
Major Vulnerability in Microsoft Products (Zero Day)

April 2022

The Office of Information Technology (OIT) has become aware of zero-day vulnerabilities impacting multiple Microsoft (Windows Operating System) Products. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information. More information can be found here and here.

What do I need to do? 

OIT is automatically applying these critical updates to all College computers, including desktops and laptops. OIT recommends that College Community users take a few minutes to restart their college computers to ensure that the needed updates have been applied successfully. 

To check manually for updates, select Start -> Settings -> Update & Security -> Windows Update -> Check for updates (or Install now).

OIT also recommends that College Community users apply these updates to their personal Microsoft Product(s) including their Windows Computers, Windows Phones, Surface Tablets, and other Windows computing devices as soon as possible.  

To update Microsoft devices, please follow the steps listed below: 

Multiple Vulnerabilities in Apple Products

April 2022

Dear College Community,

Security Vulnerability

The Office of Information Technology (OIT) has become aware of security vulnerabilities impacting multiple Apple Products. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.

What do I need to do? 

Apple has released security updates to address these vulnerabilities. OIT recommends that College Community users apply these updates to their Apple Product(s) including personal computers, phones, tablets, and other computing devices as soon as possible. To update Apple devices, please follow the steps below: 

 

Safety Tips (Office of Campus Safety)

March 2022

As everyone is aware, crime in our area, particularly within our mass transit systems, has become a growing concern to many.  The Department of Campus Safety offers the following tips to help keep you safe:

  - Be aware of your surroundings at all times, especially if using an electronic device. Use well populated and well-lit streets. When walking in desolate areas or at off hours, do so in groups. If you suspect that you are being followed, stay away from deserted blocks and move towards areas where there are people or enter the nearest open store.
  - If going out with a friend(s), stick together and do not leave anyone by themselves, particularly in bars and clubs.
  - Remember that cellphones and electronic devices are prime targets for thieves.
  - Refrain from wearing headphones on the subway or bus.
  - Never carry your wallet in your rear pants pocket or in the outer compartment of your backpack.
  - Cover jewelry, turn stone rings toward the palm side of your hand.
  - Sit away from the subway car door to avoid a purse or chain snatch.
  - Use only subway entrances marked by a green indicator light, where there is a clerk present 24 hours a day.
  - Have your money or metro card available ahead of time.
  - Use marked and designated waiting areas in subway stations during off peak hours.
  - Ride in the conductor's car during off peak hours.
  - Stand back from the edge of the platform and wait close to the wall if available.
  - Sit near the front of the bus.

 
Thank you for your attention.

Office of Campus Safety

Alert – Risk of Cyber Attacks (Russia cyber warfare)

March 2022

The Office of Information Technology (OIT) is closely monitoring the situation unfolding in Ukraine. U.S. government and security professionals are urging Americans to take steps to protect themselves from a higher risk of Russian cyberattacks following the invasion of Ukraine.

The U.S. Cybersecurity & Infrastructure Security Agency, which is part of the U.S. Department of Homeland Security, has issued a warning to businesses that says they should be prepared to defend against cyberattacks originating from Russia. “Every organization—large and small—must be prepared to respond to disruptive cyber activity,” the agency says in its warning.

To keep Mercy faculty, staff, students, and data secure and protected, OIT advises the College Community to stay on alert and offers the following Cyber Hygiene recommendations:

•    Turn on multifactor authentication (MFA): Use multifactor authentication on all your accounts, including email, social media, shopping, and financial services, for extra protection. To turn on MFA on personal accounts, please see the following links:
o    Google 
o    Apple
o    Microsoft
o    Amazon
o    Yahoo Email
o    Facebook, Instagram, WhatsApp
•    Update everything, including software: Update antivirus and malware software, operating systems and applications, especially web browsers, on all devices including mobile phones, tablets, desktop computers and laptops. Turn on automatic updates.
•    Think before you click: Before clicking on links or attachments or downloading files, take a beat. Most cyberattacks start with a phishing email, which looks legitimate but isn’t and can be used to steal your passwords, Social Security number, credit card numbers and other sensitive information or to run malicious software known as malware. 
•    Use strong, unique passwords: Protect all your account credentials including username and password. Use strong passwords and don't reuse them. It is best to subscribe to a password manager to generate and store unique passwords. 
•    Don’t believe everything online: “All sides in any conflict will also be working to use information streams to their advantage. People should be very cautious about the information they share,” said Jessica Beyer, principal research scientist and lecturer at the University of Washington.

For more information (and Cyber Security Tips & Tricks), please visit Mercy’s Information Security Resource Center at https://www.mercy.edu/information-technology/information-security

As a reminder: See Something, Say Something! Often your sharp eyes, ears and minds are our best defense. If you see something suspicious, please immediately report it to the OIT Helpdesk by emailing helpdesk@mercy.edu or calling 914-674-7526.

Cybercriminals Tampering with QR Codes to Steal Victim Funds

January 2022

Dear Mercy Students, Faculty, and Staff:

Please see below for a Public Service Announcement from Mercy College and the FBI:

Cybercriminals Tampering with QR Codes to Steal Victim Funds

The FBI is issuing this announcement to raise awareness of malicious Quick Response (QR) codes. Cybercriminals are tampering with QR codes to redirect victims to malicious sites that steal login and financial information.

A QR code is a square barcode that a smartphone camera can scan and read to provide quick access to a website, to prompt the download of an application, and to direct payment to an intended recipient. Businesses use QR codes legitimately to provide convenient contactless access and have used them more frequently during the COVID-19 pandemic. However, cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim's device, and redirecting payment for cybercriminal use.

Cybercriminals tamper with both digital and physical QR codes to replace legitimate codes with malicious codes. A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information. Access to this victim information gives the cybercriminal the ability to potentially steal funds through victim accounts.

Malicious QR codes may also contain embedded malware, allowing a criminal to gain access to the victim's mobile device and steal the victim's location as well as personal and financial information. The cybercriminal can leverage the stolen financial information to withdraw funds from victim accounts.

Businesses and individuals also use QR codes to facilitate payment. A business provides customers with a QR code directing them to a site where they can complete a payment transaction. However, a cybercriminal can replace the intended code with a tampered QR code and redirect the sender's payment for cybercriminal use.

While QR codes are not malicious in nature, it is important to practice caution when entering financial information as well as providing payment through a site navigated to through a QR code. Law enforcement cannot guarantee the recovery of lost funds after transfer.

TIPS TO PROTECT YOURSELF:

  • Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
  • Practice caution when entering login, personal, or financial information from a site navigated to from a QR code.
  • If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.
  • Do not download an app from a QR code. Use your phone's app store for a safer download.
  • If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company's phone number through a trusted site rather than a number provided in the email.
  • Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
  • If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
  • Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.

If you believe you have been a victim of stolen funds from a tampered QR code, report the fraud to your local FBI field office at www.fbi.gov/contact-us/field-offices. The FBI also encourages victims to report fraudulent or suspicious activities to the FBI Internet Crime Complaint Center at www.ic3.gov.
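
The first tip above (check that the scanned URL is the intended site, since a malicious domain may differ only by a typo or a misplaced letter) can also be automated. The following is an added example, not part of the FBI announcement or of Mercy's tooling; the trusted list, the function names and the one-edit threshold are assumptions, and the sample URLs used to exercise it are constructed.

```python
from urllib.parse import urlsplit

# Assumption for this example: the sites the user actually intends to reach.
TRUSTED_DOMAINS = {"mercy.edu", "ic3.gov", "fbi.gov"}
MAX_EDITS = 1  # one typo or one swapped pair of letters


def edit_distance(a, b):
    """Optimal-string-alignment distance: insertions, deletions,
    substitutions and swaps of two adjacent letters each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1,                # delete from a
                       cur[j - 1] + 1,             # insert into a
                       prev[j - 1] + (ca != cb))   # substitute / match
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent swap
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_qr_url(url):
    """Return (verdict, detail) for a URL decoded from a QR code.

    verdict is one of:
      "trusted"   - https and the domain is on the trusted list
      "lookalike" - domain is within MAX_EDITS of a trusted domain
      "unknown"   - https, but not on the list and not a near miss
      "reject"    - not https, or no host at all
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https" or not host:
        return "reject", "not an https URL with a host"

    # Simplification: treat the last two labels as the registrable domain.
    # This holds for .edu/.gov/.com but not for suffixes such as .co.uk.
    domain = ".".join(host.split(".")[-2:])
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain

    for good in sorted(TRUSTED_DOMAINS):
        if edit_distance(domain, good) <= MAX_EDITS:
            return "lookalike", good
    return "unknown", domain


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("https://www.ic3.gov/",
                   "https://mrecy.edu/pay",
                   "http://www.mercy.edu/",
                   "https://example.org/menu"):
        print(sample, "->", classify_qr_url(sample))
```

A "lookalike" or "reject" verdict corresponds to the cases the tips say to treat with caution; "unknown" still requires the manual check described above.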

Avoiding Holiday Scams

November 2021

Dear Mercy Students, Faculty, and Staff:

Please see below for a Public Service Announcement from Mercy College and the FBI:

Holiday Scams: 

When shopping online during the holiday season—or any time of year—always be wary of deals that seem too good to be true. Do your part to avoid becoming a scammer’s next victim.

Every year, thousands of people become victims of holiday scams. Scammers can rob you of hard-earned money, personal information, and, at the very least, a festive mood.

The two most prevalent of these holiday scams are non-delivery and non-payment crimes. In a non-delivery scam, a buyer pays for goods or services they find online, but those items are never received. Conversely, a non-payment scam involves goods or services being shipped, but the seller is never paid.

According to the Internet Crime Complaint Center’s (IC3) 2020 report, non-payment or non-delivery scams cost people more than $265 million. Credit card fraud accounted for another $129 million in losses.

Similar scams to beware of this time of year are auction fraud, where a product is misrepresented on an auction site, and gift card fraud, when a seller asks you to pay with a pre-paid card.

If You’ve Been Scammed 

  • Call your credit card company or your bank. Dispute any suspicious charges.
  • Contact local law enforcement.
  • Report the scam to the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov.

Tips to Avoid Holiday Scams 

Whether you’re the buyer or the seller, there are a number of ways you can protect yourself—and your wallet.

Practice good cybersecurity hygiene. 

  • Don’t click any suspicious links or attachments in emails, on websites, or on social media. Phishing scams and similar crimes get you to click on links and give up personal information like your name, password, and bank account number. In some cases, you may unknowingly download malware to your device. 
  • Be especially wary if a company asks you to update your password or account information. Look up the company’s phone number on your own and call the company.

Know who you’re buying from or selling to.

  • Check each website’s URL to make sure it’s legitimate and secure. A site you’re buying from should have https in the web address. If it doesn’t, don’t enter your information on that site.  
  • If you’re purchasing from a company for the first time, do your research and check reviews.
  • Verify the legitimacy of a buyer or seller before moving forward with a purchase. If you’re using an online marketplace or auction website, check their feedback rating. Be wary of buyers and sellers with mostly unfavorable feedback ratings or no ratings at all.
  • Avoid sellers who act as authorized dealers or factory representatives of popular items in countries where there would be no such deals.
  • Be wary of sellers who post an auction or advertisement as if they reside in the U.S., then respond to questions by stating they are out of the country on business, family emergency, or similar reasons.
  • Avoid buyers who request their purchase be shipped using a certain method to avoid customs or taxes inside another country.

Be careful how you pay.

  • Never wire money directly to a seller. 
  • Avoid paying for items with pre-paid gift cards. In these scams, a seller will ask you to send them a gift card number and PIN. Instead of using that gift card for your payment, the scammer will steal the funds, and you’ll never receive your item. 
  • Use a credit card when shopping online and check your statement regularly. If you see a suspicious transaction, contact your credit card company to dispute the charge.

Monitor the shipping process.

  • Always get tracking numbers for items you buy online, so you can make sure they have been shipped and can follow the delivery process.
  • Be suspect of any credit card purchases where the address of the cardholder does not match the shipping address when you are selling. Always receive the cardholder’s authorization before shipping any products.

As a reminder: See Something, Say Something! Often your sharp eyes, ears and minds are our best defense. If you see something suspicious, please immediately report it to Campus Safety by emailing safety@mercy.edu or the OIT Helpdesk by emailing helpdesk@mercy.edu or by calling 914-674-7526.

And remember: If it seems too good to be true, it probably is.  Enjoy the Holidays!

 

Konrad Motyka

Mercy College

Executive Director for Campus Safety &

Emergency Management

Multiple Vulnerabilities in Apple Products

September 2021

Security Vulnerability
The Office of Information Technology (OIT) has become aware of security vulnerabilities impacting multiple Apple Products. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information. 

What do I need to do? 
Apple has released security updates to address these vulnerabilities. OIT recommends that College Community users apply these updates to their Apple Product(s) including personal computers, phones, tablets, and other computing devices as soon as possible. To update Apple devices, please follow the steps below: 
•    Update the software on your Mac - Click here 
•    Update your iPhone, iPad, or iPod touch - Click here 
•    Update your Apple Watch - Click here
•    Update your Apple TV - Click here
•    Update your Windows iTunes – Click here

Alert – Major Vulnerability in Apple Products

September 2021

The Office of Information Technology Services has become aware of multiple vulnerabilities impacting multiple Apple Products. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information. More information can be found here.

Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for remote code execution. 
 

  • Safari is a graphical web browser developed by Apple, based on the WebKit engine.
  • watchOS is the mobile operating system for Apple Watch and is based on the iOS operating system.
  • iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch.
  • iPadOS is the successor to iOS 12 and is a mobile operating system for iPads.
  • macOS Big Sur is the 17th and current major release of macOS.
  • macOS Catalina is the 16th major release of macOS.
  • macOS Mojave is the 15th major release of macOS.

What do I need to do? 

Apple has released security updates to address these vulnerabilities in multiple products. An attacker could exploit these vulnerabilities to take control of an affected system. OIT recommends that College Community users apply these updates to their Apple Product(s) including their personal computers, phones, tablets and other computing devices as soon as possible.  

To update Apple devices, please follow the steps listed below: 

 

Major Vulnerability in Microsoft Products (Zero Day)

July 2021

The Office of Information Technology (OIT) has become aware of zero-day vulnerabilities impacting multiple Microsoft (Windows Operating System) Products. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information. More information can be found here and here.

What do I need to do? 

OIT is automatically applying these critical updates to all College computers, including desktops and laptops. OIT recommends that College Community users take a few minutes to restart their college computers to ensure that the needed updates have been applied successfully. 

To check manually for updates, select Start -> Settings -> Update & Security -> Windows Update -> Check for updates (or Install now).

OIT also recommends that College Community users apply these updates to their personal Microsoft Product(s) including their Windows Computers, Windows Phones, Surface Tablets, and other Windows computing devices as soon as possible.  

To update Microsoft devices, please follow the steps listed below: 

Fraudulent Unemployment Claims

RE: Fraudulent Unemployment Claims

The Office of Human Resources has become aware of a surge in fraudulent unemployment claims.

  • Please see notification from IRS click here.
  • New York State Police also warned of an uptick in fraudulent claims, click here and click here.
  • Criminals are using stolen identities, likely stolen from previous breaches and systems.

We recommend college community members remain vigilant and use due diligence when browsing third-party sites, banks, financial institutions, and others.

  • Change password(s) for any personal and financial account(s) and monitor them closely for any suspicious activity. Password guidelines click here
  • Follow Information Security Tips on our website click here
  • Cyber Security Tips to Protect Privacy click here
  • Cyber Security Tips to Protect from Phishing click here

In addition, community members may want to do the following:

  • Place a free fraud alert on accounts with the three credit bureaus (Experian, TransUnion, and Equifax) click here
  • Getting a free credit report click here
  • Report any suspected identity theft to the FTC click here
  • File a report with their local police department if they think they have been a target of identity theft

If you receive a notice of a fraudulent unemployment claim from the NYS DOL (Department of Labor), please visit the DOL website to report the fraudulent activity click here and FTC website click here. Please reach out to Human Resources hr@mercy.edu for any assistance.

 

Fraudsters Impersonating UNICEF Use Spoofed Emails & Fraudulent Checks to Defraud U.S. College Students for Financial Gain

The Department of Campus Safety and Office of Information Technology have been made aware of the following Alert:

References in this Academia product to any specific commercial product, process or service or the use of any corporate name herein is for informational purposes only and does not constitute an endorsement, recommendation, or disparagement of that product, process, service or corporation on behalf of the FBI. 

The FBI Miami, Tampa, and Jacksonville Field Offices, in coordination with the FBI Office of the Private Sector (OPS), prepared this Liaison Information Report to inform the education facilities sector of spoofed emails and fraudulent checks being employed by individuals impersonating employees of the United Nations International Children’s Emergency Fund (UNICEF) to defraud U.S. college students for financial gain. Recent reporting from the FBI’s Internet Crime Complaint Center (IC3) indicates fraudsters posing as UNICEF employees used a variety of tactics to obtain personally identifiable information (PII) from U.S. college students and, when successful, defrauded students of an average of $3,000 each.

In most of these schemes, fraudsters sent an email to the student’s college email address, with the sender’s address typically appearing to originate from another student at their college, concerning an internship or part-time employment position with UNICEF. The fraudsters usually mailed checks with United States Postal Service (USPS) tracking to the students, containing their first paycheck and additional funds allegedly intended to purchase items for foster homes or orphanages on behalf of UNICEF.  After the students deposited the checks into a personal banking account, the fraudsters directed the students to purchase cryptocurrency or gift cards, or to otherwise transfer the funds to another financial account. Financial institutions later determined the checks to be fraudulent. Examples of these schemes impacting Florida college students included, but were not limited to, the following: 

•    In March 2021, a Florida college student received an email to their student email address regarding an internship opportunity with UNICEF to work from home, allegedly to purchase items for foster homes. Per the email’s instructions, the victim contacted a “director” who asked for personal information including the victim’s name, home address, and telephone number. About two weeks later, the victim received a cashier’s check which the victim believed was intended to purchase items for foster children. A day after depositing the check, the “director” instructed the victim via text message to purchase and then transfer bitcoins, as well as transfer $500 from a cash app, to other accounts. The victim’s financial institution indicated the check was more than likely fraudulent.

•    In March 2021, a Florida college student received an email to their student email address regarding a part-time job opportunity with UNICEF. The victim completed an application providing personal information including their social security number. Two weeks later, the victim received an email from a “supervisor” with a job offer and information advising the victim that they would begin receiving assignments shortly. The victim subsequently received a text message providing a USPS tracking number to track a package containing a check that allegedly was sent by the agency. The “supervisor” instructed the victim to deposit the check into a personal bank account and then to purchase six $500 gift cards. After each purchase, the “supervisor” asked the victim to take photographs of the receipt and gift card and send them to the “supervisor.” The victim later learned the check was fraudulent, after the gift cards had been redeemed. 

•    In March 2021, a Florida college student received an email from an alleged student regarding a professor who was seeking students who wanted to earn extra money working with UNICEF. The student contacted the “professor” via email and the two began corresponding about the job position. The “professor” then sent a text message to the student, advising a check was en-route and providing a USPS tracking number. While the student was waiting for the check to clear, the “professor” asked the student to wire the funds to the manager of a foster home. After the student had wired the funds, the student’s financial institution determined the check had been altered or was fictitious.

•    In December 2020, a Florida college student received an email from an alleged student attending the same college, regarding a part-time, remote position with UNICEF during the COVID-19 pandemic. The email instructed the student to contact another email address for more information. After contacting the indicated email address, the student received an application via an online Google Docs form. The application contained a job description and requested personal information including the student’s name, telephone number, and email address. The student then received a “welcome aboard” letter with the telephone number of a “contact supervisor.” The “supervisor” reached out to the student regarding a check that had been sent. Once the student received the check, the “supervisor” then sent instructions regarding which cards the student should purchase and to which addresses the student should send the cards.

Indicators 
The following indicators may assist in identifying related suspicious activities. These suspicious activities include but are not limited to any individual, group, or activity and should be observed in context and not individually. 

•    Unsolicited emails containing grammatical and spelling errors, requesting PII, or originating from domains that are not organization specific. A best practice would be to verify the authenticity of email addresses by contacting organizations through their official websites.

This Academia Product was disseminated from OPS’s Information Sharing and Analysis Unit. Direct any requests and questions to your FBI Private Sector Coordinator at your local FBI Field Office:  https://www.fbi.gov/contact-us/field-offices 

Alert – Major Vulnerability in Apple Products (Zero Day)

Security Vulnerability
The Office of Information Technology Services has become aware of multiple zero-day vulnerabilities impacting multiple Apple Products - known as CVE-2021-1782, CVE-2021-1870 & CVE-2021-1871. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information. More information can be found here.

For more details on these vulnerabilities, please visit the Apple Security pages for the following products:
•    Xcode 12.4
•    iCloud for Windows 12.0
•    iOS 14.4 and iPadOS 14.4
•    tvOS 14.4
•    watchOS 7.3
What is a “Zero-Day” Vulnerability? 
A zero-day (also known as 0-day) vulnerability is a computer-software vulnerability that is unknown to those who should be interested in mitigating the vulnerability (including the vendor of the target software). Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network. An exploit directed at a zero-day is called a zero-day exploit, or zero-day attack.

What do I need to do? 
Apple has released security updates to address these vulnerabilities in multiple products. An attacker could exploit these vulnerabilities to take control of an affected system. OIT recommends that College Community users apply these updates to their Apple Product(s) including their personal computers, phones, tablets and other computing devices as soon as possible.  

To update Apple devices, please follow the steps listed below: 
•    Update the software on your Mac - Click here 
•    Update your iPhone, iPad, or iPod touch - Click here 
•    Update your Apple Watch - Click here
•    Update your Apple TV - Click here