Anyone with an email address is vulnerable to phishing scams, but when armed with knowledge of how to identify and report attacks, they become significantly less of a risk.
A “phishing” attack is a scam usually executed via email, in which an attacker poses as a trusted sender and lures victims into dispensing personal information, according to Phishing.org. The name “phishing” comes from the strategy of baiting victims with urgency or reward.
“Phishing is a form of social engineering. The goal is to get you to do something without really thinking through the implications,” Chris Bernard, University of Connecticut Chief Information Security Officer, said. “Typically, phishing is seeking your personal credentials, banking account information or an attempt to get you to install malware on your computer.”
Recently, tactics have changed to evade detection by seeking the purchase of gift cards or offering job opportunities, Bernard said.
At UConn, these attacks can be seen in the form of an email from a @uconn.edu email address, Bernard said. Sometimes, scams will advertise employment or tutoring opportunities, and they will typically include some link or email address to click on or send information to.
“We typically see a surge in phishing at the beginning of each fall semester,” the UConn ITS website reads. “The trend has continued this year with a substantive increase in emails being launched from compromised university accounts or masquerading as institutional messaging.”
Bernard said there are a variety of ways to identify phishing emails, including looking at the sender’s email address.
“Does it make sense?” Bernard said. “Is your friend or boss who normally emails you from an @uconn.edu address now sending email from a Gmail account? Does something about the email look ‘off’?”
Additionally, hovering over a link with the cursor can show what kind of file it points to. If it’s an .exe file, it is a potentially harmful software program that will download onto the device if clicked.
Hovering over a link also reveals the web address it leads to. If that address does not match the link’s description in the email, it could be dangerous, according to the UConn IT Security website.
If unsure about the safety of a link that seems legitimate, Googling the associated company or email address is generally an effective way to check. Often, there will be reports online of similar scams.
Other telltale signs of phishing include poor spelling or grammar, requests to email a non-UConn email address, a generic signature line listing a position instead of a full name and a lack of contact information after the signature line, according to UConn IT Security.
As stated on the UConn ITS website, signs of a phishing email include urgent requests, such as a threat to close an account or a job posting that needs to be replied to immediately. The point is to induce panic in the receiver so they don’t stop to consider the email’s legitimacy.
If any user of a UConn email address receives a suspicious, or “phishy,” email, they should forward it to firstname.lastname@example.org and delete it, Bernard said. When in doubt, one can also email email@example.com. Educational resources are also available at security.uconn.edu.
Phishing is a constant threat, as ITS’ automated systems block thousands of messages daily, Bernard said.
“Even with our automated systems, sometimes messages get through,” Bernard said. “It is a constant challenge, as the individuals doing the phishing are constantly changing their tactics to evade detection.”
Keely Greiner is a campus correspondent for The Daily Campus. She can be reached via email at firstname.lastname@example.org