OIT Quarterly Security Update: April 2026 Edition

Securing the Herd: SMU Quarterly Security Update

Hello Mustangs,

Before we break for summer, we want to highlight a few important reminders to help you stay secure wherever the season takes you.

In this issue, we take a closer look at ClickFix attacks — a tactic that disguises malware as something familiar, like a CAPTCHA or system prompt, and relies on users to unknowingly run malicious code. We’ve seen an increase in this activity, making awareness especially important.

We’re also addressing the continued rise in online job scams as students pursue internships and summer work. These scams often move quickly and feel legitimate — which is exactly the point.

You’ll also find guidance on OpenClaw and why tools with system-level access are not approved for use with university data, along with information about an upcoming MFA enhancement that adds additional protection when sign-in activity appears unusual.

Whether you’re traveling, working, researching, or taking a well-earned break, a few thoughtful pauses can prevent significant risk.

Thank you for continuing to protect your work and our community.

Staying secure, one Mustang at a time.

Corrina Taylor
Chief Information Security Officer (CISO)

[story image]
That CAPTCHA Isn’t Real: Understanding ClickFix Attacks

ClickFix is a social engineering tactic that misleads users into executing malware through fake verification prompts, including CAPTCHAs. This method targets Windows, macOS, and Linux systems via compromised websites and emails. Victims unknowingly download information-stealing malware, risking personal data and network security. Users should avoid pasting commands from webpages and report suspicious activity.
Now Hiring… or Now Scamming? What to Know About Online Job Scams

As summer approaches, more students begin searching for internships, part-time work, or their first full-time role. At the same time, job scams continue to rise—and not just slightly.
[story image]
[story image]
OpenClaw: Security Risks and Institutional Position

OpenClaw, the agentic “personal AI assistant” that uses autonomous AI agents, is not approved for use on university-owned or managed devices at this time due to security concerns.
Upcoming MFA Feature Further Protects Your SMU Account

Microsoft Authenticator may occasionally ask you to confirm your sign‑in with multi‑factor authentication (MFA) if something about a login looks unusual.
[story image]

Office of Information Technology

Copyright © 2026 Office of Information Technology, SMU
smu.edu/infosec  | 214.768.7321abuse@smu.edu 

 Instagram    LinkedIn    YouTube