Password Resets are Targets for Fraudsters
Resetting someone’s password to a network or an application is a high-risk responsibility, not simply a routine administrative task.
If you are tasked with resetting a password, current security standards require you to verify the identity of the requester.
ACTION STEPS:
- Ensure that your helpdesks and security access staff (Department Security Officers) are not resetting passwords based solely on electronic requests through tickets, emails or calls. Your department must put controls in place to verify the identity of the person needing the password reset. The best way to confirm identity and provide a reset password is through Teams or Zoom, where you can ensure you are dealing with the correct employee and see their employee ID if needed.
- Taking these extra steps to verify can help prevent unauthorized access to your department’s data and finances.
See our CTR Cyber page for more cybersecurity internal controls and our Cybersecurity Tips at Work page with tips specifically for you and your family. Contact [email protected] with any incidents or suspected incidents of fraud or cyber threats or if you need support from our Statewide Risk Management Team.