UC San Diego

Cybersecurity Awareness

Find information on featured cybersecurity awareness topics.

Phishing for Trouble

It should come as no surprise that the more we interact in a digital space, the more we increase our chances of being targeted by scammers. This has been especially true for the university. The education sector has seen a rise in social engineering–based attacks over the years. Students, staff, and faculty have all suffered losses when personal data and/or research were disclosed to unauthorized parties. In more than 40% of these breaches, phishing played a part. 

What is phishing? 

For those less familiar, a social engineering attack through email is referred to as phishing. This involves the use of deception online to manipulate people into divulging personal information for fraudulent purposes.* 

What does phishing look like?

Scammers simply pose as members of a legitimate organization and ask for the very information you should never divulge under any circumstances. These emails, however, appear quite innocuous to recipients, using mimicry to lull them into a false sense of security. For the criminal, it’s just a waiting game.

What can I do? 

Being aware is the first step. Knowing what you're up against can not only improve your chances of avoiding a potential phishing scam, but stop it before it gets to someone else. That’s why you need to be ever vigilant about the information you divulge online, and alert servicedesk@ucsd.edu if you believe you received a phishing email. It is always best to report phishing scams as soon as you suspect them. Remember, you could be saving someone else from being targeted.

Here's how to protect yourself from phishing attacks:

  • Limit what you share online. The less you share about yourself, the smaller the target you are for a phishing attack. Cybercriminals use information you post online to learn how to gain your trust.
  • Protect your credentials. No legitimate company or organization will ask for your username and password or other personal information via email. As a policy, the university will not.
  • Beware of attachments. Email attachments are the most common vector for malicious software. When you get a message with an attachment, delete it unless you are expecting it and are absolutely certain it is legitimate. If you’re not sure, call the sender at a number you know is legitimate to check.
  • Confirm identities. Phishing messages can look official. Cybercriminals steal organization and company identities, including logos and URLs that are close to the links they're trying to imitate. There's nothing to stop them from impersonating the university, financial institutions, retailers, a wide range of other service providers, or even someone you know.
  • Trust your instincts. If you get a suspicious message that claims to be from an agency or service provider, use your browser to manually locate the organization online and contact them via the website, email, or telephone number that you looked up, not what was provided in the message.
  • Check the sender and the sender's email address. Any correspondence from an organization should come from an organizational email address. A notice from your college or university is unlikely to come from IThelpdesk@yahoo.com.
  • Take your time. If a message states that you must act immediately or lose access, do not comply. Phishing attempts frequently threaten a loss of service unless you do something. Cybercriminals want you to react without thinking; an urgent call to action makes you more likely to cooperate.
  • Don't click links in suspicious messages. If you don't trust the email (or text message or post), don't trust the links in it either. Beware of links that are hidden by URL shorteners or text like "Click Here." They may link to a phishing site or a form designed to steal your username and password. Hover your mouse over the link (without clicking it) so you can see the actual destination website address.
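
The sender and link checks in the list above can also be run over a saved message. The following is an added example, not part of the original article or any university tooling; ORG_DOMAIN, the shortener list, the function names, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "ucsd.edu"                 # assumption: domain the sender claims to be from
SHORTENERS = {"bit.ly", "tinyurl.com"}  # illustrative, not exhaustive
SAMPLE = """\
From: IT Help Desk <IThelpdesk@yahoo.com>
Content-Type: text/html

<a href="http://login.example.net/reset">https://blink.ucsd.edu</a>
<a href="https://bit.ly/constructed-sample">Click Here</a>
"""  # constructed message, not a real phishing email

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def in_domain(host, domain):  # host is the domain itself or one of its subdomains
    return host.lower() == domain or host.lower().endswith("." + domain)

def review(raw):  # findings for one raw message with an HTML body
    msg, findings, links = message_from_string(raw), [], LinkCollector()
    addr = parseaddr(msg.get("From", ""))[1]
    # Check the sender: organizational mail should come from the organization's domain.
    if not in_domain(addr.rpartition("@")[2], ORG_DOMAIN):
        findings.append(f"sender outside {ORG_DOMAIN}: {addr}")
    links.feed(msg.get_payload())
    for href, text in links.links:
        host = urlparse(href).hostname or ""
        shown = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", text.lower())
        if host in SHORTENERS:
            findings.append(f"shortener hides destination: {href}")
        # The "hover" check: reveal the real host when the text names a
        # different site or names no site at all (e.g. "Click Here").
        elif not shown or not in_domain(host, shown.group(0)):
            findings.append(f"text '{text}' but link goes to {host}")
    return findings
```

Calling review(SAMPLE) returns three findings: the off-domain sender, the link whose visible text names blink.ucsd.edu while pointing elsewhere, and the shortened link.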

Want to know more? Visit our "how to identify phishing scams" user guide, and for other effective cybersecurity habits, check out our "8 Habits."

 

*According to Verizon's 2017 Data Breach Investigations Report
This article has been adapted from an Educause Review blog, “Don't Let a Phishing Scam Reel You In.”
© EDUCAUSE, licensed under the Creative Commons BY-NC-SA 4.0 International license

Note: this page has a friendly link that is easy to remember: http://blink.ucsd.edu/go/cybersecurity