
Don’t be the Phish on the Spear

Learn how to prevent a cyber attack.

As every UC San Diego student, staff and faculty member knows, emails come in by the tens or even hundreds on any given day. Some of those emails may appear to come from familiar sources such as a bank, social media, friends or even colleagues, but they may look odd or suspicious. These emails can range from a UC San Diego message indicating that mail support for Internet Explorer 8 will be discontinued to a “delivery failure notification” email from the U.S. Postal Service. In reality, however, they are phishing scams.

The scammer’s goal is to use our dependence on mobile phones, tablets and computers to obtain personal information that can be sold, used to access bank, credit card or medical accounts, or for identity theft purposes.

IT Services recently posted an easy-to-follow guide, “How To Identify Phishing Scams.” A phish is an email scam designed to acquire sensitive information from people, and these emails are most successful when they appear to come from a reputable source. Though phishing scammers are becoming more sophisticated, here are some tips to avoid falling prey to a cyber-attack.

Phishing Scams

  • Spear phishing is directed at specific individuals or companies, usually via email or direct messaging. What makes these types of scams difficult to detect is they appear to be from a legitimate source and attempt to secure an individual’s personal information using a fake website or infect their device with malware.
  • Clone phishing involves copying a previously delivered email that included a link or attachment. The scammers use that email's content and recipient address to create an identical email. They replace the attachment or link with a malicious version and send it from an email address that makes it appear to come from the original sender.

Identifying Phishing Scams

  • Look for irregularities such as misspellings, unnecessary capitalization or improper grammar that point to an email being a phishing email.
  • Beware of fraudulent university emails that appear to come from UC San Diego, UC San Diego IT Services or some other UC San Diego department:
    • Your email account is over quota.
    • You must click a link to reactivate or update your account.
    • You must provide your user information to keep your account active.
  • Examples of scams from the Federal Trade Commission:
    • “We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.”
    • “During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information.”
    • “Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.”

Additional examples of potential phishing scams

  • Misspelling of the company name or substituting the number “1” for the letter “l” in a web address (paypa1.com instead of paypal.com).
  • Transactional sites using http instead of https when the actual URL uses https (the "s" stands for secure).
  • Pop-ups that ask you to enter your username and password may direct you to a legitimate website to gain account or personal information.

Report Phishing Emails

IT Services Security team supports the secure use, processing, storage and transmission of digital information and media among the UC San Diego community, including faculty, staff, students and affiliates.

If you believe you are the recipient of a phishing email, you can forward it to abuse@ucsd.edu. By forwarding it to the IT Services Security team, you help reduce the potential risk to others.

For additional information on how best to keep your data secure, visit the UC San Diego IT Security page periodically for updates.

Protect Yourself from Phishing Threats

Here are some easy steps you can take to protect yourself, your personal information and your accounts from a phishing attack:

  • Don't email personal or financial information.
  • If you do need to provide personal information:
    • Type in the web address yourself.
    • Look for signals that the site is secure, like a URL that begins with https.
  • Set up your email with a preview pane to view the message and the sender address. If the message doesn’t make sense, contact the sender via a separate email to confirm they sent it to you.
  • Be cautious about opening attachments and downloading files from emails, even from a trusted source. These files can contain viruses or other malware that can weaken your computer's security.
  • Install and regularly update anti-virus software, firewalls, email filters and antispyware.
  • Avoid clicking on hyperlinks in emails and type the URL directly into the address bar instead. You can check the authenticity by hovering the cursor over the hyperlinked word or URL to reveal the full address.
  • Use the campus spam preferences tool which enables the quarantine that catches phish along with spam so it isn’t delivered to mailboxes. Visit spam.ucsd.edu.
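
The look-alike address check (paypa1.com for paypal.com), the http-versus-https check and the "hover to reveal the full address" check described in the lists above can be automated. This is an added example, not code from UC San Diego or IT Services; the trusted-domain list, the digit substitution table and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the reader actually does business with (illustrative list).
TRUSTED = {"paypal.com", "ucsd.edu"}
# Digits commonly swapped in for look-alike letters, e.g. "1" for "l".
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
# Constructed sample message body (not a real email).
SAMPLE = ('<p>Please <a href="http://paypa1.com/login">https://www.paypal.com/signin</a> '
          'or see <a href="https://www.ucsd.edu/help">campus guidance</a>.</p>')

class LinkCollector(HTMLParser):  # gathers (href, visible text) for every <a> tag
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    # Simplification: last two labels; a real tool would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_of(url):
    return urlsplit(url if "//" in url else "//" + url).hostname or ""

def check_link(href, text):
    """Return the list of warning signs for one link."""
    flags = []
    domain = registered_domain(host_of(href))
    if urlsplit(href).scheme == "http":
        flags.append("http-not-https")
    if domain not in TRUSTED and domain.translate(HOMOGLYPHS) in TRUSTED:
        flags.append("lookalike-domain")
    # Visible text that looks like a web address but names a different site.
    shown = host_of(text) if "." in text and " " not in text else ""
    if shown and registered_domain(shown) != domain:
        flags.append("text-href-mismatch")
    return flags

def scan(html):
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}
```

An empty list for a link means none of these three signs were found, not that the link is safe.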

Category: News