This post originally appeared here.
As part of increased and ongoing efforts to combat phishing at the University of Utah and University of Utah Health, the U’s Information Security Office (ISO) recently launched the Phish Tank, an awareness and educational website with information on phishing tactics and known schemes.
Other efforts from the past year include the ongoing implementation of two-factor authentication for student, alumni and affiliate uNID accounts, and a partnership with KnowBe4 on phishing and cybersecurity awareness efforts. On Aug. 8, 2022, the ISO will launch the Phish Alert Button, which will enable users to more easily report suspicious emails.
The Phish Tank features a list of key phishing indicators, examples of common phishing schemes, and other resources to help users identify scams, including videos, tips and quizzes.
Trevor Long, associate director for the ISO’s Governance, Risk, & Compliance team, said the goal of the Phish Tank is to raise awareness of phishing tactics and help decrease the number of people who fall for the scams and potentially give away confidential information.
“Phishing is not going away anytime soon. It’s getting worse. For example, attackers are now trying to figure out how to get around two-factor authentication,” he said. “Users must be vigilant.”
To aid users, the Phish Tank will soon include a list of recent phishing messages sent to university email accounts.
“It’s a great resource. People can see what’s going on right now—what criminals are after—so they can be on guard,” Long said.
Jesse Adams is the manager for the ISO’s Security Operations Center (SOC), which handles phishing reports and incidents. He said user behavior and human error are the biggest challenges around phishing, referencing a Deloitte report that indicates that “91% of all attacks begin with a phishing email to an unsuspecting victim.”
“When users fall for phishing, give up their credentials, and don’t report it to us, an attacker can gain a foothold in the U’s network and leverage it in all sorts of ways” that put the university and users at risk, he said.
Adams hopes the website—inspired by the University of Michigan’s Phish Tank—will help users better identify and guard against phishing emails. Users, he added, should always report suspicious emails.
“The SOC reviews every phishing message that people send us. Users can expect a timely response on whether the email is legitimate and instructions on how to proceed if it’s malicious,” he said.
Report a suspicious email
If you receive a phishing attempt through a university email account, report it using the Phish Alert Button or by forwarding it as an attachment to email@example.com. For more information on how to report phishing, please visit this IT Knowledge Base article.
If you’re not sure whether an email is a phishing attempt, report it anyway. The SOC will analyze the email, notify you whether it is malicious, and act as needed to protect users and the university.