Phishing is the attempt to obtain sensitive information such as usernames, passwords, social security numbers, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. These attacks are often initiated by organized cyber-crime groups, and their frequency has been increasing. The attempts have become more sophisticated, and they are capable of achieving high levels of apparent credibility by leveraging public information, such as easily determined email addresses. Targeted attacks, also referred to as spear phishing, use elements that typically signal authenticity – a familiar sender or copied website content – and can be more difficult for a recipient to quickly identify as spam mail. An example of spear phishing is the recent message that superficially appeared to come directly from President Herbst.
The University’s spam mail filters remove many of these messages before they enter inboxes, and any that pass are addressed with internal IT security processes as soon as they are identified. This reduces, but does not eliminate, the threat to our community. Phishing scams will continue, and in response, ITS will continue to develop more sophisticated resources and to explore technologies that will provide better protection. The community also has a role to play. Phishing attacks can, in general, only succeed through the cooperation of the target. Opening attachments and clicking on embedded links are overt actions that need to be performed with real caution. Hovering over a link or an attachment usually produces additional information about what it is. A document that looks like it has a name “something.pdf” might actually be a file “something.exe.” The former is something you view while the latter is a software program that you execute and is extremely dangerous. Running sketchy programs is a one way ticket to computer infection and data loss. Embedded links have two parts. The part that is displayed and what it actually points to. The first part is nothing more than a label and while easily read, does not actually mean anything. The second part is what it really is and in a phishing email, this will refer to something unexpected and often dangerous. As a general rule, you should not open an attachment or follow a link if it comes in an email that you do not expect. Even if you expect an email, an attachment should never be opened without verifying the kind of file it is, and no link should ever be followed without first verifying what it references. Under no circumstances should you ever provide personal or sensitive information of any kind through an interaction that you did not explicitly initiate yourself.
Your advocacy is vital to increasing awareness on how these attacks happen and how each of us can better avoid being misled. If you have questions about the validity of a message, ask the ITS Technology Support Center (firstname.lastname@example.org) to review it. Any message suspected to be a phishing attempt can also be forwarded to email@example.com.
1. Ramzan, Zulfikar (2010). “Phishing attacks and countermeasures”. In Stamp, Mark & Stavroulakis, Peter. Handbook of Information and Communication Security. Springer. ISBN 9783642041174. 2. Van der Merwe, A J, Loock, M, Dabrowski, M. (2005), Characteristics and Responsibilities involved in a Phishing Attack, Winter International Symposium on Information and Communication Technologies, Cape Town, January 2005.