Here are some best practices to follow to stay safe and secure, and avoid becoming the victim of the next phishing attack.
Best Practice #1 - Avoid phishing scams
If you receive an email that looks suspicious, here are some things to help you determine if the message is legitimate or spam:
- Examine suspicious messages from a computer: the condensed layout in mobile apps makes it very difficult to examine messages from your phone.
- Examine spelling and grammar: phishing emails typically have misspelled words and poor grammar.
- Do not click on suspicious links: Avoid clicking on links or attachments within emails unless you are certain of their authenticity. Hover over links to view the destination URL before clicking, as phishers often use deceptive links that appear genuine at first glance.
- Watch out for emails that make threats (e.g. "failure to upgrade your email account will lead to the closure of your email account"), ask for personal information like your password, or promise money!
- Report suspicious emails: When in doubt, just delete the message or forward it to the IT Help Desk (ithelpdesk@buffalostate.edu) for examination.
Best Practice #2 - Change your passwords periodically
If you believe that you were the victim of a phishing scam, you should change your password immediately! Doing so will prevent the criminals from accessing your account. Even if you weren't the victim of a phishing scam, it's a good idea to change your passwords periodically anyway, though this is less important when using very long (15+ character) passwords.
Best Practice #3 - Create secure passwords
Your Buffalo State Network password must be at least 15 characters long. The longer the password the better. Avoid creating passwords that have information that can be associated with you in some way (e.g. names of pets, names of children, social security numbers). Try using a pass phrase instead of a password (e.g. "ILoveBostonCreamDonuts").
Best Practice #4 - Don't use the same password for everything
Many people use the same password for everything, which is extremely insecure. Think about it - if a hacker obtains your Buffalo State password, they won't just try and access your Buffalo State accounts. They'll also try to use these same credentials to access more lucrative sites, like an online bank account or a shopping website that might have your credit card information stored. By using different passwords for different sites, you limit the hacker to only "unlocking one door" if a password is stolen, rather than "unlocking all the doors."
Best Practice #5 - Don't use your Buffalo State email address to register for outside services
We recommend against using your Buffalo State email address to sign-up for outside services such as shopping or social media accounts. In rare cases, a service may require a .edu email address to qualify for a service – if you do use your Buffalo State email address for any outside services, do NOT also use your campus password.
Best Practice #6 – Use an Authentication App
We strongly recommend using an authentication app as your primary verification method for multi-factor authentication. Microsoft Authenticator is the app that is officially supported by Buffalo State. In addition to using the app, you should set up at least one backup verification method (e.g. text or call to your phone). In addition to pairing your Buffalo State account, you can also use an authentication app, like Microsoft Authenticator, to set up other non-Buffalo State accounts that require two-step verification (e.g. your bank account). Depending on your device you can also set it up to require biometric authorization (e.g. finger print, facial scan). See Set up the Microsoft Authenticator app for network logins to get started. It's also possible to use other authentication apps like Google Authenticator, which may have similar functionality, but beware of ones that you are not familiar with or ones that aren't from reputable sources.
With all Multi-Factor Authentication options, only confirm a sign-in if you're currently trying to sign in, and never provide a single-use sign-in code to anyone else if they ask for it.