Safe Computing

What is Phishing and what can be done about it?

Phishing is a technique used by malicious actors whereby they misrepresent themselves, usually through email or text, as a reliable or trustworthy source in an attempt to gather sensitive information.  The initiator of a phishing attempt hopes to "lure" you into either providing sensitive information such as usernames, passwords, personal information or credit card data, or clicking on a link to malware.  This technique is frequently used as a prelude to ransomware attacks.

Frequently the malicious actor will attempt to impersonate:

  • Your organization's help desk personnel
  • Your bank or lending institution
  • Your merchant or social network service
  • Your supervisor

For executives and managers of service-providing departments, malicious actors may attempt to impersonate an employee requesting service from a personal account.  High-level managers can receive phishing emails on a daily basis.

How to Recognize Phishing, and what you can do to avoid it.

There are some telltale signs that the email you received is a phishing attempt.

  • Phishing attempts will ask you to take action.  This action might be clicking on a link, or providing personal or financial information.  Do not send information of this kind via email.  If you get an unexpected request that you think may be phishing, you can always verify with a phone call or through Microsoft Teams.  Don't reply to the email for verification.
  • Phishing attempts will usually come from non-campus email addresses.  Unfortunately, campus accounts do get compromised, and malicious actors will use them to launch convincing phishing attacks.  However, in most cases the email will come from a non-campus email address.  We frequently see phishing attempts from Gmail.  Always look closely at the email address of the sender and make sure it is from a campus address or another legitimate source.
  • Phishing attempts will usually place some sort of time pressure on you.  You might want to double-check that your boss really needs those gift cards before they get out of the meeting.
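As an added example that is not part of this page, the checker below flags the three signs listed above in a raw email message: a sender outside the campus domain, a request for action or sensitive data (a link or a credential/gift-card phrase), and urgency wording.  The campus domain `example.edu` and the two sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumption: the organisation's own mail domain (placeholder, not from the page).
CAMPUS_DOMAIN = "example.edu"

# Wording that pressures the reader to act quickly (the "time pressure" sign).
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|before (the )?meeting"
                     r"|account (will be )?suspended)\b", re.I)
# Requests for credentials, payment data or gift cards (the "take action" sign).
CREDENTIAL_ASK = re.compile(r"\b(password|username|credit card|gift cards?"
                            r"|verify your account)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)


def _body_text(msg: Message) -> str:
    """Collect the text/plain parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8",
                                         errors="replace"))
    return "\n".join(chunks)


def phishing_signals(raw: str) -> dict:
    """Return which of the page's tell-tale signs appear in one raw RFC 822 message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = _body_text(msg)
    text = msg.get("Subject", "") + "\n" + body  # subject lines carry urgency too
    return {
        "non_campus_sender": domain != CAMPUS_DOMAIN,
        "asks_for_action": bool(LINK.search(body) or CREDENTIAL_ASK.search(text)),
        "time_pressure": bool(URGENCY.search(text)),
    }


def phishing_score(raw: str) -> int:
    """Number of signs present (0-3); anything above 0 deserves out-of-band verification."""
    return sum(phishing_signals(raw).values())


# Constructed sample: a "supervisor" writing from Gmail with a gift-card request.
PHISH = """\
From: "Jane Dean (Supervisor)" <jane.dean.office@gmail.com>
To: staff@example.edu
Subject: Urgent request

I am in a meeting and cannot talk. I need you to buy three gift cards
and send me the codes before the meeting ends. Reply by email only.
"""

# Constructed sample: a routine campus notice with no link, no request, no urgency.
LEGIT = """\
From: IT Help Desk <helpdesk@example.edu>
To: staff@example.edu
Subject: Scheduled maintenance this weekend

The campus mail service will be unavailable Saturday from 02:00 to 04:00.
No action is needed on your part.
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_score(sample), phishing_signals(sample))
```

A score of 3 on the gift-card sample and 0 on the maintenance notice matches the bullet list above; the rules are deliberately coarse and are meant as a triage aid, not a replacement for verifying by phone or Teams.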

What is Spear Phishing?

Most phishing attempts are executed in bulk.  One malicious actor may attempt to phish hundreds of thousands of people at once.  Their payoff comes from executing a large number of attempts, so that even if only a small percentage succeed, they still have a good number of successes.  Some malicious actors instead focus on a smaller number of targeted attacks.

Targeted phishing attacks are called spear-phishing attacks.  With a spear-phishing attack, the malicious actor researches an organization and targets their victims with tailored messaging.  The attack can be as simple as directing the victim to a clone of the organization's website, or as sophisticated as taking advantage of vulnerabilities in technology or software used by the organization.

For more information, see the "The Fly Phishing Hack that Cost Millions" YouTube video.

I think I am a victim of a phishing attack, what can I do?

Malicious actors using phishing may have different goals.  Recovery from a phishing attack will depend on the goal of the malicious actor.  The two most common goals are identity theft and malware.

If the malicious actor's goal was to entice you to click on a malware link:

  • If you think you have downloaded malware due to a phishing attempt, you should disconnect your computer from Wi-Fi or any connected network.
  • Contact a computer repair professional.

If the malicious actor's goal was identity theft and fraud: