Phishing and You

 

Phishing is a widespread and dangerous cyberattack that targets both individuals and organizations. It involves sending fraudulent emails designed to trick recipients into revealing sensitive information, such as passwords, credit card numbers, or personal details. Despite increasing awareness, phishing remains highly effective due to constantly evolving methods and tactics. If you would like to know how to report a phishing email, please click here.

 

How Phishing Works

Phishing emails often appear to come from legitimate sources, such as banks, retailers, or social media platforms. These emails typically create a sense of urgency, prompting the recipient to act quickly by clicking a link, downloading an attachment, or providing personal information. Once a user interacts with the malicious content, they may inadvertently install malware on their device or be redirected to a fake website where their information can be stolen.

 

 

The Dangers of Phishing

1. Financial Loss: Phishing can lead to unauthorized access to bank accounts, fraudulent purchases, or even identity theft. Criminals can use stolen information to drain accounts, make illegal transactions, or commit other types of financial fraud.

2. Identity Theft: Personal information obtained through phishing can be used to create false identities, open new accounts in your name, or impersonate you for malicious purposes.

3. Malware Infection: Phishing emails often contain harmful attachments or links that install malware on your device. This malware can steal information, monitor your activity, or even lock you out of your system through ransomware.

4. Data Breaches: For businesses, phishing attacks can result in data breaches that expose confidential customer information, intellectual property, or company secrets. This can lead to reputational damage and legal consequences.

 

Common Types of Phishing Emails

1. Spoofed Emails from Trusted Sources: These emails impersonate well-known companies or institutions, like your bank or an online retailer, and ask you to click a link to "verify your account" or "resolve an issue." The links often lead to fake websites designed to steal your login credentials or financial information.

2. Urgent Security Alerts: These phishing emails warn of "suspicious activity" on your account and demand immediate action to avoid being locked out. The fear of losing access can lead victims to unwittingly hand over their sensitive information.

3. Fake Invoice or Payment Requests: Cybercriminals send fake invoices or payment requests, often pretending to be from a supplier, business associate, or a service you use. The goal is to trick you into paying a fraudulent invoice or downloading malware.

4. Prize or Lottery Scams: These emails claim you’ve won a prize or lottery and ask for personal details or a "processing fee" to claim your winnings. They are designed to steal your money and sensitive information.

5. Work-from-Home Scams: Many phishing attacks target job seekers with fake offers for remote jobs. They might ask for personal details or upfront payments for training, which are then used for identity theft or other crimes.

 

Real UT Example

 

In an enterprise setting such as our campus, an attack commonly takes the form of staff impersonation. In the real example provided above, note that this email appears to be from the former university president, Richard Williams. This is a real phishing attempt sent to staff on our campus, and it displays many of the behaviors common to phishing emails.

  • First, reading through the email we can see that there is no particular topic stated. Everything in this email is left intentionally vague. Of course, the adversary does not know the business we conduct internally, so they attempt to make the email sound as important as possible without saying anything explicitly.
  • Second, the email address is not in our email format. All faculty, staff, and students have an email address along the lines of [email protected] OR [email protected]. A notification banner is displayed above the email when it comes from outside of Utah Tech. As it says, verify the sender before opening links or attachments. However, this banner will not always show, so do not rely on it to be 100% consistent. Always verify the sender before you exchange any sensitive information, click on links, or scan QR codes.
  • Third, the email tries to build a narrative of urgency. People often act irrationally under stress and may not think carefully about what they are doing. Urgent messages will very rarely be sent over email.
  • Fourth, the email is requesting irregular information. We already have plenty of known ways to contact each other on campus, so asking for personal information out of the blue should be considered suspicious behavior.
  • Finally, the English in this email is unprofessional. As humans, we all make mistakes in typing and grammar, so this isn't always a clear indication, but combined with the previous points it adds to the evidence that this email is illegitimate.

In Summary

1. Be Skeptical of Unsolicited Emails: Always verify the sender’s identity. If an email seems suspicious or requests sensitive information, contact the sender directly through a trusted method.

2. Avoid Clicking on Links or Attachments: Never click on links or download attachments from unknown sources. Hover over links to check the actual URL before clicking.

3. Look for Red Flags: Watch out for signs of phishing, such as spelling errors, generic greetings (e.g., "Dear Customer"), or unfamiliar email addresses.

 

Resources

For more information about phishing attacks and how they look, here are some websites you can visit to help educate yourself and your peers.

 
