Information Services > Security > News & Updates > Security Announcements

Security Announcements

[May 2021] HHS OCR Warning

​The HHS Office for Civil Rights (OCR) has issued an alert on postcards being sent to some health care organizations disguised as official OCR communications. The postcards claim to be a notice of mandatory HIPAA compliance risk assessment. The postcards prompt the recipient to visit a URL, call or email to take immediate action on a HIPAA Risk Assessment. The link directs individuals to a non-govenmental web site marketing consulting services. Do not respond to this request.

Here is the message received from OCR:

Alert: Postcard Disguised as Official OCR Communication

OCR has been made aware of postcards being sent to health care organizations informing the recipients that they are required to participate in a “Required Security Risk Assessment" and they are directed to send their risk assessment to  The link directs individuals to a non-governmental website marketing consulting services.

Please be advised that this postcard notification did not come from OCR or the U.S. Department of Health and Human Services.  This communication is from a private entity – it is NOT an HHS/OCR communication.  HIPAA covered entities and business associates should alert their workforce members to this misleading communication.  Covered entities and business associates can verify that a communication is from OCR by looking for the OCR address or email address, which will end in, on any communication that purports to be from OCR, and asking for a confirming email from the OCR investigator's email address.  The addresses for OCR's HQ and Regional Offices are available on the OCR website at, and all OCR email addresses will end in  If organizations have additional questions or concerns, please send an email to:

Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation. 

​[​May 2019] New Antivirus Solution

As part of our efforts to improve security of the University’s computing assets and data, Information Services will begin rolling out an improved antivirus solution to all university owned computers. The new solution is designed to provide considerably improved protection to campus computers, along with improved performance over the current antivirus solution (McAfee). Information Services will begin rolling this out across campus starting this week, and continuing over a two month period.  

For Windows users, this update will run as a background process without requiring any user interaction, so the change should be transparent for users. Mac users will see a pop up window which will guide them to complete the process. 

As noted in an announcement​ in November, Apple users must update to a supported version of the operating system in order to be supported by antivirus solutions at DePaul University.

Please forward any questions or concerns to the Technology Support Center (x28765) or Information Security (

[March 2018] Tech Support Fraud

​The FBI recently issued a Public Service Announcement warning of Tech Support Fraud.  This type of fraud consists of criminals purporting to be a technical support specialist (for instance, a Microsoft representative) through phone calls, email or website pop-ups which may lock a machine.  They then may attempt a variety of malicious actions, such as trying to trick the victim into downloading a malicious program, getting the victim to grant them full control over the victim's machine, or to get access to their credit card.

In general, the criminals will purport that there is something wrong with the victim's machine, when in reality, no problem exists.  After convincing the victim that there is something wrong, the criminal will offer to "fix" the problem, and guide the user through steps that will ultimately compromise the machine.

Legitimate technical support specialists will not contact users in an unsolicited manner.

If you come across this type of scam, please notify the Information Security team at

For more information, visit the FBI's Internet Crime Complaint Center's announcement at

[January 2017] DePaul University Employee Phishing Message

On January 23rd Information Services sent the following email to all employees. Please note that this is a legitimate email.

The Problem with Phishing
Everyone online these days is experiencing an increase in phishing scams in their inbox. At DePaul, we have seen a marked increase in phishing scams sent to a wide DePaul audience.  We see nonspecific, widespread attacks as well as extremely targeted phishing lures sent to specific members of our community, whom the malefactors have clearly researched before attacking. The purposes of the phishing emails vary – but the most common ones try to steal email or portal credentials, personal information and/or to deliver malware (including viruses and ransomware).
Phishing message quality ranges from clearly fake to extremely sophisticated, wherein the sender does an outstanding job of hiding the original source of the message and the links or attachments appear legitimate.
What We Need You to Do
Unfortunately, technology today has only limited mechanisms to detect and stop these messages from getting to your email box.  The best defense against such scams is for you to be educated on how to avoid becoming a victim. To that end, DePaul has contracted for its employees to take advantage of online education aimed at giving you information to be able to spot phishing attacks in your email and avoid compromising your personal information.
We strongly encourage you to take this brief online training.  Below you will find a link to your personal account at our security awareness education vendor where you can get started.  We have selected modules which we believe are especially relevant to the environment at DePaul and will be the most helpful.
[Personal link to training]
Please do not forward this email as it contains your personal link to the training.  You can also find this email at <> .  if you would like to confirm the validity of this email.
We appreciate your attention to this matter and we encourage you to email us if you have any questions at <>  <>  .
Information Services

[January 2016] Social Security Phishing Messages

We'd like to alert the DePaul Community to a malicious phishing message that many have received with the subject "Social Security Statement." The text of this email is an almost exact copy of the US government's email entitled "Social Security Statement" or "Annual Reminder to Review Your Social Security Statement".   The link in both messages looks the same, however if you hover over the links with your mouse you will be able to see the true destination URL.  This particular malicious message has a malware-infected document, while the government email will take you to    To be safe, it is always a good practice to type a URL into your browser rather than clicking on a link in an email.

