UVM's Information Security Operations Team answers "Why?" Why?security


BOLO: COVID-themed Attacks

As COVID-19 continues to dominate the news cycle and daily life, the UVM Information Security Office would like the community to Be On the Look-Out (BOLO) for cyber criminals using COVID-19 as a theme for phishing emails, scams, and other attacks on the security of your information and that of the University.

These attacks could take the form of:

  • phishing emails regarding online learning or telecommuting, potentially providing a link to log in to an “online learning portal”;
  • fraudulent donation sites;
  • news hoaxes;
  • messages that look like they come from officials (such as WHO representatives or Red Cross workers) and ask for personal information or donations.

Remember: Be wary of any email or message that urges you to take swift action, plays on your fears, or involves money. Be skeptical of “UVM” communications coming from outside of the UVM community and remember not to enter your NetID credentials on non-UVM websites.

More information on these types of phishing attacks can be found at https://www.helpnetsecurity.com/2020/03/09/coronavirus-scams/ and more information on UVM’s response to COVID-19 can be found at https://go.uvm.edu/covid19.

Windows 7 Advisory

This post is part of a series contributed by the ISO’s 2019-2020 student intern Emily Connolly, ’20.

On January 14th, 2020, Microsoft support for Windows 7 will end, which means that version of Windows will no longer receive patches to fix bugs or security flaws.

Why is this happening?

End of life is the term used by Microsoft when they no longer support a system or service, often because it has become outdated. With the arrival of Windows 10, Microsoft began phasing out mainstream support for Windows 7 in January of 2015.

How does this affect me?

Failing to update to Windows 10 and continuing to run Windows 7 can leave users vulnerable to cyberthreats. With no more patches or updates to fix bugs and vulnerabilities, hackers can exploit these security flaws. Even if Microsoft or its users discover additional security flaws in Windows 7 after January 14th, it is likely that they will not be patched. Some attackers even be sitting on zero-days, a security flaw that is known with no patch, and waiting for the system end-of-life to exploit this vulnerability.

Updating your machines to Windows 10 will mitigate this risk.

How do I know which version of Windows I’m running?

By searching for “system information” in your start menu, you will be directed to a window with information on your system, including what version of Windows you’re running under “OS Name.”

What should I do now?

If you haven’t yet updated to Windows 10, it is important to do that in the coming weeks before the Windows 7 end of life. Encourage your friends, classmates, and your co-workers to do the same. If you are unable to upgrade, keep a close eye on your machine for unusual behavior in the weeks following the Windows 7 end-of-life and keep your anti-virus and security software up to date.


For more information or help upgrading to Windows 10, please visit or contact UVM’s Tech Team at tech.team@uvm.edu or www.uvm.edu/it/help.

“DUO” the Necessary Steps to Protect Yourself!

Enabling Multifactor Authentication

This post is part of a series contributed by the ISO’s 2019-2020 student intern Emily Connolly, ’20.

What is multifactor authentication? How do I use the DUO app? How do I lock down my passwords? If these questions keep you up at night, read on. If not, read on anyway; it’s important knowledge to have.

Multifactor authentication (MFA) is the practice of having two or more methods of verifying your identity when logging into an account. Entering your password is one method of verification, and others may include a text sent to your phone with a code, a security question, or even biometrics, like your fingerprint.

MFA types fall into three major categories: something you know, something you have, something you are.

A password or a security question is something you know. It doesn’t change often and is a piece of information that can be leaked or stolen. However, the second piece of authentication requires something you have (a one-time code) or something you are (fingerprint) to proceed. These are harder to get false access to without physically stealing your phone or stealing one of your fingers (in which case you’d have much bigger problems).

You’ve probably used multifactor authentication before—Google accounts often enforce it when you’re logging in on a new device.

Multifactor authentication helps protect your account by setting up several ways to verify that it’s really you logging into your account. That way, even if someone cracks your password, there is another, tougher layer of security for them to get through.

Multifactor Authentication at UVM

Here at UVM, some resources are protected by DUO Multifactor Authentication. With this tool and the free smartphone app, users are sent a one-time verification method to use alongside their login credentials. This verification can be sent as a push notification from the app (easiest method), or as the six-digit code provided in the app. This code can also be sent as a text message, through a landline phone, or even as a generated list of codes users can use when offline as well.

This method adds a second step to the login process and thwarts would-be attackers who may have your password, but do not have access to your phone. Multifactor authentication protects you, your information, and the University’s information.

