The most common technique that hackers and identity thieves use to compromise accounts and install malware is phishing. Why is this? Quite simply, it is effective.
Phishing is an email fraud method used by hackers and thieves. The email usually appears to come from a legitimate sender in order to lure unsuspecting recipients into giving their personal, financial, or other sensitive information. The scammers use that information to commit identity theft, gain access to your accounts, and hack your computer.
Phishers are becoming much more sophisticated and convincing, making it even more important for users to become savvier and not get hooked.
Spear Phishing: UA faculty, staff, and students receive multiple spear phishing attempts each week. Spear phishing targets a particular group (e.g., members of the UA community) in order to trick recipients into providing information or clicking on attachments or links in the email in order to gain access to a system or data. Examples of several types of spear phishing attempts that the UA sees on a very regular basis can be found here.
As phishing schemes become more sophisticated, with phishers being able to convince up to 5% of recipients to respond, it becomes increasingly important to be vigilant in identifying and protecting yourself from these scams.
Phishing = Social Engineering
- Typically uses urgent or exciting language to get you to act quickly without thinking
- Asks for passwords, bank account information, usernames, credit card numbers, social security numbers, etc.
- Displays fake URLs that actually direct you to dangerous sites
- Contains attachments that you are directed to open for an urgent reason, or because you will gain something important from doing so.
Don't Trust — Verify
- Never respond to any suspicious email by clicking on links or filling out forms with personal or financial information.
- Don't believe everything you read. If you are unsure as to whether a website is legitimate, confirm it by contacting the company or organization.
- Double check the URLs of websites you visit. Rather than using contact information provided in any email, take a moment and look it up on the company's website.
- Be patient. Too many users become victims of Internet crime because they do not stop to think; instead they act on impulse, clicking a "sexy" link or an interesting-looking attachment without considering the possible consequences.
- Never provide personal information or information about your company/organization via email, text, or over the phone.
- Don't open unexpected attachments. Contact the email source to verify the contents. Again, use a trusted source to find contact information for the sender.
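The "fake URL" trick described above (link text showing one address while the underlying link goes somewhere else) is easy to check mechanically. The following is an added example, not code from the UA page or from UA Information Security: it parses the anchors in a constructed HTML email body, compares the domain shown in the link text with the domain the href really points to, and reports any mismatch. The sample message, its hostnames (example.edu, example.net, example.org) and the two-label "registered domain" simplification are all assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML email body (not a real message). The first
# link displays a university-looking address but actually points elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Your NetID will be suspended in 24 hours. Verify now:</p>
<a href="http://login-verify.example.net/ua">https://netid.example.edu/</a>
<p>Questions? See <a href="https://security.example.edu/">security.example.edu</a>.</p>
<a href="https://docs.example.org/guide">Read the guide</a>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible link text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current_href = None
        self._text_parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current_href = dict(attrs).get("href", "")
            self._text_parts = []

    def handle_data(self, data):
        if self._current_href is not None:
            self._text_parts.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href is not None:
            self.links.append((self._current_href, "".join(self._text_parts).strip()))
            self._current_href = None


def registered_domain(host):
    """Simplified 'registered domain': the last two labels of a hostname.
    (Assumption for this example; real code would consult the Public Suffix
    List so that names like example.co.uk are handled correctly.)"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Return the hostname if the link text looks like a URL or bare domain,
    otherwise None (plain words such as 'Read the guide' claim no destination)."""
    if not text or any(c.isspace() for c in text):
        return None
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def find_deceptive_links(html):
    """Return one finding per link whose displayed domain differs from the
    domain of the real destination."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual_host = urlparse(href).hostname or ""
        shown_host = host_of(text)
        if shown_host is None:
            continue
        shown, actual = registered_domain(shown_host), registered_domain(actual_host)
        if shown != actual:
            findings.append({"text": text, "href": href, "shown": shown, "actual": actual})
    return findings


if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"Suspicious link: text shows {f['shown']} but goes to {f['actual']} ({f['href']})")
```

Running it flags only the first link, where the text displays example.edu while the href goes to example.net; the second link is consistent, and the third makes no claim about its destination so it is not judged. This is the same check a reader does by hovering over a link before clicking, and it is why the advice above says to look up addresses yourself rather than trust what an email displays.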
If You Are Compromised
If you believe you might have inadvertently revealed sensitive university information such as your NetID password, you should change your password immediately. If you have additional questions, comments or concerns, contact UA Information Security at firstname.lastname@example.org or 621-UISO (8476).
If you provided personal information that could be used for identity theft or fraud in response to a fraudulent email, you should immediately contact the company being spoofed.
- All About Phishing: Don't Bite (awareness brochure)
- UA Phishing Alerts
- UA Phishing Alert RSS Feed (go here to subscribe)
- Forwarding Phishing Email as an Attachment Guide
- Full Email Headers Guide
- Phishing Quizzes
- US-Cert Avoiding Social Engineering & Phishing Attacks
- Phishing Quick Facts
- Sophos: Simple Steps to Avoid Being Phished
- TechRepublic: 10 Tips for Spotting a Phishing Email
- Anatomy of an i-Tunes Phish