Don’t Get Hooked by Phishing

Students receive many daily emails from the U and it’s often hard to remember what information they’ve given out to whom — some students may give out personal information to scammers without even realizing it.

This phenomenon is known as phishing. The U’s Information Security website defines phishing as “an email scam designed to mimic an email from a legitimate organization in order to fraudulently collect personal information for the purpose of identity and/or information theft.”

Daniel Bowden, the U’s Chief Information Security Officer, said students and faculty need to be careful when giving out their information due to the prevalence of these phishing scams.

Phishing emails and phone calls often pretend to come from the victim’s place of employment or school. This is a global phenomenon not unique to the U. Bowden said everyone at the U is potentially a target.

“As large as the U is, events like these happen on a daily basis,” Bowden said.

Phishing emails typically include emotional messages to compel people to click on an embedded link. The link requires victims to either enter personal information or download malware that will gather information.

Bowden said the original phishing emails began over a decade ago and were easy to detect, but recent attacks are complex and have improved in mimicking official sources.

“The attackers will keep designing new ways to get you to click on the link,” Bowden said.

Because of this increased complexity and the size of the U, the university relies on education and awareness to help potential victims detect phishing emails. As a part of National Cyber Security Month, the U released a video detailing how to identify and respond to phishing emails and phone calls. This information can be found on the University Information Technology website at http://it.utah.edu.

Megan Hulse, a freshman in English, said she hasn’t personally been a target of these scams, but they have affected her job calling alumni at the U’s call center.

“I’ve had people who answer and say, ‘I cannot confirm that you’re from the U, so I’m not going to talk to you,’ ” Hulse said.

A successful phishing attempt can result in anything from student information being stolen to university employees losing a paycheck.

“We’re in the process of adding additional security measures for personal aspects of CIS,” Bowden said. Bowden said these updates won’t take effect for three to six months and they won’t protect students from phishing attacks entirely — they will just make CIS more secure.

Brian Buehler, a junior in parks, recreation & tourism, said he was aware of the scams but didn’t know they were a problem at the U. Buehler said he thinks he could be a target for these scams.

“I give information away willingly, so that’s kind of a problem,” Buehler said. “I’m going to have to pay more attention to that.”

Bowden said a good way to avoid phishing emails is to not give personal information out before verifying the sender of an email. A way to do this is to hover over the embedded link in the email to make sure the URL matches with the company name or subject matter of the email.

Bowden also suggests using different passwords, especially to keep work and personal information separate.

“I know people do it [use the same passwords] because it makes remembering passwords and usernames easier, but it also makes it easier for phishing,” Bowden said.

If students find themselves the victims of a phishing attack, Bowden said they should contact the security help desk. The U will also regularly run safety checks to help protect students.

@Ehmannky