What are the answers to frequently asked questions regarding the new email security features released in April 2024?

Overview

With the release of two new email security features in April 2024, Technology Solutions has received some questions from the UIC community. This article provides answers to some common questions/requests.

Table of Contents

FAQs

Why was the "External Sender" warning added?

Phishing attacks continue to evolve, and cybercriminals use increasingly sophisticated tactics to deceive individuals. By implementing this feature, we hope to inform our community to exercise caution and verify the legitimacy of external emails, reducing the risk of falling victim to scams, phishing attempts, and other malicious attacks.

Additionally, enabling the “External Sender” warning satisfies audit and cyber breach insurance findings, strengthening our cyber security posture. This also allows us to meet regulatory compliance needs for some of the research that UIC is involved with.

Why is the "External Sender" warning needed in addition to the Safe Links feature?

While the Safe Links feature (enabled several years ago) is a helpful protection when a link is clicked in a malicious email, it can't catch every malicious link and the behavior we encourage is to be cautious when clicking a link in any email, especially those from external (non-U of I) sources. Hardly a day goes by without our Cybersecurity team needing to work with at least one individual who has clicked a link or followed some instructions in a phishing email and has put their accounts and data at risk. The "External Sender" warning banner was implemented to be a just-in-time reminder to carefully evaluate emails from external sources.

Can I opt-out from the "External Sender" or "You don't often get email from..." warnings?

Due to the threat landscape for email, we are not able to support disabling these security enhancements on an individual basis. We also have a number of further improvements to email security that we are beginning to work on, which are focused on the prevention of malicious email reaching folks' inboxes to begin with. Look for more information on these efforts over the coming months.

Why are university-contracted vendor systems (e.g. Blackboard and Box) not exempt from the "External Sender" warnings?

While the university has contracted with numerous vendors, some of which generate emails to individuals in the UIC community, the university does not control these external vendor's systems and while all vendors go through a rigorous security review prior to contracting, no one is able to guarantee an external system will not be compromised/hacked. Where feasible, the university works with these external vendors as new systems are implemented to utilize our own email distribution systems so that these emails can be distributed using an @uic.edu domain. We will also be evaluating current vendors (e.g. Blackboard) to review the potential for reconfiguring their email sending.

I am a faculty member who interacts with new students every semester, will I have to see the "You don't often get email from..." message every time a student emails me?

This message only appears for email sent from outside the UIC Microsoft Exchange email system. The university is in the process of transitioning entirely to the Microsoft Exchange email service, and all new students as of Fall 2022 are placed on Exchange. This means that while you may see the notice for some students that joined UIC prior to Fall 2022, you will not see the notice from any new students sending from the UIC email address.

I have a different question: who can I reach out to?

Please visit it.uic.edu/ask-a-question to reach our team.