E-Mail Safety Tips

The Information Security Office takes e-mail safety very seriously, and for good reason.


Did you know?

  • E-mail is our number one attack vector. "Phishing" is when an attacker sends an e-mail that appears legitimate at first glance. The idea is to trick someone into opening the e-mail and clicking on a link, exposing them to the attacker and giving the attacker an opportunity to get into our environment. UWSP receives thousands of phishing attempts every single day. Most are blocked by our security systems, but some slip through. Attackers send out so many phishing e-mails at once because it only takes one to succeed in their attack. That's the hardest part of security - we have to successfully protect ourselves every time. The attackers only need to succeed once.

  • E-mail is also a repository of sensitive data. Think about it: Every e-mail you have gotten over the course of your career matters. What you know is valuable to an attacker. E-mail provides a running history of information pertaining to you. More than that, it's possible your e-mail contains sensitive data protected by federal regulations, like FERPA. At the very least, it's likely to contain what is known as PII (Personally Identifiable Information). Your e-mail might contain this data without you even knowing it.

Because of this, the Information Security Office would like to inform you of the following:

  • The use of "personal" e-mail addresses, like those available through Gmail, Yahoo, Hotmail, etc., for university business is strictly forbidden by UW System administrative policy and by our institution. All university business should be conducted through officially issued e-mail addresses provided, supported, and protected by UWSP Information Technology.

  • You should clear out your e-mail periodically. Doing so makes it far less likely that your mailbox contains long-forgotten sensitive data and makes it far less damaging in the event your account is compromised.

  • Take steps to protect yourself the moment you believe your account might be compromised. If you are not sure what to do, contact the IT Service Desk or Information Security Office immediately for advice. It's always a pain to have to change your password, but it is much less painful than having to explain how sensitive data was leaked because you were too embarrassed or too busy to change your password when you fell for a phish. It also goes a long way toward protecting the integrity of our institution. A stitch in time saves nine. There is a reason phishing is the most common attack type - it works. Do not feel embarrassed; everyone falls for a phish sooner or later. Do not feel bad about bothering us; that is literally our job.

  • If you are frequently being targeted by e-mail scams, notify the IT Service Desk or Information Security Office. Phishing is a broad attack. The attacker will send out hundreds or thousands of e-mails at once hoping to get a "bite." Spear Phishing takes this one step further. Instead of sending mass e-mail messages, the attacker will select only a few people and, using publicly available information, will tailor a message specifically to you. They may impersonate your supervisor, a colleague, or a contractor with whom we frequently do business. The idea is the same - to get you to compromise your account. However, because the number of messages is low and the e-mail is tailored to appear as legitimate as possible, these messages can be very difficult to detect unless you tell us that you are being targeted by these attackers.

After hearing this, most people have questions. Here are some of the most common questions we get. If you have a question that does not appear here, or if you have any other comments, questions or concerns, please contact the Information Security Office. We are always happy to speak with the constituency of UWSP's Information Technology department, and will always hear you out whenever you feel a policy is an impediment to your productivity or research.

FAQ:

  • If I can't use my personal e-mail address for business purposes, can I use my university address for personal purposes?

    • You could, but you probably shouldn't. It's always the best idea to keep university work and personal lives separate. That way, if one account is breached, the other stays safe. Let's say you use your UWSP e-mail address for everything. One day you fall for a phish. Hey, it happens to the best of us. The problem is now the attacker has access to your research, your e-mails, student data, your personal finances, your Netflix account, your PayPal, etc. Keeping the two separate is a security principle known as compartmentalization. There's nothing wrong with sharing your personal life with your co-workers (just don't overshare; I'm looking at you, Rita), but keep a firewall between those aspects of your life when it comes to how you communicate.