University of Utah students have many ways to stay vigilant against outsiders who try to steal sensitive information through an online scam called phishing.
Phishing, as defined by the Federal Trade Commission, is “a type of online scam that targets consumers by sending them an e-mail that appears to be from a well-known source – an internet service provider, a bank, or a mortgage company, for example. It asks the consumer to provide personal identifying information. Then a scammer uses the information to open new accounts, or invade the consumer’s existing accounts.”
Trevor Long, director for governance, risk and compliance in the Information Security Office at the U, said that on top of the email scam, which is most common, there is also “smishing” (SMS and text message attacks), as well as “vishing” (voice and phone attacks).
Chris Dansie, academic director of cybersecurity management for the David Eccles School of Business, said the U may be targeted because attackers want to gain access to the university system.
Dansie added this scam happens more often than most people realize.
He said at the U, there are considerable efforts to stop those emails from reaching inboxes in the first place, but there are some that slip through.
To help combat this issue, the university has been sending out simulated phishing tests to students, staff and faculty to bring awareness to the issue and help people identify what a phishing message can look like.
Long said if someone fails the test, they are given feedback about what they missed and how to do better in the future.
“Users that are deceived by U phish simulation exercises receive immediate feedback explaining the tell-tale signs in the simulated phish,” he said. “They are also enrolled in a brief online training that provides additional information on spotting and reporting phishes.”
According to the press release about these initiatives, “IT security breaches can also harm the U’s finances and reputation, and the privacy of U students, patients, faculty, and staff.”
One sneaky way hackers try to gain access to operating systems is through a corrupted file attachment, Dansie said.
“When you double click it, it’ll infect your computer; it could apply ransomware to it or it could just infect it so the attacker can log on remotely and you don’t even know it,” he said.
Both Dansie and Long stressed the importance of being diligent and reporting any emails that seem suspicious. The sooner a student, faculty or staff member reports a potential phish, the sooner UIT can review the email and even take the same email out of others’ inboxes.
You can report an email by using the Phish Alert Button in UMail or by forwarding the message as an attachment to [email protected].
In addition to these simulated tests, the university also has a resource called the Phish Tank, which has more information on common phishing tactics and red flags to look out for.
According to the Phish Tank, an email may be a scam if:
- The email comes in outside of normal working hours or late at night
- The email is sent to a group of people you don’t know
- The message has a tone of urgency and asks to verify an account
- There are general misspellings in the text and in hyperlinks
- The sender is someone you don’t know or is outside of your organization
Long’s advice to students who deal with this issue at the U is to know that everyone gets these types of messages and to be vigilant.
“The key is to not respond to the bait, which is often designed to trigger a strong emotion-based response,” he said. “Report suspected phish that you receive in UMail to the U’s Information Security Office to protect yourself and others. Never assume that a phish you receive only affects you. By reporting phishing, you just might save the U from a cyber-security incident.”
He added that students shouldn’t second-guess themselves when it comes to phishing.
“If you have even the smallest inkling that an email you get in your UMail account is a phish, report it,” he said.
Dansie finished by saying that technology is not always failproof, and there will be some phishing emails that get through the U’s filters. That is when “we rely on the humans to be able to detect phishing emails, delete them — or even better — record them, to take them out of your inbox.”