Researchers should expect temporary delays in WVU and WVU Research Corp.’s ability to submit proposals to the National Science Foundation, process NSF grants and other appropriations, and perform any NSF-related central office administrative functions.
Following a security incident involving a compromised WVU account, the University is working closely with NSF to address the agency’s concerns and to ensure system access is restored as soon as possible.
NSF has assured the University that faculty won’t be penalized for any delays; however, there is not an estimated time frame for when this will be resolved.
This delay should not discourage prospective principal investigators from submitting NSF proposals through WVU+kc. The Pre-Award staff will need to work with PIs to review the proposals using alternative measures so that when access is restored to the central office, proposals can be submitted without any further delay.
NSF reports it is seeing an uptick in bad actors stealing credentials and impersonating university employees. If a cybercriminal gains access to your WVU Login account, they can change your password, lock you out, add devices to your account, log into various systems and services, spam or phish others from your account, compromise data and cause other disruptions.
Cyber criminals often specifically target employees with access to sensitive data, the authority to transfer money, administrative access to mission-critical systems or the ability to perform central office administrative functions. These employees need to be especially vigilant in protecting their WVU accounts and University data.
Universities are attractive targets to cyber criminals who employ sophisticated scams that try to trick faculty, staff and students into giving up WVU Login credentials. Although WVU has many measures in place to Defend Your Data, faculty, staff and students share the responsibility to help keep University information secure. All employees should follow these tips from Information Technology Services:
Know the signs of phishing. Attackers often send emails that appear to be from campus leaders, supervisors or students asking you to click a link to open a document or join a meeting or group unexpectedly. Validate unusual and unexpected requests with a message or a phone call to the supposed sender using a number you already know or one you look up in the WVU Directory. If you accidentally click a link and provide your credentials, change your WVU Login password immediately.
Never approve a Duo push that you didn’t initiate. Attackers who get access to your username and password must still go through Duo two-factor authentication to access WVU systems. A push you didn’t initiate is an attacker trying to impersonate you. Sometimes attackers will send multiple Duo approvals at once, hoping you approve one just to stop the notifications. Do not approve these requests, and change your Login password immediately.
Never approve the addition of an unknown device to your Duo account. When you add a new device to your Duo account, you will receive a notification in the Duo app and an email from Duo asking you to confirm. If you receive a notification like this and did not add a new device, it’s an attacker trying to access your account. Select “No, this wasn’t me” for both the Duo app notification and email. If you accidentally approve a notification and add an unknown device to your Duo account, immediately remove the device, and then change your password immediately. Verify that only your devices are registered by clicking “Manage Account” at login.wvu.edu.
Follow the WVU incident reporting procedures. Report all suspected or known incidents to ITS immediately at infosec@mail.wvu.edu or by using the Incident Report form. If you suspect you were scammed, don’t do anything to the system or the device until you receive further instructions from Information Security.
Never use your WVU Login username and/or password on non-WVU sites.
Secure your WVU Login password and don’t share it with anyone.
Use a strong password or phrase. Twelve characters is the minimum. Use these tips to create strong passwords.
Never plug in an unknown device. External devices, like USBs, can be infected by viruses.
Report suspicious looking emails. Don’t reply or click any links. Use the Report Message button in Outlook email or forward it as an attachment to DefendYourData@mail.wvu.edu.