University of Connecticut student distribution lists are not publicly accessible for phishing attacks, Chris Bernard, chief information security officer, said.
A phishing email is a type of scam that attempts to gain “something of value” from the user, Bernard said. This could be information, passwords or money.
UConn students' emails are protected by the university, but they are still at risk.
“Email addresses are not considered directory information and are not publicly available except to other students, faculty and staff via phonebook.uconn.edu or email, both of which require a university login,” Bernard said.
According to the UConn Information Technology Services website, UConn has enabled advanced threat protection on all university emails. ATP monitors malicious links and unsafe attachments.
However, phishing emails still get through to UConn students due to the sheer volume of phishing emails and their ever-changing nature.
“The university maintains a variety of technological controls meant to help reduce the impact of phishing emails on the university community. On a daily basis, our automated systems block between 60 to 70% of incoming mail that is considered either a phishing email, malware or spam,” Bernard said. “That equates to over 500,000 messages daily that get automatically blocked, but due to the frequently changing nature of these messages, or their similarity to real messages, many messages still get through.”
Students are at risk for receiving phishing emails when they sign up for any free service, he said.
“One way those services pay for themselves is by selling data,” Bernard said. “Remember, if you aren’t paying for a product, you likely are the product.”
Another way UConn emails become at risk for phishing is through a company compromise, such as the 2018 Chegg.com breach, he said.
“You can check out where your uconn.edu or personal email address may have been involved in a compromise by going to haveibeenpwned.com and entering your email address,” Bernard said.
There are many signs that can help a reader recognize a phishing email, Bernard said. One common sign is the phrase “immediate action required.”
For UConn students, scammers tend to create email addresses that are similar to common UConn emails, such as firstname.lastname@example.org, he said.
According to the UConn Information Technology Services website, the external message banner, which was added in Feb. 2020, alerts recipients when an email comes from outside of the university. The yellow banner reads “message sent from a system outside of UConn.”
“[The external banner] should really make you question whether your favorite faculty member or researcher really needs you to go purchase iTunes cards because they are stuck in a meeting,” Bernard said.
The UConn ITS website also said that most phishing emails have bad spelling or grammar, mismatched email address information and/or a generic signature line.
Bernard said the best way to keep information safe is for users to be cognizant of the contents of a message before they click.
“If the email seems phishy, it most likely is,” he said.
He said popular phishing attacks aimed at UConn students either look like legitimate UConn websites or offer jobs.
“If you receive a job solicitation without applying, or it [simply] seems to be too good to be true from a pay perspective, it probably is,” Bernard said.
He warned all members of the UConn community to watch all of their social media messages for attempted phishing attacks.
“Always take a second to ask yourself if this message is legitimate,” Bernard said. “And, this doesn’t only apply to email. The same goes for SMS text messages and other messages you might receive via social media.”
Members of the UConn community can report any suspicious emails to email@example.com or contact the Technology Support Center.