However, beware if you receive a request in your DUO app that was not sent by you.  Sometimes, users can get a request and know they did not send a push notification to their mobile device (tablet or mobile phone). Denying the request is your best option; it could be someone else attempting to gain access to your account.

More information

To learn more about multifactor authentication here at UVM you can visit https://www.uvm.edu/it/kb/article/duo-multi-factor-authentication or read the Duo FAQ at https://www.uvm.edu/it/kb/article/duo-faq. We also made another blog post back in 2016 on the matter, which you can read here.

Go Phish!

Defeating phishing emails and securing your inbox

This post is part of a series contributed by the ISO’s 2019-2020 student intern Emily Connolly, ’20.

It’s 8am on a Monday morning. You pour yourself a cup of coffee and open your laptop to read all the emails you’ve been putting off since Friday afternoon.

This is you.

When you open your mail inbox, this message is waiting:

“Oh no!” you think. “Have I not been getting my emails? What does this mean?”

Hmm. Now this is interesting.

Before doing anything, however, it’s important to consider the threat of a phishing scam— an attempt to steal your UVM credentials (your NetID and password). A phishing scam often comes in the form of an email, perhaps one asking for you to enter your UVM credentials or offering a well-paying part-time job from a professor working overseas.

Often times, phishing scams will try to play off your emotions—such as a mail message threatening to delete your account, the idea of an easy side job, or a compromised UVM NetID. The goal is to get you to act fast, getting you to enter in your UVM credentials to solve the problem quickly without noticing the signs that the email you received isn’t actually legitimate.

It’s time to be a detective!

Here are some things to look for when you see a suspicious message:

  1. Check the email subject. Has it been left blank? Is it vague? Does it use a “scare-tactic” to get you to act fast? Do you feel pressured?
  2. Who is it being sent by? Is it not a UVM email? Is it someone you don’t know? If it is someone you know, is it a strange request for them to have?
  3. Where are the links going to? Any email that asks you to enter your UVM password on a non-UVM web site is a phishing scam. UVM will never ask you to enter your UVM NetID and password on a non-UVM web page—even if it looks like a UVM page, and even if it’s on a reputable site, such as Google Docs, or if it contains UVM graphics and you’ve been directed there by an email that appears to come from a UVM email address. Remember: The UVM Tower logo or any related graphic is not a guarantor of legitimacy.

For example, this email here is directing users to a Weebly site, and by mousing over the link, you can see where the link will take you without clicking.

  1. Does the email have strange capitalizations or odd grammar and spelling? Is there no greeting or sign off? Does the signature not match the email sender?
  2. Is money involved? Do they want me to help them pass checks or move money with the promise of payment afterward?
This email here contains the strange formatting and the promise of money. It’s a scam!
  1. Ask your friends. Does the email seem like a scam to them? Sometimes, taking a step back from the situation can help you think more clearly.
“Harold, that’s not from UVM! They’ll never ask for you to enter your credentials on a non-UVM page!”

If you’re even unsure about the legitimacy of a message, you can contact the Computing Help Line at 656-2604, or submit a help request online. You can also directly contact the party involved by directly mailing the organization or office the email is purporting to be from, but not by replying to the suspicious email. Instead, use the email you have on file for the organization or the one they display publicly on their website.

You can also report phishing emails by forwarding the phishing email with full headers to abuse@uvm.edu. (To forward a message with headers, please see https://www.uvm.edu/it/kb/article/forwarding-full-mail-headers)

What to do if you’ve fallen for a phishing scam

Time to call the UVM Computing Helpline!

If you’ve followed the link in the message, or replied to this email or one like it, you should change your password immediately at www.uvm.edu/account. Contact the UVM Computing Helpline if you need assistance changing your password. You should also change any similar passwords to your UVM password.

More info

For more information about phishing scams, view our Web page on protecting your NetID and password

Yahoo! You’re now ready to conquer the inbox!

Protecting Your NetID Password

You’ve probably heard by now that UVM has been subject to a computer system intrusion that has the potential to result in the malicious use of UVM NetIDs and passwords. Here’s the crux of the announcement:

The University has no indication that personally identifiable information has been accessed or compromised. Nonetheless, the University is taking the proactive step of requiring that ALL passwords be changed immediately and no later than 4:30 PM on Thursday, May 24.  Accounts with passwords that have not been changed by this time will receive an additional notification, will have their passwords expired, and a change will be required before the account can be used again.

