October 1, 2024

Think Before You Click: Debunking Myths & Discovering Digital Security Best Practices in College

Many college students assume being on a college campus and using their devices with solid passwords offers plenty of cybersecurity. Although colleges work hard to protect their students and data, no organization is perfect. Just as the tech world continues to develop, so do cyberattack strategies. In 2023, the research group Comparitech found that educational institutions in the United States had experienced 3,713 data breaches, impacting over 37.6 million records, since 2005.

This Cybersecurity Awareness Month, take a moment to reflect on your digital habits. Are there any myths you believe about cybersecurity? As you use more technology during your college career, are you prepared to protect your identity and accounts? Daniel Boyd, an IT specialist and digital security expert at Berry College, is here to debunk the biggest cybersecurity myths affecting students in higher education and share best practices for studying on a college campus.

Myth #1: I won’t be a target.

Some college students are surprised to hear they are targets for hackers. A person does not have to have a million dollars in the bank for someone to want to scam them. In fact, many people with less to lose take fewer security measures. Remember: those designing phishing emails and attacks have a myriad of goals. Sometimes, their motive is to get a bunch of throw-away email accounts to anonymously attack others.

But ultimately, you are a great target. A recent article from the Federal Trade Commission, a U.S. government agency responsible for protecting consumers, revealed younger adults were 34% more likely than older adults to report losing money to fraud. Young adults experienced significant fraud in online shopping, and also in online investment scams like fake cryptocurrency opportunities. Younger adults were also five times more likely to lose money to job scams.

Still, email is not the only space where hackers target young adults. Streaming services, especially illegal ones, have become an attack channel for cybercriminals. Recent data from the Pew Research Center states that six in 10 18- to 29-year-olds stream television online. In particular, illegal streaming sites are full of malware or adware disguised as free files.

Malware and adware are dangerous types of software used to infect other devices connected to a network. They can give hackers access to private files on a device, make a device slow down or appear non-responsive, or take you to sites you don’t want to visit.

Myth #2: My passwords are strong enough. I don’t need two-factor authentication (2FA) or multi-factor authentication (MFA).

Best practices start with passwords. Have you stopped to count how many accounts you have? Take a minute to do that now. Once you have that number, ask yourself how many different passwords you use. The number of accounts you have should be the same as the number of passwords you have. Each password should be long and complex. Password managers are a great tool for generating complex and unique passwords as well as for keeping up with different passwords. If you have the same number of passwords as accounts, and each password is complex, you’re off to a good start. However, you’re not secure yet.

Even perfect passwords won’t provide you with the level of protection needed in our connected, digital world. You need 2FA or MFA. Will this slow down your login time? Maybe. But ask yourself what it would feel like to have money or your identity stolen and reconsider those two extra seconds.

If any password, whether it’s 20 characters or not, is accidentally or intentionally leaked on the internet, your account is in danger without the protection of 2FA or MFA. This matters even more now that many colleges use single sign-on (SSO) for most of their web-based applications: if your password is leaked, a hacker has access to everything. With 2FA or MFA, you must know the correct password and provide additional information via an app or a physical key that plugs into a USB port.

For example, imagine you use the same password for your Instagram account that you do for your SSO college accounts. If your Instagram password is leaked, a hacker may try the same or similar passwords for your college accounts. If the attacker gets in because you haven't enabled MFA, all your personal information is compromised.

Myth #3: Hackers can’t get to me on campus Wi-Fi.

While campuses work hard to protect their students, criminals are creative. When you log on to campus Wi-Fi, there is often a choice: a guest Wi-Fi and the main college Wi-Fi that requires a sign-on. Always choose the Wi-Fi that requires a sign-on. Guest Wi-Fi is essentially a public Wi-Fi network. Built for convenience, it allows anyone in the vicinity to connect and is less secure. For example, if a device infected with malware connects to the guest Wi-Fi, it can more easily infect other devices.

Once you leave campus, whether you live in a big city or a small one, be careful when, where and how you log into your accounts. It’s common to use publicly available Wi-Fi at coffee shops, stores and other places. But public Wi-Fi access is different from using your phone’s cellular data to log into your accounts. It is much less safe because you don’t know if the Wi-Fi network was properly configured and secured, or if a cyber attacker has compromised it. Think about it: wouldn’t a homey, safe-feeling coffee shop be a place to steal information? If you do connect to a public Wi-Fi, use a Virtual Private Network (VPN). VPNs encrypt data and mask IP addresses to protect users' privacy and security online.

Keep in mind that any malware installed on your computer on a guest or public Wi-Fi network will then infect other computers when you sign back onto the secure network. Protecting yourself is protecting the entire college network and building cyber resilience across campus.

Double your hesitancy when using publicly available devices. You know nothing about these machines or their security. Be very hesitant to log into accounts, particularly sensitive or financial accounts, on any publicly accessible devices.

Maybe you don’t use the public library much, but consider this Spring Break example. You rent a fun Airbnb with friends. Using the available smart TV, you sign in to all your favorite streaming services. The following week, you log in to watch a favorite show, and someone has added a user profile to your account. To your horror, you realize you never signed out of the smart TV in the Airbnb. It’s time to change your passwords and make sure you have 2FA or MFA set up on your accounts.

Myth #4: Phishing emails are easy to spot.

It starts with an email in your already overloaded inbox. The message declares your account is expiring and needs you to click the link provided to access your account. After dutifully clicking the link, you confirm your account by entering your username and password on the page provided. Congratulations! You just got phished. Your account no longer belongs to you. Someone else now has your username and password because you gave them that information.

Phishing emails are still one of the top tools of hackers and have become much more difficult to spot. For example, some hackers go as far as to use the real names of professors or college staff to sign emails. With lists of employees publicly available, it is easy for hackers to impersonate college employees.

Many scams or attacks geared toward younger adults do come via social media, but the primary avenue is still email. Now with easily accessible generative artificial intelligence (AI), gone are the days of poor grammar and misspelled words. However, the primary key to spotting phishing emails remains the same – urgency. Phishing emails generate a sense of panic, attempting to knock you off balance mentally, causing you to make a poor decision.

Here is a list of common phrases or themes to look for in phishing emails:

  • Your password or account is expiring today!
  • You must pay a fee, or your account will be closed today!
  • You will lose access to something important if you don’t do as the email instructs IMMEDIATELY!

What to do when you receive these emails:

  • Whenever an email causes you panic or prompts you to act fast, immediately stop and take a breath to help you think clearly.
  • Log in to your account NOT from the link in the email, but instead, via the way you typically log in.
  • Is this offer you received too good to be true? Is that sale real? Can you google the sale and find it listed in other places as a scam?
  • When possible, check claims using a method other than clicking on a link in an email. Be suspicious, always!
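
The cues listed above can also be checked mechanically. The following Python sketch is an added example, not code from the article or from Berry College: it flags the urgency themes from the list and any link whose host is not exactly the sign-in host you normally use. The host `login.example.edu`, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: the host you normally type or bookmark to sign in (placeholder).
TRUSTED_LOGIN_HOSTS = {"login.example.edu"}

# Urgency themes taken from the article's list of common phishing phrases.
URGENCY_PATTERNS = {
    "expiring": re.compile(r"\b(password|account)\b.{0,40}\bexpir\w+", re.I | re.S),
    "fee_or_closure": re.compile(r"\b(pay|fee)\b.{0,60}\b(closed|suspended)\b", re.I | re.S),
    "lose_access": re.compile(r"\blose access\b", re.I),
    "deadline": re.compile(r"\b(today|immediately|right away|within \d+ hours?)\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

# Constructed sample messages as (subject, body); not real emails.
PHISH = ("Action required",
         "Your account is expiring today! Confirm it at "
         "https://login.example.edu.account-verify.test/renew now.")
BENIGN = ("Library hours",
          "The library closes at 10 pm this week. "
          "Details: https://login.example.edu/portal")


def link_hosts(body):
    """Return the lowercase hostname of every http(s) link in the body."""
    hosts = [urlparse(url).hostname for url in URL_RE.findall(body)]
    return [h.lower() for h in hosts if h]


def triage(subject, body):
    """Return (verdict, reasons), where verdict is 'stop', 'caution' or 'ok'."""
    text = f"{subject}\n{body}"
    reasons = [name for name, rx in URGENCY_PATTERNS.items() if rx.search(text)]
    urgent = bool(reasons)
    # Exact host match: a lookalike that merely starts with the trusted
    # name (login.example.edu.account-verify.test) is still untrusted.
    untrusted = sorted({h for h in link_hosts(body) if h not in TRUSTED_LOGIN_HOSTS})
    if untrusted:
        reasons.append("untrusted_link:" + ",".join(untrusted))
    if urgent and untrusted:
        return "stop", reasons      # urgency plus an unfamiliar link
    if urgent or untrusted:
        return "caution", reasons   # verify through another channel first
    return "ok", reasons


if __name__ == "__main__":
    for subject, body in (PHISH, BENIGN):
        print(subject, "->", triage(subject, body))
```

A "stop" or "caution" verdict is a prompt to sign in the way you typically do and verify the claim, and an "ok" verdict only means none of these particular cues were present.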

Want more examples of real phishing emails hitting college student inboxes today? Check out Berry’s phishbowl website and decide whether you would have been tricked!

Keep Learning

If you are nervous about your cybersecurity awareness, take action. Today, many colleges require cybersecurity training. Take it seriously. If you want to learn more, seek reputable information, such as the precautions on the National Cybersecurity Alliance’s Stay Safe Online website.

The IT Office at Berry College also has a cybersecurity alert and news system for students. If you are a college student, search your college website for more available internal resources and tips specific to the technology used on your campus. No matter who you are or where you are, educate yourself on cybersecurity and confidently engage in our connected, digital world.