2-Step Verification

This week’s topic is 2-Step Verification.

The Tip

It’s easier than you think for someone to steal your password

Any of these common actions could put you at risk of having your password stolen:

  • Using the same password on more than one site
  • Downloading software from the Internet
  • Clicking on links in email messages

2-Step Verification can help keep bad guys out, even if they have your password.

As an added bonus, get a free coffee on UTS when you enable 2-Step Verification. Be fast, supplies of UTS Tim Cards are limited.

The Detail

If you don’t have it set up, take the next few minutes to add one of the best defences against unauthorized email access. It’s easier than you think:

Note: This feature requires you to use your mobile phone in order to receive codes via text, voice or app.

Passwords vs Passphrases

Welcome to the first in what we hope to make a weekly series of CyberSecurity tips. This week’s topic is Passwords and Passphrases.

The condensed version is, “passwords are bad, passphrases are better”. This is a ‘b@dPas3Word!’. ‘This is a mediocre passphrase’. ‘Good Passphr@se th1s is’.

The longer version below is taken directly from https://www.passworddragon.com/password-vs-passphrase. In a nutshell, don’t use movie titles or famous quotes for passphrases. Random groupings of words are better. To craft the best passphrases, make sure they:

  • contain at least 3 of the following: Number, Special Character, Uppercase letter, Lowercase letter
  • are at least 9 characters or longer (the longer the better)
  • include spaces
  • are changed bi-annually
  • do not recycle passwords and use unique passwords on each site

[Image: passwords vs passphrases comic]


CyberSecurity Site in Development

We’re working on it. Watch for big things to come!

DDE Attack

You may or may not be aware of a new type of attack called a DDE attack – a way of launching malware from a web download, an email attachment, or even directly from the body of an Outlook email message or calendar invite.

Just say no

Attachments, emails and calendar invites pop up two giveaway warning dialogs before triggering a DDEAUTO attack; if you say “No” at either dialog, you prevent the attack.

First, you’ll see a warning like this when DDE is used:

[Image: first Outlook warning dialog]

Clicking “No” will stop a DDE attack from running.

If you click “Yes” at the first dialog, you will see a second dialog warning that a command is about to be run (the text in parentheses and the program names referenced at the end will vary):

[Image: second Outlook warning dialog]

Again, clicking “No” will stop the attack.

For more information, please refer to the following page and video:

Office DDE attack works in Outlook too – here’s what to do

 

Phishing Scam Alert: OneClass Chrome Extension

Be on alert for the OneClass Chrome Extension.  It is a phishing scam where once the extension is installed, it will attempt to send an email on behalf of the user and collect Campus-Wide Login (CWL) credentials.

How the phishing works:

Students will receive an email that includes a link to install the OneClass Chrome Extension.  During the installation, the user will be prompted to accept its permission of “Read and change all your data on the websites you visit.” If the user accepts, a button will be created within Connect pages to “Invite your Classmates to OneClass.”

The plugin in the extension will also attempt to send an email to everyone in the user’s class to promote the OneClass plugin. The plugin contains code that will attempt to collect user credentials (CWL username and password).

A copy of the phishing email is below:

“Hey guys, I just found some really helpful notes for the upcoming exams for <University Name> courses at <URL removed by UBC Information Security>.  I highly recommend signing up for an account now that way your first download is free!”

If you receive this phishing email, do not install the extension or click on any links in the email. Please delete the email.

If you already installed the extension, below are the instructions to remove the extension:

  1. Open up your Chrome Browser
  2. Select the 3 vertical dots in the top right-hand corner
  3. Select Settings
  4. Select Extensions in the top left-hand corner
  5. Click the Trashcan beside the “OneClass Easy Invite” extension
  6. Select Remove on the Confirm Removal Popup
  7. Close all Chrome windows and go back to the Extensions page to verify the extension has been removed (Steps 1-4)

Once you have removed this extension, please go to webadvisor.nipissingu.ca to reset your Nipissing CWL password.

If you have any questions, please contact techserv@nipissingu.ca

Cyber Security Reminder, Be conscious of new phishing attempts

There have been reports of increased email phishing attacks on Canadian Universities. Please take extra care to verify the authenticity of any email asking for personal information or wanting you to click on a link. If in any doubt, please call the Nipissing UTS Helpdesk at x4342 or email techsrv@nipissingu.ca.

  1. Faculty are being impersonated, with messages that are somewhat ‘context appropriate’ being sent to a number of people, directing them to a download link to pick up a document.
  2. Staff and Faculty are being targeted by unknown malefactors in a University Employee Payroll Scam.  This scam has already made its rounds in the United States and is now targeting Canadian Universities.

    Details:
    University employees are receiving fraudulent e-mails indicating a change in their human resource status. The e-mail contains a link directing the employee to login to their human resources website to identify this change. The website provided appears very similar to the legitimate site in an effort to steal the employee’s credentials. Once the employee enters his/her login information, the scammer takes that information and signs into the employee’s official human resources account to change the employee’s direct deposit information. This redirects the employee’s paycheck to the bank account of another individual involved in the scam.

    Consequences of this Scam:

    • The employee’s paycheck can be stolen.
    • The money may not be returned in full to the employee.
    • The scammers can take the employee’s log-in credentials and attempt to log into other accounts that belong to the employee.
  3. Students are being victimized by the ‘Work-from-Home’ Scam. The ‘Work-from-Home’ scam asks students to set up a bank account (on behalf of the malefactor) and send the details away. The accounts are used to transfer money and the victims are responsible for the financial liabilities. This scam is a form of identity theft.

World Backup Day – March 31st

World Backup Day is a global initiative to remind and teach people to properly and safely back up their files. At Nipissing University, we have our shared and home directories backed up daily to keep all our hard work safe.

For your personal documents and family photos, you may find the information at worldbackupday.com helpful. No matter which method you choose, we recommend you use strong passphrases to secure all your information.

 

Virus-Hoax-Spam – Fw- new message

Some of you may have received an email message from “Student Involvement” with the subject line “Fw: new message”. The message asks you to click the link provided to open a message. THIS IS A HOAX.

Never respond to emails, open attachments, or click on links from suspicious or unknown senders asking for personal information.

Always remember that UTS will never send you unsolicited emails asking for confidential information, such as your password or account details. We will never ask you to validate or restore your account access through email or pop-up windows.

If you have entered personal information after clicking on a link or suspect fraudulent behavior, please call the Help Desk immediately at 4342.

Spam Alert – IT Service Email

The email many of us received this morning titled “IT Service”, asking you to verify your account, is not a legitimate request from UTS. Please do not respond to or follow any links in this or similar messages.

UTS will never send you unsolicited emails asking for confidential information, such as your password or account details. We will never ask you to validate or restore your account access through email or pop-up windows.

If you have entered personal information after clicking on a link or suspect fraudulent behavior, please call the Help Desk immediately at 4342.

 

Warning- Text-Sms Phishing

Some members of the Nipissing University community have reported that they have received phishing scams as text messages. Please exercise the same caution you would with your email when you receive texts with links claiming to be from banks or other service providers. When in doubt, contact the organization using trusted contact information from the official source to verify the message is legitimate.

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

 

Nipissing University
100 College Drive, Box 5002
North Bay, ON, Canada
P1B 8L7
Tel: 705.474.3450
Fax: 705.474.1947
TTY: 877.688.5507
Brantford Campus
50 Wellington St.
Brantford, ON, Canada
N3T 2L6
Tel: 519.752.1524
Fax: 519.752.8372