Ongoing monitoring of the University’s computer systems resulted in early detection of this system intrusion, which improved our ability to implement protection and mitigation strategies. The University continues to work with law enforcement and information security experts to investigate and address the intrusion.  Users are asked to be extra vigilant with their computer use and report any suspicious activity to abuse@uvm.edu.

For more information you can read the full announcement and an up-to-date FAQ.

While no one likes maintaining passwords, they remain an important part of the security infrastructure at UVM and our peer institutions. We’ve recently implemented Multifactor Authentication for access to our most sensitive services, such as PeopleSoft, VPN (Virtual Private Network), and Virtual Desktop Infrastructure, and we may protect more systems with MFA in the future. Even with MFA in place and our strong password standards, you can help protect yourself and the University by following these guidelines:

  1. The longer the password, the more difficult it will be to crack. UVM NetID passwords are required to be at least 12 characters long, but longer is better. You can use even use a phrase, or a string of random words, e.g. ‘owls are my favorite flying Things.’, or ‘house caterpillar verify peanut’.
  2. The more character sets used, the more secure the password. Different character sets include:
    • upper case letters (A B C D)
    • lower case letters (a b c d)
    • numbers (1 2 3 4)
    • punctuation or other symbols (! @ # $)

    UVM NetID passwords require at least two different character sets, but more is better.

  3. The more complex a password is, the more difficult to guess. Complex passwords are:
    • not based on single words found in the dictionary, in any language
    • not words spelled backwards, common misspellings or abbreviations
    • not sequences (12345678) or repeated characters (22222222)
    • not common mathematic sequences and series like Fibonacci numbers, Pi, or prime numbers
    • not keyboard layout sequences (QWERTYPOIU, qazwsxedc or similar)
    • not dates like birthdays or anniversaries
    • not personal information like names of friends, relatives, pets or children
    • not another unique identifier like your Social Security Number, student ID number, bank PIN, driver’s license number or passport number

An ideal password is one that is easy for you to remember, impossible for a human to guess, and more difficult for a computer to crack. While UVM stores passwords in a strongly encrypted form, attackers could potentially leverage the computational power of botnets and modern supercomputers to crack weaker passwords with relative ease.

Using a string of random words is a great alternative to remembering a string of gibberish (or choosing a weak password):

Image: xkcd—a webcomic of romance, sarcasm, math, and language (Creative Commons BY-NC 2.5)

A few other tips:

  1. Use a password keeper. You’ll only need to remember your master password, and most password keepers can generate strong passwords for you that you won’t need to remember. Many password keepers integrate with your web browser so you don’t even need to type the passwords to use them. Among the password keepers used by IT staff at UVM are LastPass, Dashlane, KeePass, and 1Password. While we don’t support or endorse a specific password keeper at this point, they represent a mature technology that is reliable, secure, and convenient.
  2. Don’t use your UVM password anywhere else. This is the main reason we require annual password changes- if another password database has been breached (such as those at Yahoo!, eBay, and Adobe) and users have used the same password there that they do at UVM, eventually the attackers will discover that they have working UVM credentials.
  3.  No passwords on sticky notes! (No, really. It’s 2018.)
  4. Take steps to protect yourself from malware and phishing scams. Keylogger malware, which captures your keystrokes and passes them along to malicious actors, is a common source of compromised credentials. Keep your antivirus software up to date and don’t visit any dubious websites. Be sure to check the URL bar of your browser any time you’re entering your UVM credentials into a website (even if it looks familiar); make sure you’re always at uvm.edu/.



Being “Smart” With Your Smartphone

Last month was National Cyber Security Awareness Month.  To keep you thinking about security, this is the third of four tips based on current hot topics at the university.

Being “Smart” With Your Smartphone

Chances are if you have a smartphone you know what a useful tool it can be and chances are even greater using it as a “phone” constitutes a small percentage.  With that in mind, we offer some tips to help you stay secure:

  • Stay up-to-date with software updates.  We know that change is hard and often not welcome, but updates usually include important security fixes that ensure the information you enter, access, and store in your smartphone stays secure.
  • Set a passcode.  It doesn’t have to be a combination of 23 letters, numbers, and special characters.  Even just enabling the passcode enables important security features, such as encrypting the data on the phone so that only someone with the correct passcode can decrypt it.  A four-digit passcode is a start, but even better is something simple that adds a bit of complexity yet is easy to type on a tiny virtual keyboard.  Examples: 37Snowflake or Freefall28
  • App Stores.  Sticking with the native app stores, such as the Apple App Store or Google Play Store, will help to ensure that the apps you install don’t contain any password-stealing malware.  There are examples of simple game apps stealing information from your phone and sending it off to the Internet while you’re playing the game.
  • Loss/Theft: Subscribe to the “find my device” service for your particular phone.  By doing this, if you do lose your phone, you’ll have multiple options for locating the device, sending a message to it, or even erasing it remotely.


