What is phishing?

• Overview
• Identifying Phish
  • Check links before clicking
  • Verify the sender
  • Don't open unexpected attachments
  • Beware urgent requests
• How do I report a message for analysis?
• Vishing and Smshing
• Phishing Exercises
• FAQ
  • Will OIT ever ask for my password?
  • How do I know a message from OIT is legitimate?
  • What if I have already responded to a phishing attempt?
  • My account or password is compromised. What should I do?

Overview

Phishing messages are malicious emails designed to trick you into giving out personal information or running a malicious program. Cyber criminals employ a variety of tactics, so diligence is needed when processing email. Often a phishing message is an urgent call to action, inciting panic by claiming account issues, deadlines, or compromised security. Be wary of messages that seem too good to be true. You won the lottery! Or did you?

Cyber criminals also try to get you to click on malicious links under the guise of account verification or password expiration. Often these messages are marked “Urgent” and contain links to sites that are false, and designed to steal your information or hack your computer. They may even include official UI logos to make the message more realistic.

Request security assistance

Identifying Phish

Check links before clicking

Before clicking a link, hover your mouse over it to reveal its destination. On your mobile device, press and hold on the link to reveal its URL. Is the address different than what you expected? Is it garbled or incoherent? Does it claim to be from the university, but is something other than www.uidaho.edu? It might be a fake.

Email links protected by the UI's advanced email filters may to point to urldefense.com. These links are not neccesarily safe; the urldefense.com domain allows OIT to better respond to and block malicious links after delivery. If you hover over a link and it shows "urldefense.com", check the entire link text - the original site is visible later in the text. For more information, see What is URL defense?

Verify the sender

Do you know the sender of the message? Messages from unknown senders may be phish and warrant extra scrutiny. It's important to note your contacts could have been compromised and their accounts used to send malicious emails, so messages from known senders should still be handled with discretion.

Don't open unexpected attachments

Does the message contain attachments? Be wary of attachments in email, especially Word documents and Excel spreadsheets as these can be infected with malware. If you are unsure about an attachment, report the email message to OIT for attachment analysis. See How do I report a phishing message? for more information.

Beware urgent requests

What action is the message asking you to take? Scammers often create a false sense of urgency to catch recipients off guard. If you receive an email informing you your email account is about to be closed, or a colleague sends a short email asking if you are available without further context, watch out! It may be a phishing attempt. If the email is from a colleague asking for urgent assistance, check the sender's email address - the message might not be from your colleague but a scammer impersonating their identity.

When in doubt, report the message to OIT for analysis.

How do I report a message for analysis?

Unsure about a website or email? Report it to OIT for analysis using the Report Phish button or by sending as an attachment to abuse@uidaho.edu. See How do I report a phishing message? for more instructions.

Vishing and Smshing

Vishing refers to telephone scams. Scammers may call pretending to be a government agency asking for your Social Security Number, or an autodealer informing you your car warranty has expired and asking for a credit card to renew. Caller ID is often spoofed - a call showing an Idaho number may actually be out of the country. Exercise caution when answering unsolicited phone calls.

Smshing refers to malicious SMS or text messages. Similar to phish, such messages may ask you to tap a link and visit a webpage. Check the message sender and scrutinize any links. If you do not know the source number, it may be a scam.

Phishing Exercises

OIT sends out fake phishing messages to employees on a routine basis. These messages look and function like real phish so you can practice spotting and reporting these scams. If caught by a fake phish, training materials will be available to help you identify future phishing messages. Results of these campaigns will be shared only in aggregate. Outside of specific compliance areas, no users will be identified.

FAQ

Will OIT ever ask for my password?

No! OIT will never ask you for your password. Only use your UI password for UI sites.

How do I know a message from OIT is legitimate?

OIT will never ask you to put sensitive information into an email, as it is an insecure communication method. If in doubt, contact your TSP or Local Support (staff or faculty) or the Student Technology Center (students).

What if I have already responded to a phishing attempt?

If you clicked on a link in a phishing message or responded to the email with personal information (such as your password or photos of a gift card), change your password immediately and notify the Information Security Office at security@uidaho.edu.  OIT will work with you to remediate your account and determine if unauthorized access occurred.

My account or password is compromised. What should I do?

If you suspect your account or credentials have been compromised, change your password immediately by logging in to https://help.uidaho.edu/. You can also contact your TSP/Local Support (staff or faculty) or the Student Technology Center (student) to change your password over the phone or in person. Please notify security@uidaho.edu and your TSP, Local Support, or STC as soon as possible for further remediation.  OIT will work with you to remediate your account and determine if unauthorized access occurred.

Request security assistance