This month, University Technology’s ([U]Tech) Information Security Officeis marking National Cybersecurity Awareness Month by sharing information on different facets of cybersecurity.
Phishing (pronounced "fishing") is a technique cybercriminals use in order to “fish” for personal or proprietary information they can then use to steal money or even your identity, or to gain unauthorized access to information such as Case Western Reserve University’s technology infrastructure and data. Phishing has been a mainstay in the cybersecurity threat landscape for decades, yet it is still one of the most frequently seen and highly effective methods criminals use.
In 2020, 43% of cyberattacks featured phishing or pre-texting, while 74% of organizations in the United States experienced a successful phishing attack last year alone. Arming users with knowledge of how to recognize phishing, and what to do about it, is essential for our university’s cyber security.
Phishing works by employing "social engineering" techniques to manipulate the recipient’s emotions, such as trust, desire to be helpful, or fear, with the goal of causing the recipient to take some action on the cybercriminal’s behalf. That could look like:
- An urgent request from your supervisor to buy $200 worth of gift cards
- An offer for a game you can only download by clicking on the link in the email
- A threat that an account will be deactivated, unless you click a link and enter your login credentials
These are all examples of phishing messages we have seen "in the wild" in the Case Western Reserve environment.
Know the Red Flags
Phishers are masters of making their content and interactions appealing. From content design to language, it can be difficult to discern whether content is genuine or a potential threat, which is why it is so important to know the red flags.
Awkward and unusual formatting, a hyperlink that takes you to a page other than the one you intended to visit, an attachment you were not expecting from a sender you don’t usually receive email from, and subject lines that create a sense of urgency, are all hallmarks that the content you received could potentially be a phishing email. If you have suspicions about the authenticity of an email, forward the email to the Help Desk at email@example.com for additional verification, or mark it as phishing if you’re confident that it is malicious.
Verify the Source
Phishing takes a number of forms. However, many phishes will try to impersonate someone you may already know—such as a colleague, service provider or friend—as a way to trick you into believing their malicious content is actually trustworthy. Don’t fall for it. If you sense any red flags that something may be out of place or unusual, reach out directly to the individual in a separate email or message to confirm whether the content is authentic and safe. If not, break-off communication immediately. Hover before you click a link to see where it goes before visiting the page. Flag the email as phishing or report it to the helpdesk at firstname.lastname@example.org.
Be Aware of Vishing and Other Phishing Offshoots
As more digital natives have come online and greater awareness has been spread about phishing, bad actors are diversifying their phishing efforts beyond traditional email. For example, voice phishing—or vishing—has become a primary alternative for bad actors looking to gain sensitive information from unsuspecting individuals. Similar to conventional phishing, vishing is typically executed by individuals posing as a legitimate organization—such as a health care provider or insurer—and asking for sensitive information.
Phishing messages have also cropped up in text messages (known as smishing or SMS phishing), where a bad actor will pose as a legitimate organization or friend sending you a link to a "company page," "cash prize page," or other website to entice you to click the link on your phone. Once at the malicious website, you may be asked to provide your sensitive information, or the website may automatically load malware onto your phone.
In short, it is imperative that individuals be wary of any sort of communication that asks for personal information whether it be via email, phone, text or chat—especially if the communication is unexpected. If anything seems suspicious, again, break off the interaction immediately and contact the company directly to check the legitimacy of the messages.
What to do if you receive a phishing email
Phishing may be "one of the oldest tricks in the book," but it is still, unfortunately, effective. And although it may be hard to spot when you may be targeted by a phishing attempt, by exercising caution and deploying these few fundamentals, individuals and organizations more broadly can drastically mitigate the chances of falling victim to a phishing attack.
To report phishing or suspected phishing emails, forward the email to the helpdesk at email@example.com. You can also report the email as Phishing using Gmail and help train Gmail’s phishing filter (or use your web client’s built-in report phishing option). If a phishing email is already in your Spam folder, let it be or delete it—Gmail already knows that it’s phishing.
If you would like to learn more about phishing attacks and how to recognize them, visit the CISA security tips page. If you are in a Group email at Case Western Reserve, pass around information on how the group manager can reduce phishing emails using Message Moderation (it also reduces spam messages).
Visit the [U]Tech’s Information Security Office website for security tips and news.