The Password Is Dead: Long Live…Anything Else!

Executive Summary

[read time: approx 1.5 min.]

Passwords by themselves are no longer sufficient for protecting your information and UVM’s information from everyday attacks. UVM is moving to require multi-factor authentication (MFA) to protect the most critical information at first, and all of the university’s online assets in the long run.

This means that logging into certain online services provided by UVM’s Enterprise Technology Services (ETS) will require something in addition to your password, similar to many online banking applications. ETS is starting this process with PeopleSoft in October and November of 2016. A very simple, free smartphone app called Duo Mobile is the recommended method (really, the only one which will scale to the size of UVM’s entire population) and is anticipated to satisfy the needs of the vast majority of UVM users. There are other options; they’re reserved for cases where use of the Duo Mobile app is impossible or its use otherwise presents extreme hardship.

The Details

[read time: approx. 8 min.]

For a long time and for a lot of people, “information security” has meant of a stream of Don’ts* and basically only one Do: Create a “strong” password and keep it secret. This approach meant that we IT professionals had to repeatedly connect with our public (something we know you love) as the threats evolved and the definition of “strong” evolved with them. Until now, this translated into ever-more-complicated requirements resulting in a completely unmanageable stable of passwords for accessing your digital life. And maybe “stable” is the wrong word, since one of those requirements is that you change most of your passwords at varying intervals. It drives you crazy, it drives us crazy, and in the modern era the password doesn’t even do what it’s supposed to any more.

* Don’t open that email. Don’t click on that link. Don’t visit that website. Don’t …, don’t …, etc.

What is a password supposed to do, anyway?

My password is a little secret, shared only between me and some computer service, which is supposed to prove that I am who I claim to be.

That’s it.

I show up at some speakeasy on the internet and knock on the heavy steel door. The bouncer inside slides that little metal peep cover aside and says (in a 1920s Bronx accent), “Who’s dere?” “sthooker,” I say. “What’s the passwoid?” she asks. “******************,” I respond. (Clever, right?) And if that is in fact sthooker’s password, I’m in. And everybody inside thinks I’m sthooker. What could possibly go wrong?

Aye, there’s the rub.

Our little speakeasy analogy is slightly flawed: First, there’s no intelligent human bouncer who could recognize my appearance through that peephole or recognize my voice through the door. It’s more like I slip a punch card under the door containing “sthooker” and “******************” and a computer rather undramatically either opens the door or doesn’t. Also, the establishment is no longer a speakeasy; now it’s a Special Library containing every piece of information — academic, financial, personal, and health-related information pertaining to myself and anyone else — that I handle in my role at UVM.

And now we come to the problem with passwords: Anybody else with the same punch card can show up and enter the Special Library claiming to be me. And our bouncer can’t tell the difference.

Put another way: My password is reusable. This means that if someone captures my password — whether by infecting a device of mine with keystroke-logging malware or by tricking me into revealing it to them — they can use it over and over again, just like I can. That’s right: It doesn’t change often enough. (I know — we make you change your password once per year, and that’s too often.) But in order to effectively counter current threats, the password would need to change every time I used it.

That sounds like a lot of work. Besides: Who would pretend to be me?

Perhaps disappointingly, it’s probably not about you or me, per se. Our UVM NetIDs give us access to a number of Hot Commodities. Commodities like…

  • …private information about us, some of which could be used to fraudulently open financial accounts in our names (remember the Special Library?);
  • …the ability to see and change where our paychecks are deposited (if you work here; this includes student employees);
  • …some or all of our academic and research data;
  • …private information about other people (students under our tutelage, employees in our charge);
  • …a reputable spot on the US internet, which is useful if you’re a criminal operator attacking American networks or American businesspeople. (Yes, the Bad Guys frequently hijack UVM accounts just so they can turn around and victimize someone else, somewhere else.)

This is quite a potential trove, considering the relative ease of acquiring someone’s password.

So this is serious. How do we fix it?

Easy: We tell our bouncer to demand something else in addition to a password before she believes anything the person knocking on the door says.

Oh! Like “Security Questions”?