As we head into tax season, we can all expect to see more scams and phishing messages with subjects related to taxes.  Please be very careful about clicking on links and in giving out personal information.  Another tax scam that has been on the rise in recent years has persons submitting their taxes only to find that identity thieves have beaten them to it. For that reason it's a good idea to file as early as you can, especially if you're expecting a refund.

As always, if you have any questions or would like confirmation on any particular email you receive, please contact the Technology Support Center at 312.362.8765 or email


[January 2015] FBI Issues University Employee Payroll Scam Alert

This month the FBI issued an alert regarding phishing attacks on University employees.  The text is below:

University Employee Payroll Scam

University employees are receiving fraudulent e-mails indicating a change in their human resource status. The e-mail contains a link directing the employee to login to their human resources website to identify this change. The website provided appears very similar to the legitimate site in an effort to steal the employee’s credentials. Once the employee enters his/her login information, the scammer takes that information and signs into the employee’s official human resources account to change the employee’s direct deposit information. This redirects the employee’s paycheck to the bank account of another individual involved in the scam. 

Consequences of this Scam:


  • The employee’s paycheck can be stolen.
  • The money may not be returned in full to the employee.
  • The scammers can take the employee’s log-in credentials and attempt to log into other accounts that belong to the employee.


Tips on how to Protect Yourself from this Scam:


  • Look for poor use of the English language in e-mails such as incorrect grammar, capitalization, and tenses. Many of the scammers who send these messages are not native English speakers.
  • Roll your cursor over the links received via e-mail and look for inconsistencies. If it is not the website the e-mail claims to be directing you to then the link is to a fraudulent site.
  • Never provide credentials of any sort via e-mail. This includes after clicking on links sent via e-mail. Always go to an official website rather than from a link sent to you via e-mail.
  • Contact your personnel department if you receive suspicious e-mail.



If you have been a victim of this scam, you may file a complaint with the FBI’s Internet Crime Complaint Center at Please reference this PSA number in your complaint. The IC3 produced a PSA in May 2014 titled “Cyber-related Scams Targeting Universities, Employees, and Students,” which mentioned the university employee payroll scam. The PSA can be viewed at


[January 2015] FBI Issues Warning of Scams Targeting University Students

FBI Warns of Fictitious ‘Work-from-home’ Scam Targeting University Students

College students across the United States have been targeted to participate in work-from-home scams. Students have been receiving e-mails to their school accounts recruiting them for payroll and/or human resource positions with fictitious companies. The “position” simply requires the student to provide his/her bank account number to receive a deposit and then transfer a portion of the funds to another bank account. Unbeknownst to the student, the other account is involved in the scam that the student has now helped perpetrate. The funds the student receives and is directed elsewhere have been stolen by cyber criminals. Participating in the scam is a crime and could lead to the student’s bank account being closed due to fraudulent activity or federal charges.

Here’s how the scam works:


  • The student is asked to provide his/her bank account credentials under the guise of setting up direct deposit for his/her pay.
  • The scammers will add the student’s bank account to a victim employee’s direct deposit information to redirect the victim’s payroll deposit to the student’s account.
  • The student will receive the payroll deposit from the victim’s employer in the victim’s name.
  • The student will be directed to withdraw funds from the account and send a portion of the deposit, via wire transfer, to other individuals involved in the scam.


Consequences of Participating in the Scam:


  • The student’s bank account will be identified by law enforcement as being involved in the fraud.
  • The victim employee has his/her pay stolen by the scammers utilizing the student’s bank account.
  • Without the student’s participation, the scam could not be perpetrated, so he/she facilitated the theft of the paycheck.
  • The student could be arrested and prosecuted in federal court. A criminal record will stay with the student for the rest of his/her life and will have to be divulged on future job applications, which could prevent the student from being hired.
  • The student’s bank account may be closed due to fraudulent activity and a report could be filed by the bank.
  • This could adversely affect the student’s credit record.


Tips on how to Protect Yourself from this Scam:
  • If a job offer sounds too good to be true, it probably is.
  • Never accept a job that requires the depositing of funds into your account and wiring them to different accounts.
  • Look for poor use of the English language in e-mails such as incorrect grammar, capitalization, and tenses. Many of the scammers who send these messages are not native English speakers.
  • Never provide credentials of any kind such as bank account information, login names, passwords, or any other identifying information in response to a recruitment e-mail.
  • Forward these e-mails to the university’s IT personnel and tell your friends to be on the lookout for the scam.

If you have been a victim of this scam, you may file a complaint with the FBI’s Internet Crime Complaint Center at​. Please reference this PSA number in your complaint. The IC3 produced a PSA in May 2014 titled “Cyber-related Scams Targeting Universities, Employees, and Students,” which mentioned this scam. The PSA can be viewed at​.