Earlier this month, on Feb. 6, the University’s Information Security Officer, Ian Barwise, sent out an email to the student population detailing the dangers of “phishing.”
Phishing is a type of cyber-crime in which the victim is sent a seemingly innocuous but fraudulent email from someone they think they know (bank, co-worker) and is lured into providing sensitive information such as personal login information.
“There’s so many different things that attackers can do through phishing emails,” Barwise said. “They can have you click on a link and take you to a site that looks like your bank and then you start inputting your banking login credentials. Then, 15 minutes later, your bank accounts are wiped out.”
After two months on the job, Barwise said the volume of phishing emails was immediately evident to him and that something needed to be done.
“I actually started working here in December 2018, and I noticed almost immediately that there was a pretty high volume of phishing emails going around,” Barwise said. “That led me to start an awareness campaign for cyber security to try to increase security awareness so that everybody’s on the lookout.”
There are many different types of phishing: “vishing,” where the hacker attempts to scam you through voice-mail; “spear-phishing,” a more targeted form of phishing that often targets employees at a larger financial entity; and “whaling,” where the hacker specifically targets a person in power like a university president or business executive, which can lead to a business-wide email compromise.
“Anything that’s digital, that’s connected to the internet somehow, is at risk of some kind of cyber crime or exploit,” Barwise said.
As with any fraudulent exploit, there are telltale signs that the victim can use to protect themselves, and phishing is no exception.
Typically, phishing emails are sent with a tone of urgency. The recipient is told to quickly “update their personal information” or accept a limited-time super-deal. Trustworthy organizations seldom pressure their users in such a manner.
The victim should also take a close look at the actual email address. If the address is strange, it should immediately be cause for concern, though sometimes the email may say the sender is someone they know.
Many phishing emails are also sent from outside of the country, so numerous typos and grammar errors should also raise a red flag.
“The first signs you should look for are different email addresses that you wouldn’t normally see from that person – you recognize the name but you don’t actually recognize the email address,” Barwise said. “The other thing is the contents of the email – are there a lot of spelling and grammar mistakes? Because a lot of these ‘cyber-crimes’ come from countries outside of the United States, so their command of the English language is not necessarily the greatest.
“But also, what does the message tell you?” Barwise said. “Is it asking you to do something that’s unusual, and would it be best to probably pick up the phone and verify with ‘that person’ that this is in fact what you want me to do?”
If you are sent an email that you believe to be phishing or fraudulent, forward the email to email@example.com, where the contents will be analyzed by the University’s technicians. If they confirm the email is fraudulent, they will block it, preventing it from breaking through our network’s firewall.
“Blocking it is only a temporary stoppage because an attacker is going to have multiple email addresses that they’re going to use for phishing campaigns. They’re targeting probably multiple universities or organizations and they’re using these different gmail, hotmail, or yahoo.com emails. If they’re really crafty, then they may use technology to make it look as though the email came from the entity they’re targeting,”
While no students at the University have been affected yet, several faculty members have been targeted.
The best way to protect yourself is to be on the lookout for anything fraudulent.
“Be safe online when it comes to emails and try to protect your personal data and information – the laws can only protect you so much,” Barwise said.
Joey Matsuzawa can be reached at firstname.lastname@example.org.