In March, the University of Portland Information Services team launched its campus wide anti-phishing campaign to help raise awareness about the dangers of email phishing. The university has had a record number of phishing attempts over this past year. According to the U.S. Department of Homeland Security, this is the number one threat we face because it is such an effective way to steal credentials and spread malware. As part of the awareness campaign ,we kicked off our monthly ‘Phishing Derby’ and are excited to report that we had many staff, faculty and students who reported suspect emails. We have drawn the name of one lucky participant who will receive an Amazon gift card for $50.00. The monthly phishing derby continues in April. See below for more details.
UP staff, faculty and students have received malicious emails with links to fake login sites. Unfortunately, multiple UP community members have taken the bait. In some cases users have provided their login credentials that are then used to access their email and self-serve banner accounts. Often times phishing emails come with attachments that when downloaded infect devices with viruses or dangerous malware such as cryptolocker or ransomware.
The best defense against email phishing is education and awareness. We are using every avenue we can to get the word out. You will notice posters, online announcements, postcards and digital slides being distributed this month to help our campus members keep the dangers of phishing top of mind. Here’s what it takes to refuse the phishing bait:
- Learn How to Recognize Phishing Emails:
- Know the signs. Does the e-mail contain a vague salutation, spelling or grammatical errors, an urgent request, and/or an offer that seems impossibly good?
- Verify the sender. Check the sender’s e-mail address to make sure it’s legitimate. If it appears that your institution’s help desk is asking you to click on a link to increase your mailbox quota, but the sender is “UniversityHelpDesk@yahoo.com,” it’s a phishing message.
- Don’t be duped by aesthetics. Phishing e-mails often contain convincing logos, links to actual company websites, legitimate phone numbers, and e-mail signatures of actual employees. However, if the message is urging you to take action — especially action such as sending sensitive information, clicking on a link, or downloading an attachment — exercise caution and look for other telltale signs of phishing attacks. Don’t hesitate to contact the company directly; they can verify legitimacy and may not even be aware that their name is being used for fraud.
- Never, ever share your password. Did we say never? Yup, we mean never. Your password is the key to your identity, your data, and your classmates’ and colleagues’ data. It is for your eyes only. Your institution’s help desk or IT department will never ask you for your password.
- When in Doubt, Report and then Throw it Out:
- When you’re not sure, call to verify. Let’s say you receive an e-mail claiming to be from someone you know — a friend, colleague, or even the president of your college or university. Cybercriminals often spoof addresses to convince you, then request that you perform an action such as transfer funds or provide sensitive information. If something seems off about the e-mail, call them at a known number listed in your institution’s directory to confirm the request.
- Avoid opening links and attachments from unknown senders. Get into the habit of typing known URLs into your browser. Don’t open attachments unless you’re expecting a file from someone. Give them a call if you’re suspicious.
- Report ALL suspect emails to your IT department. Get in the habit of reporting suspect emails to information services. This enables us to remove similar emails from campus inboxes and quickly alert other campus users. To report suspect emails, forward the email to firstname.lastname@example.org,
- DELETE the email from your inbox. After forwarding the suspect email to email@example.com, delete the message from your inbox.
- Phishing isn’t relegated to just e-mail! Cybercriminals will also launch phishing attacks through phone calls, text messages, or other online messaging applications. Don’t know the sender or caller? Seem too good to be true? It’s probably a phishing attack.
We invite all campus members to enter the MONTHLY PHISHING DERBY for a chance to win an amazon gift card!
To participate is easy, simply look for and report suspect emails to firstname.lastname@example.org. At the end of every month any member of our community that has reported a suspect email will be entered into a drawing to win an amazon gift card. Winners will be announced in our cybersecurity blog. We encourage everyone to help us combat phishing at UP!
To learn more about the dangers of phishing and how to combat it please see these additional resources:
If you think you may be the victim of a phishing attempt. Call the Help Desk (x7000) immediately and change your password. Our staff can help look at your account activity and scan your device for malware.