The University of Arizona

Phishing


"Phishing" is where fraudsters send spam or pop-up messages that appear to come from a legitimate website, such as a bank, credit card company, or ISP, to lure unsuspecting recipients into giving up their personal, financial, or credential-related information. The scammers can then use that information to commit identity theft, gain access to password-protected sites using your account, and even hack your computer.

Phishers are churning out much more convincing and effective emails. Not only are the most persuasive specimens well-written, they are also often personalized, addressing the recipient by name. In addition, they replicate the look and feel of authentic emails from legitimate businesses down to the fonts, footers, logos and copyright statements those companies use in electronic correspondence with their customers.

As phishing schemes become more sophisticated, with phishers being able to convince up to 5% of recipients to respond, it becomes increasingly important to be vigilant in identifying and protecting yourself from these scams.

Download our Phishing Pamphlet for great information on how to identify and protect yourself from phishing attacks.


How to Protect Yourself

  1. Never respond to emails that request personal financial information.
    1. Even if you think the email may be legitimate, don't respond - contact the company by phone or by visiting their website.
  2. Only visit banks' websites by typing the URL into the address bar.
    1. If you suspect an email from your bank or online company is false, do not follow any links embedded within it.
  3. Be cautious about opening attachments and downloading files from emails, no matter who they are from.
  4. Keep a regular check on your accounts.
    1. Regularly log into your online accounts, and check your statements. If you see any suspicious transactions report them to your bank or credit card provider.
  5. Check the website you are visiting is secure.
    1. Check the web address in the address bar. If the website you are visiting is on a secure server, it should start with "https://" ("s" for secure) rather than the usual "http://".
    2. Look for a lock icon on the browser's status bar. You can check the level of encryption, expressed in bits, by hovering over the icon with your cursor.
    3. Note that the fact that a website is using encryption doesn't necessarily mean that the website is legitimate. It only tells you that data is being sent in encrypted form.
  6. Be cautious with passwords and personal data.
    1. Never let anyone know your PINs or passwords, do not write them down, and do not use the same password for all your online accounts.
    2. Avoid opening or replying to spam emails as this will give the sender confirmation they have reached a live address.
  7. Keep your computer secure.
    1. Some phishing emails or other spam may contain software that can record information on your internet activities (spyware) or open a 'backdoor' to allow hackers access to your computer (Trojans). Installing anti-virus software and keeping it up to date will help detect and disable malicious software, while using anti-spam software will stop phishing emails from reaching you. Also make sure you keep up to date and download the latest security patches for your browser.
  8. Always report suspicious activity.
    1. If you receive an email you suspect isn't genuine, forward it to the spoofed organization (many companies have a dedicated email address for reporting such abuse).
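Several of the points above come down to one habit: look at where a link actually goes, not at what it says, and check that the real destination uses "https://". The script below is an added example written for this page (it is not part of the university's material) that does that check on a small HTML email constructed here for illustration: it lists every link's visible text next to its real target, flags targets that are not "https://", and flags links whose visible text names one domain while the underlying address points at another. All domain names in the sample are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently being read, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    """Return [(visible_text, href), ...] in document order."""
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def audit_links(html):
    """Return one finding per link: its text, real target, and a list of reasons for concern."""
    findings = []
    for text, href in extract_links(html):
        reasons = []
        if urlparse(href).scheme != "https":
            reasons.append("target is not https")
        # If the visible text itself looks like a URL or bare domain, compare it
        # with the host the link really points at.
        if "://" in text:
            shown = text
        elif "." in text and " " not in text:
            shown = "http://" + text
        else:
            shown = ""
        shown_host = _host(shown)
        if shown_host and shown_host != _host(href):
            reasons.append(
                f"visible text names {shown_host} but link goes to {_host(href)}"
            )
        findings.append({"text": text, "href": href, "host": _host(href), "reasons": reasons})
    return findings


# Constructed sample email body (all domains are placeholders, not real sites).
SAMPLE_EMAIL = """
<p>Your account has been limited. Please verify at
<a href="http://login-verify.example.net/account">https://www.bank.example.com/login</a>
within 24 hours.</p>
<p>Contact us: <a href="https://www.bank.example.com/help">https://www.bank.example.com/help</a></p>
<p><a href="https://www.bank.example.com/unsubscribe">Click here</a> to unsubscribe.</p>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL):
        status = "; ".join(f["reasons"]) or "ok"
        print(f'"{f["text"]}" -> {f["href"]}  [{status}]')
```

Running it on the sample prints the first link as both "target is not https" and a mismatch between the domain shown and the domain targeted, which is exactly the kind of link the advice above says to copy into a new browser window rather than click. The check is deliberately simple: a link with neutral text ("Click here") gets no mismatch finding, and, as item 5 above notes, an "https://" target is not itself proof that a site is legitimate.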

The "Dos, Don'ts and Nevers" of Phishing

  • DO delete suspicious messages immediately.
  • DON'T click on any links in the message. Instead, DO copy and paste the URL into a new browser window.
  • NEVER respond to an unsolicited email, or supply personal information as requested by an email, even if the message looks real.
  • NEVER supply your passwords or other sensitive information via an email message. No legitimate organization will request your password or other types of sensitive information via an email message.

The UA will NEVER ask you to reveal personal information, and users are encouraged to NEVER trust a link in an email. The U of A will notify you via email for UAccess communications or when it is time to change your NetID password, as well as for other official university notifications, but will not ask you for any information. These official UA emails will provide the appropriate link to the website, with instructions to copy and paste the URL into your browser.

For more information and detailed examples, see our resources below.


What to do if you're compromised

If you believe you might have inadvertently revealed sensitive university information, such as your NetID password, you should change your password immediately. If you have additional questions, comments, or concerns, contact the University Information Security Office at CIO-ISO@email.arizona.edu or 621-UISO (8476).

If you provided personal financial account information that could be used for identity theft or fraud in response to a fraudulent e-mail claiming to be sent by an outside agency (PayPal, Wells Fargo, or Arizona State Credit Union, for example), you should immediately contact the company being spoofed.


Resources