Not exactly. Security questions suffer the same weakness as passwords: They’re both something I know which does not change (often enough). What we really want is for our additional element of proof (called an authentication factor) to be something I have, or even something I am so that even if someone captures that Something I Know (the password), they can’t get in without having the Something I Have or being the Something I…well, me.

In implementing multi-factor authentication (MFA) we’ve increased the amount of work the Bad Guys need to do in order to access my Special Library: Perhaps they’ve already done some work (albeit only a little) to get that Something I Know, but now they have to either acquire the Something I Have or convincingly impersonate me*. These days, the Bad Guys are in business, and now it suddenly costs more to access my Special Library — especially considering many criminal gangs operating in this space seem to be based overseas. It may be cheap for them to send a few emails and phish my password, but it’s probably much more expensive to send someone to steal something from me (such as my smartphone). At this point, most run-of-the-mill Bad Guys move on to softer targets. This is not to say no one will ever expend significant effort to target you specifically, but the likelihood is lower (see ego-deflating “it’s not about you” commentary, above) and information security is a game of reducing or minimizing risk; we can very rarely eliminate risk entirely.

* We’re not talking about accents and disguises, here; they’d need to “impersonate me” in a way that computers care about — mostly high-contrast features of my person which sensors can pick up in either the visible or infrared spectra, e.g. the patterns of blood vessels in one of my hands or on one of my retinas. Read up on biometric authentication for more information.

Additionally: Recall that the main problem with the password all by itself is that it it reusable. It would be best if our second authentication factor took care of changing itself after each use. The Duo smartphone app does this for me. It’s something I have, and there are machinations behind the scenes which ensure each access token is usable only once. In other words, if someone somehow intercepts my password and my Duo access token as I’m using them, they can not use what they’ve captured over and over again to access the Special Library.

So I can ditch my password now and just use this other thing?

No, not yet. If we did that, someone with the means to steal (or even borrow) your phone could access your Special Library using only Duo Mobile. You want (at least) two factors working together.

Can’t I just do “Security Questions” instead?




So, this is it, right? Problem solved, right? No more annoying security things to do after this one?

Sadly, it’s not likely to be the great Eternal Security Silver Bullet everyone hopes for. (Nothing is.)

Multi-factor authentication improves our protections tremendously over the lowly (and lonely) password, and will probably be enough of a deterrent to drive cost-conscious Bad Guys away from you and UVM (for now) in search of easier pickings. But defending UVM’s community from these attacks mirrors any other parasite-host relationship: As we (the host) improve our defenses, the Bad Guys (the parasites) will improve their attacks. As a famous monarch once said, “Now, here, you see, it takes all the running you can do, to keep in the same place.

Is there anything else I need to do?

If you don’t already have a strong passcode or biometric (like the fingerprint readers on various Android devices or Apple’s TouchID) protecting your mobile device, now is the time. Additionally, Duo Mobile defaults to allowing anyone in possession of the device to approve login requests without unlocking that device: It would be prudent to disable that feature.

Finally: Be suspicious of any Duo request that shows up when you’re not expecting it. That could be a sign that someone, somewhere has captured your password and is trying to use it right now. Your last line of defense between that Evil-Doer and your Special Library is Duo Mobile’s red Deny button. If you Approve unexpected requests, you could be letting the Bad Guys in — and all this work was for naught.

ETS’s official documentation on multi-factor authentication is available at https://go.uvm.edu/mfa and https://go.uvm.edu/mfafaq.

If you have questions or concerns, email them to iso@uvm.edu.

Sam Hooker, for the Information Security Operations Team

Email – take it or leave it?

October is National Cyber Security Awareness Month. This is the first of four timely tips based on current hot topics at the university.

Email – take it or leave it?
Email is a useful tool for communication but is also the most popular way that problems can be easily brought into our University Community. Some quick tips to protect yourself, your data, and your reputation as well as that of the University are:

  • Be suspicious – Does it sound too good to be true? It is. Does it feel like you are being excessively pressured? You are. Does it sound weird, look weird, have grammar or spelling mistakes? It’s a fake.
  • Think About the Link – email links that go to strange places are the quickest way to get someone to go to an illegitimate site and mistakenly enter their credentials. Hover over the link (but don’t click) and see if it really goes to a uvm.edu site. Many times they don’t and should be reported as phish.
  • Attachments – were you expecting that email with a document from that person? Lots of bad software can come into our community through attachments. Your best bet is to not open or forward an attachment that you were not expecting.
  • Report it – think you just received a phish or scam? Report it by sending the message as an attachment to abuse@uvm.edu
  • Call – if you can’t tell whether a message is real or not, go for the low tech solution and call the sender by independently finding their phone number via their official website (don’t use the one that was sent in the email message!)

