Compromised email account instructions

Instructions for UNL faculty and staff: How to fix user account compromise from phishing

12/22/14


In the last few weeks, UNL faculty and staff have fallen victim to a clever phishing email (Read more in UNL Today). One symptom of a phished account is that the faculty or staff email account does not receive email. The following steps show users how to change their password, review their email settings, and report the issue to ITS for further follow-up.
More about Phishing

For additional assistance, contact the Computer Help Center.

Almost everyone who had their email account phished clicked on the link in the email below.

[Image 001]

1) To prevent the account from being compromised any further, reset the account password at https://id.unl.edu
a. On the login screen, enter your User ID and Password and click LOG IN.

b. Now click on the icon to CHANGE YOUR PASSWORD.

c. Enter a new password on the Password and Confirm Password lines. Choose a password you have never used before. Note the rules for password length and the characters to be used.


i. Consider using a passphrase instead of a password. A passphrase is a password made up from a phrase or quote, with numbers and symbols replacing some of the letters. For example, the phrase "I enjoy winter break!" might become the password:
I3nj0yWint3rBr3ak!
This password cannot be found in a dictionary, and meets the complexity rules for a new password. READ MORE ABOUT STRONG PASSWORDS 

d. Click SAVE. If your new password matches in both fields, you will see the following screen. Click OK. You should also receive an email that your password has changed.
[Image 005]

e. Click on LOGOUT and close the browser window for id.unl.edu.


2) In mysupport, open a new issue with the Compromised email account template.

3) Ask the user how long they have not been receiving email. (Put this date in the “How long between phishing and password reset” field, e.g., since 12/18/14.)

4) Go to the email web client (https://mymail.unl.edu) and log in with your User ID and your new password. Once logged in, click on the GEAR icon.
5) Then click on OPTIONS.
6) The options for the webmail account will now be displayed on the left. Click on Forwarding, about midway down the list. Any forwarding rules will be displayed.
7) The rule will be a forward to a non-UNL email address, something like idmaafh@gmail.com. Note the email address that was in the rule in the field “forward my email to:”. Click on the box next to STOP FORWARDING to disable the rule.
8) Then click on the back arrow on the upper left of the webmail screen to go back to email.

9) Send an email to mysupport@unl.edu. In the subject line, enter PHISHED EMAIL ACCOUNT; in the body of the message, include the steps you performed and note the following information:

a. The day you noticed you were no longer receiving email.
b. The email address that the email was being forwarded to (from step 7).

10) The UNL Information Security team will be in contact on the next UNL business day.