Educational institutions across the United States have been victims of thousands of data breaches since 2005, leaking more than 37 million records, according to a 2024 report by Comparitech. According to that report, 60% of these attacks occurred at colleges or universities.
Another 2024 study completed by US News reported that 61% of US adults have had personal information leaked through a data breach, while 44% said their personal information has been hacked multiple times.
BYU illustration major Grace Triplett, a graphic designer for BYU’s Office of Information Technology, expressed her frustration at watching people be manipulated online by scams.
“I’ve had family members that have fallen victim to phishing scams before,” Triplett said. “I want to make sure that other people don’t have that situation happen again and make sure that people are well educated on this subject and can protect themselves.”
The Church Education System Security Operations Center contains several resources and tips for students and employees to protect their personal information from possible hackers.
Creating safe passwords
Brian Anderson, training and communications manager at the BYU Office of Information Technology, recommended having different passwords for each account.
“Don’t make your password for your school sign-on the same as your bank, or socials, or any other account,” Anderson said. “If someone discovers your password to one, they’ll have access to everything with the same password.”
Anderson also recommended using a passphrase as a longer, memorable password. To create a passphrase that will be difficult for a hacker to crack, an individual should take three to four unrelated words, combine them and add numbers and special characters.
Anderson said password managers can help to store passwords. All an individual would need to remember is the master password for the manager.
According to the CES Security Operations Center, weak passwords put an individual at a greater risk of being hacked. Passwords should be around 16-20 characters and include uppercase and lowercase letters, numbers and symbols. These passwords should not include personal information or easy-to-guess combinations such as 1234.
Individuals can use Random-ize to check how long it may take a hacker to hack a password.
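The password guidance above can be turned into an automated check. The following is an added example, not code from the article or from CES; the function names, the reading of "around 16-20 characters" as a minimum of 16, and the sample passwords are assumptions made for illustration.

```python
import string

MIN_LENGTH = 16   # article: "around 16-20 characters"; treated here as a minimum
RUN_LENGTH = 4    # "1234" is a run of four neighbouring characters


def has_easy_run(password, run=RUN_LENGTH):
    """True if `run` letters/digits in a row ascend, descend or repeat
    (1234, 4321, abcd, aaaa)."""
    lowered = password.lower()
    for i in range(len(lowered) - run + 1):
        window = lowered[i:i + run]
        if not window.isalnum():
            continue
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def check_password(password, personal_info=()):
    """Return the guidance items a password fails; an empty list passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 16 characters")
    classes = {
        "uppercase letter": string.ascii_uppercase,
        "lowercase letter": string.ascii_lowercase,
        "number": string.digits,
        "symbol": string.punctuation,
    }
    for name, chars in classes.items():
        if not any(c in chars for c in password):
            problems.append(f"no {name}")
    if has_easy_run(password):
        problems.append("easy-to-guess run such as 1234")
    lowered = password.lower()
    if any(len(p) >= 3 and p.lower() in lowered for p in personal_info):
        problems.append("contains personal information")
    return problems


# Constructed sample passwords, not taken from the article.
if __name__ == "__main__":
    for pw in ("Summer1234", "Cactus7!Violin-Harbor42"):
        print(pw, check_password(pw, personal_info=["jordan", "2003"]))
```

A passphrase built from unrelated words with numbers and symbols passes every check, while a short word followed by 1234 fails three of them.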
Handling phishing attempts
Phishing, according to CES Information Security, refers to the ways in which a scammer or hacker tries to steal personal information such as passwords, financial data, medical or government records, student/employee IDs and social security numbers. Hackers may use fake emails or websites that could encourage an individual to give up personal information. If the hacker succeeds, the hacked individual could lose finances, have their data compromised or their identity stolen.
CES Information Security recommended ten steps for students who receive an unsolicited message:
- Take a moment of caution before responding.
- Note if there seems to be anything out of the ordinary. Professional businesses avoid grammatical or spelling errors in their emails, so emails with grammar or logo/branding mistakes may be phishing.
- Messages that create a sense of urgency may be dangerous, such as ones that cause an individual to act before a sale ends or an account closes.
- Even if an email seems like it is coming from a trustworthy organization such as a bank or government institution, be cautious of messages that ask for personal information urgently.
- Check URLs for unusual spelling or long domains. You can view the real URL that you are clicking by hovering over the link on a laptop or computer or by pressing and holding the link on a mobile device.
- Does the email address of the sender match the organization? Misspellings or extra characters in the address may signal suspicious activity.
- Has the sender provided additional contact information such as a phone number or address? Research the source before responding.
- Do not reply to suspicious emails.
- Ask a person directly about the email through a different form of communication to confirm that the email is really from that organization.
- Report any suspicious emails to phishing@byu.edu.
Further information about these ten steps and steps for how to report suspicious emails can be found on the CES Information Security website.
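The URL and sender-address steps in the list above can be automated for mail that claims to come from a known organization. This is an added example, not code from the article or from CES; the domain `university.example`, the function names and the two-character threshold for a misspelling are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, trusted):
    """Compare a domain with the organization's real one.
    Returns 'match', 'lookalike' or 'unrelated'."""
    domain, trusted = domain.lower().rstrip("."), trusted.lower()
    if domain == trusted or domain.endswith("." + trusted):
        return "match"
    # Real name buried inside a longer domain ("long domains" in the list).
    if trusted in domain:
        return "lookalike"
    # One or two changed characters: misspellings or extra characters.
    if edit_distance(domain, trusted) <= 2:
        return "lookalike"
    return "unrelated"


def check_message(sender, links, trusted):
    """Return warnings for a message that claims to come from `trusted`."""
    warnings = []
    sender_domain = sender.rsplit("@", 1)[-1]
    verdict = classify_domain(sender_domain, trusted)
    if verdict != "match":
        warnings.append(f"sender domain {sender_domain} is {verdict}")
    for url in links:
        host = urlsplit(url).hostname or ""
        verdict = classify_domain(host, trusted)
        if verdict != "match":
            warnings.append(f"link host {host} is {verdict}")
    return warnings


# Constructed sample message using reserved .example/.test domains.
SAMPLE_SENDER = "helpdesk@universlty.example"
SAMPLE_LINKS = ["https://university.example.login-check.test/reset",
                "https://www.university.example/help"]
```

A short trusted domain has many legitimate neighbours within two characters, so a "lookalike" verdict is a prompt to verify through another channel, not proof of phishing.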
“Don’t click on anything. Don’t click on links, don’t click on emails. If something even seems vaguely suspicious, don’t interact with it and immediately report it to BYU phishing,” Triplett said. “Even if you open up the email, that can sometimes be dangerous even if you’re not clicking on anything within the email.”
If a suspicious email seems to have been sent by a personal acquaintance, Triplett also recommended texting, talking in person or using another form of communication to confirm that the email was actually sent by that person.
Anderson suggested students and employees of CES campuses check out the CES Information Security website. He said the site was completely produced by student employees at the Office of Information Technology.
“Our goal is to make the important topics of cyber security educational and enjoyable,” Anderson said. “We hope the videos, articles, and tips will help make keeping ourselves protected fun and engaging.”
Triplett has created graphics, written articles and made videos for the CES Information Security website, focusing on phishing and tips to keep oneself safe online.
“The world is kind of out to get you,” she said. “We just want to make sure everybody is aware of that and knows how to protect themselves.”
Other security incidents can be reported by contacting the Security Operations Center at cessoc@byu.edu, 801-422-7788 or through the Technology Support Portal.