• IT@UC Knowledge Base

 Compromised Email Guide

 Instructions for what to do if you believe your University email account has been compromised.

Compromised email accounts are on the rise every day. Most email account holders do not know that their email accounts have been compromised until it is too late. This article will present some signs that your email account has been compromised, and information on how to avoid compromising your email account.
 

Phishing Attempts
Phishing attempts are the most common ways that a user’s account can become compromised. Typically, these attempts will stem from other users whose accounts have been compromised. Most attempts will notify the receiver of something important that requires immediate action, for instance that either their password is out of date, or that their mailbox quota has been exceeded.

 

 

Consider the following when you receive such notices:

1.      Check the sender address. If these messages do not appear to come from the IT@UC Helpdesk, or Enterprise Collaboration Services, then you should disregard the request, and immediately send it to abuse@uc.edu.

2.      Check the link. Sometimes it is possible for the sender to attempt to forge the header information to make it appear that it is coming from a specific sender address (i.e. Helpdesk). These attempts will usually provide you a URL to “login” to a form. What you are actually doing is handing off your credentials to a document store to be used later in order to access your account. When using Outlook Web Access, you can check the URL for its validity as a hyperlink from UC’s domain by right clicking on it in your browser, and selecting Inspect Element.

 

3.      You will see HTML code for the URL provided. In this case, you can see that the URL points to a cyber-criminal’s address.

 


I provided my credentials to a form like the example above – what should I do?
If for any reason, you unintentionally provided your username or password to a phishing attempt you should take the following action(s):

A.      For Students using Office 365:

1.      Log into Password Self Service at https://www.uc.edu/pss and change your password immediately using the Forgotten Password option. If you have trouble doing so, please contact the IT@UC Helpdesk at (513)556-4357.
NOTEIf you use the same credentials for online banking and other websites, we strongly suggest that you update your credentials on these websites as well.

2.      After changing your password, log into your email account, then:

o   Click the Gear icon in the upper right hand corner

o   Under Your app settings, click Mail

  


3.      Check Account Forwarding

o   Under Accounts in the left navigation, click the Forwarding link. 

o   Check your email account for any forwarding to email accounts that do not belong to you.

o   If there is an account present that does not belong to you, remove the address from this field, select Stop Forwarding, and save your options.

 


4.      Check Forwarding Rules

o   Under Automatic Processing in the left navigation, click the Inbox and sweep rules link.

o   Check for any forwarding rules that have been set up on the account.

o   If there are rules present that you are uncertain that you set up, or if there are rules re-directing to an external email account that does not belong to you, remove these rules and save your options.




5.      Check your Signature

o   Under Layout in the left navigation, click the Email signature link.

o   Check for any information that may appear to have not been added by you. Some intruders create an email signature on your account, so that every time you send an email, a URL is provided for a user to click on.

o   If you find any signature information that should not be in this field, remove it and save the changes.




6.      Check Deleted Items

o   Return to your Inbox

o   Right click on the Deleted Items folder in the left navigation, then select Recover deleted items… Here you will be able to restore items that may have been deleted by the intruder, or messages that are removed from the server by a POP/IMAP client.




B.      For Exchange Users:

1.      Log into Password Self Service at https://www.uc.edu/pss and change your password immediately using the Forgotten Password option. If you have trouble doing so, please contact the IT@UC Helpdesk at (513)556-4357.
NOTEIf you use the same credentials for online banking and other websites, we strongly suggest that you update your credentials on these websites as well.

2.      After changing your password, log into your Exchange email account at https://www.ucmail.uc.edu

3.      Click the Options link in the upper right hand corner, then click See All Options.




4.      Check Inbox Rules

o   In the left navigation, click Organize Email

o   In the top navigation, click Inbox Rules

o   Check for any forwarding rules that have been set up on the account.

o   If there are rules present that you are uncertain that you set up, or if there are rules re-directing to an external email account that does not belong to you, remove these rules.



5.      Check your Signature

o   In the left navigation, click the Settings link.

o   In the top navigation, click the Mail link.

o   Check for any information that may appear to have not been added by you. Some intruders create an email signature on your account so that every time you send an email, a URL is provided for a user to click.

o   If you find any signature information that should not be in this field, remove it and save the changes.



6.      Check Deleted Items

o   Click on the Mail link in the upper left hand corner to return to your Inbox.

o   Right click on the Deleted Items folder in the left navigation, then select Recover deleted items… Here you will be able to restore items that may have been deleted by the intruder, or messages that are removed from the server by a POP/IMAP client.


Page Content

Rate this article - 1 to 5 Stars
Note: you must be signed in to use this feature