Repeated Multifactor Authentication Notifications  

Hubbs said bad actors are constantly looking for a way into AU's systems. A new method is to send multiple notifications via the Duo MFA app or send a series of text messages asking for an access code. Fatigue from receiving multiple successive notifications is by design, Hubbs said, to get you to accept and allow access to our network resources with your account. The solution is to only accept a Duo MFA notification after you personally have initiated it by logging into an AU resource. Never give your access code to someone requesting it via text message.