MyHR access changes in response to new phishing trends


The following message was sent by Ohio University's Office of Information Technology to OHIO faculty and staff on July 7, 2016.

By now, most of you have received one or more “phishing” scam emails – emails that copy or mimic names or logos and ask you for sensitive information like user names, passwords, or other employee identification data. Increasingly, these scams are sophisticated, and some may look authentic. Responding to a phishing scam can allow hackers to access your personal data such as social security numbers and bank account information.
 
To help protect individuals who may inadvertently share their credentials in response to phishing scam emails and to minimize the impact of such lost individual credentials, the University has restricted off-campus access to W2s and direct deposit via MyHR until two-factor authentication becomes available later this year.
 
Employees who wish to download their W2s or change their direct deposit details must be physically present on one of the University's campuses or centers to do so. Remote access, including via VPN, has been disabled. Employees who are unable to come to a campus location can request an exemption (see below for details). Individuals will be able to access MyHR through their work-assigned devices and computers or personal devices and computers as long as they are connected to the University network.
 
These restrictions only apply to W2s and direct deposit. All other MyHR features like Absence Management and pay slips remain available from both on and off campus.
 
New trend in higher education: Phishing and identity theft
 
These new security measures are not motivated by any particular incident. They simply are the prudent course of action, given that individuals do occasionally give their passwords away in response to emails that ask them to log into a bogus website using their University credentials. As long as you have not logged into any unsolicited links (typically associated with an account deactivation or verification notice), you should have nothing to worry about. If you did click on such a link and enter your credentials, you should contact the OIT Service Desk and change your password as soon as possible.
 
Phishing scams designed to trick employees into giving away their login and password are nothing new; however, the stakes are much higher than they used to be. In the past, the most likely result of a phishing scam was a victim's email account being used to send spam. Now, attackers often download the victim's W2s and redirect his or her paycheck to an account owned by the attackers. Even if the direct deposit change fails, the information in a single W2 is enough to allow an attacker to steal the victim's identity, file false tax returns, open financial accounts in the victim's name and apply for credit cards and loans.
 
Reducing the risk long term: Two-factor authentication
 
The current restrictions are a temporary measure. The University's long-term approach involves two-factor authentication.
 
Commonly used in banking, two-factor authentication makes it much harder for attackers to access an employee's account by adding a temporary passcode to the login process. Two-factor typically works like this:  

1. The employee enters his or her OHIO ID and password in the login screen.

2. Once the employee enters the code, the login process is complete.

3. The system sends a single-use confirmation code to the employee. Typical ways to receive this code include text message, automated voice call, smart phone app, email to a separate account, or in special cases a pre-generated code when other methods are not available.

With two-factor enabled, a stolen password is useless unless the attacker also has access to the victim's phone. Two-factor authentication will be available on MyHR within the next six months.
 
Requesting an exemption from the off-campus W2 and direct deposit change block
 
In the meantime, if you need to access your W2s or direct deposit details and are physically unable to come to a University location, you can request a security exemption by contacting the OIT Service Desk. The Service Desk will verify your identity using the same criteria as if you were requesting a password reset. Once your identity has been verified, your account will be exempt from off-campus W2 and direct deposit restrictions.
 
If you choose to exercise this option, be extra vigilant with your credentials. Should you fall victim to a phishing scam, your sensitive data will be at greater risk with the remote restrictions disabled.
 
How to avoid being scammed
 
OIT will never ask you to log into a link over email. If you receive such a message, look up the sender's office phone number independently and call them to verify the request BEFORE you click.
 
For assistance with password changes, contact the OIT Service Desk at 740-593-1222. To report a suspicious email message, forward that message as an attachment to security@ohio.edu.