Phishing: Staying off the Hook

Phishing is the #1 most common form of social engineering—a fancy term for when a hacker makes up a really convincing story to trick you into doing something for them or granting them access to private information. In fact, over 3.1 billion spoofed emails are sent every day. Phishing is commonly enacted via email, but you can also be phished by text or phone call (smishing and vishing, respectively).

Whether you realized it in the moment or not, you’ve definitely encountered phishy emails before. These emails often try to bait you into clicking a link or opening an attachment that infects your device with malware. Sometimes phishers are incredibly forward and just straight-up ask you for your credentials or personal information (the audacity!). We’ll take a look at other types of phishing shortly. For now, let’s focus on email scams—after all, email is the most common way that cyber criminals enact phishing attacks.

EXAMPLE: A “vendor” emails you an invoice for a purchase, but hold on...something smells phishy. The email address isn’t really your vendor’s - it just looks very similar (amy@companyname vs amyb@c0mpanyname). In fact, it’s so similar that you didn’t realize it was a spoofed email address until, upon downloading the attached PDF, you’ve accidentally installed malware on your device—or until the real vendor emails you their invoice and you realize you paid a phisher!

How Can You Stay Vigilant?

Cybercriminals are crafty with a lot of practice playing dirty. But you hold the power to protect yourself and the University. There are a few things you can do to avoid phishing scams:

● Trust, but verify. Before responding to an email asking you to download something or share information, double check the sender’s identity. If your “boss” emails you asking you to transfer money, call them and confirm. Just be sure to use a number you already have saved, not one included in the possibly-phishy email.

● Be wary of links and attachments. While not all hyperlinks or attachments are malicious, this is the most popular way phishers get you. Before clicking a link, hover over it and make sure that the destination URL seems legitimate; if the link has been shortened (such as bit.ly or goo.gle links), proceed with caution, as you have no way of knowing where it’s going to take you. Similarly, never download an attachment from a source you don’t know. If you are opening an attachment, hover over the file and see what the extension is. If it’s an .exe extension or an extension type that you don’t recognize such as .lnk, etc.—don’t open it! If your email provider allows, scan any attachments for viruses. Finally, if you’ve downloaded any kind of Microsoft Office file and the program is asking if you would like to “enable macros” or “enable content”—don’t! Enabling macros can cause your computer to become compromised.

● If an email is suspicious, report it! Whether your organization provides a “report phish” button in their email client or you need to contact them directly, alert the IT or Security team by following your organization’s policies and procedures for reporting. It’s best not to forward a phishy email to IT (or anyone else) because it could put them at risk. The last thing you want is an unsuspecting coworker opening the very link or attachment you’re suspicious of. Instead, call or message them to explain what’s happening and give them a heads up. It may also be a good idea to attach a screenshot of the email you’re reporting.
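The three checks above (a sender domain that only resembles your vendor’s, as in amy@companyname vs amyb@c0mpanyname; a risky or double attachment extension; a shortened link) can be turned into a small triage script. This is an added example written for this page, not code from the original article; the confusable-character table, extension lists and shortener list are constructed assumptions, not a complete catalog.

```python
from urllib.parse import urlparse

# Digit-for-letter swaps phishers use in look-alike domains (constructed table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Extensions the article warns about plus common script droppers; macro-enabled
# Office formats get their own verdict because "enable content" is the trap.
RISKY_EXT = {".exe", ".lnk", ".scr", ".js", ".vbs", ".hta", ".bat"}
MACRO_EXT = {".docm", ".xlsm", ".pptm"}
SHORTENERS = {"bit.ly", "goo.gl", "goo.gle", "tinyurl.com", "t.co"}

def normalize_domain(domain: str) -> str:
    """Undo digit-for-letter swaps and the rn -> m / vv -> w tricks."""
    d = domain.lower().strip().replace("rn", "m").replace("vv", "w")
    return d.translate(CONFUSABLES)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one typo away from a trusted domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_verdict(address: str, trusted_domains: set) -> str:
    """'trusted' on exact match, 'lookalike' if it merely resembles one, else 'unknown'."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted_domains:
        return "trusted"
    norm = normalize_domain(domain)
    if any(edit_distance(norm, normalize_domain(t)) <= 1 for t in trusted_domains):
        return "lookalike"
    return "unknown"

def attachment_verdict(filename: str) -> str:
    """Judge by the LAST extension, so 'invoice.pdf.exe' is still an executable."""
    ext = "." + filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in RISKY_EXT:
        return "block"
    if ext in MACRO_EXT:
        return "macros-do-not-enable"
    return "scan-first"

def link_verdict(url: str) -> str:
    """Shortened links hide their destination; everything else still gets hovered over."""
    host = (urlparse(url).hostname or "").lower()
    return "shortened" if host in SHORTENERS else "inspect-destination"
```

A "lookalike" verdict is the cue to pick up the phone and confirm with the vendor using a number you already have, exactly as the first tip says.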

Bonus Tip! When working remotely, stay off of public Wi-Fi

Be wary of public networks without password protection. Unfortunately, it’s super easy for a savvy hacker to “spoof” Wi-Fi network names. That open network may say “Starbucks,” but is it really? A hacker can name a Wi-Fi network anything they want!

If you do connect to public networks, make a point not to login to any work accounts. If you’re logging into work accounts on a hacker’s lookalike network, you could be granting them access to your every move.

Even on a legitimate network, a cybercriminal can use a public Wi-Fi connection against you. Be wary of notifications for seemingly familiar software updates (like Spotify or your antivirus) that appear while you’re connected to a public network. These could be fake messages injected by a hacker to get you to download malware.

How can you avoid these Wi-Fi cyber attacks? Always use your own personal hotspot or use a VPN when you can’t use a trusted Wi-Fi source.

Knowledge is Power!

By learning more about phishing attacks, you’re equipping yourself with the knowledge you need to spot the bad guys. Even something that seems small—like reporting a phishing email to IT—can go a long way towards keeping your company safe. Knowing what to look out for is a major WIN worth celebrating, so go get that second cup of coffee. You deserve it.