By Emily Rushton, communications specialist for UIT Strategic Communication
“Immediately change your password,” said Kiston Finney, security specialist for the U’s Information Security Office, or ISO. “That’s the very first thing you should do.”
Next? “Call the Campus Help Desk,” she advised. They can be reached at 801-581-4000, option 1.
Social engineering – the attempt to psychologically manipulate a person’s behavior by getting the person to perform a certain action or divulge information – is happening more and more frequently, according to the Department of Homeland Security.
Phishing – the attempt to acquire confidential information, typically through email-based attacks – is the most common form of social engineering. It’s not to be confused with spam, a separate but equally nefarious type of unsolicited bulk email that can sometimes include malware, executable files or links to phishing websites.
The best-case scenario, of course, is to avoid being phished or spammed entirely.
“Phishers are often trying to get you to act on their behalf and transfer money, or trying to get various types of personal information from you,” said Colby Gray, IT manager for ISO. Phishers are usually after things like your social security number, bank account information or uNID and CIS password.
“No credible business or legitimate source would ask for this type of information over email,” he added.
Phishing attacks often try to induce panic or fear, encouraging the victim to make a hasty decision based on an emotional response – e.g., emails stating your raise is lower than promised, or that you’re in danger of failing a class.
“If you get an email that makes you afraid, that’s a good sign that it might not be a very credible email,” said Finney. “Emails coming from departments at the University of Utah should not make you scared or uncertain about your role at the U.”
Check for unusual language, grammatical errors and/or typos, which can be another indicator of a phishing email. It’s also good practice to hover over any suspicious links with your mouse pointer (without actually clicking the link). If it’s a phishing attempt, the URL often won’t match up with the company name or the overall subject matter of the email.
If you suspect you’ve received a phishing attempt (but haven’t clicked any bad links or divulged information), ISO recommends you forward the email as an attachment to firstname.lastname@example.org. Likewise, if you suspect you’ve received spam, forward the email as an attachment to email@example.com.
After verifying that the suspicious email is indeed a phishing attempt, ISO will remove the email from the UMail environment and block any URLs embedded within the email.
“We’ll also try to identify anyone who may have visited the malicious site before we were able to get it blocked, so we can inform them that they may have been phished and need to change their password,” said Gray.
Ultimately, the best thing you can do is use common sense and be wary of giving out information to less-than-credible sources.
“Trust your gut,” said Finney. “And if you think something went wrong, what can it hurt to change your password? That’s always my recommendation.”
- Many phishing attacks are seasonal or event driven. For example, an email that appears to come from the IRS during tax season attempts to lure you into a process that seems legitimate due to its timeliness.
- Be suspicious of any unsolicited contact (email or call) requesting personal information. It is important to note that sometimes scams happen over the phone.
- Some phishing attacks are random.
- Attackers target all businesses and organizations, not just the U.