Hopefully tips like these will help you stay safe at home or work!

Ransomware Alert

A new form of malware is making its way to the University of Vermont: Ransomware is a particular form of malicious software which prevents you from accessing your own data.  Once the software has locked down any data to which you have access, it demands that you pay a ransom in order to have access restored.

To avoid ransomware and/or reduce its impact, take the same precautions you’re already taking to avoid malicious software attacks:

  • Make sure all critical files are backed up. If you use files.uvm.edu, data is already backed up for you. However, anything stored on your desktop or laptop hard drive, removable media, or other file services could be at risk and should be backed up before you suffer an attack.  If you are unsure about backups, check with your local IT person.
  • Slow down and scrutinize all email with attachments.  Are you expecting this particular email and this specific attachment? If in doubt, call the sender and ask.
  • Disable macros when opening Microsoft Office documents (Word, Excel, etc.). Most files will work without them. Seek help, otherwise.
  • If you receive an email from yourself with an attachment, and you do not recall sending the email, do not open the attachment. This trick has been a particular favorite in cases we have observed.

If you think you may be the victim of a ransomware attack, take the following steps:

  • Shut down your machine and disconnect from the network to limit the scope of damage.
  • Do not pay the ransom. There’s no guarantee that paying will get your data back.
  • Contact your local IT person. They will help you triage the problem and will escalate to the Information Security Operations Team as appropriate.

Enterprise Technology Services continues to update its safeguards against these attacks and others but the malware changes rapidly and can sometimes evade detection long enough to arrive in your Inbox. Your vigilance is our last line of defense against this kind of attack.

If you have questions or concerns, get in touch with the Information Security Operations Team at iso@uvm.edu.

Income Tax Fraud: How to Protect Yourself

Nationwide, many taxpayers have attempted to file their federal and state income tax returns, only to find out that criminals have already filed fraudulent returns and claimed refunds.  The Vermont Department of Taxes explains:  

Refund fraud occurs when a criminal uses stolen identification of a taxpayer, including Social Security Number, to create a phony return.  Often the criminal will use software to generate fraudulent returns in multiple states using the same stolen identification. Identity theft is a well-known problem, and can result from a data breach, scam, or loss of a wallet.

Last year, the IRS reported 875,000 cases of tax identity theft, and news reports indicate that fraud continues at a high rate this tax season.   UVM is aware of fewer than two dozen employees who have been victims of this type of fraud.  There are numerous potential sources of the personal information needed to file a tax return, and investigations into the cases reported by UVM employees, which are continuing, have not shown evidence of a compromise of UVM databases or information systems.  Stolen personal information, such as Social Security numbers stolen in widely reported corporate breaches, is readily available in underground marketplaces, and finding additional information such as employer EINs is facilitated by free online databases.  

How to Protect Yourself

If you’re notified by the IRS or a state tax department that someone has filed a fraudulent tax return in your name, take these steps to  resolve the issue and protect yourself: 

  • Follow the steps suggested by the IRS and the Vermont Department of Taxes, including: 
    • File a report with law enforcement (your local police department) 
    • File a complaint with the Federal Trade Commission 
    • Respond immediately to any IRS notice 
    • Complete IRS Form 14039, Identity Theft Affidavit 
    • Continue to pay your taxes and file your tax return, even if you must do so by paper 
    • Contact one of the three major credit bureaus to place a fraud alert on your credit records 
    • Notify UVM’s Information Security Operations Team at iso@uvm.edu, or UVM Police Services 
  • You may also want to: 
    • Contact your financial institutions, and close any accounts opened without your permission or tampered with
    • Check your Social Security Administration earnings statement annually 

If you’ve been notified by a company or organization that your personal information has been compromised, even if you’re not a victim of tax return fraud, follow the steps above with the exception of the IRS-specific items.  

Additional sources of information and guidance: 

Identity Theft (UVM Police Services)

Tax-Related Identity Theft (Federal Trade Commission)

What to Do if Someone Has Already Filed Taxes Using Your Social Security Number (Intuit) 

IRS Tackles Tax Identity Fraud (Wall Street Journal) 

IRS Struggles to Help Victims of Identity Fraud (Fiscal Times) 

Please contact the Information Security Operations Team at iso@uvm.edu with any questions, concerns, or suggestions.  

Skip to toolbar