What is phishing?

What is Phishing?

Phishing is a cybercrime technique in which attackers send fraudulent messages designed to trick people into revealing sensitive information, installing malicious software, or taking some other harmful action, such as approving a payment. These messages masquerade as coming from a trusted source and rely on human psychology (trust, urgency, fear) at least as much as on technical weaknesses. Because phishing tactics change constantly, it is important to know the current trends and how to protect yourself.


Understand Phishing

Phishing attacks have evolved well beyond simple emails. Cybercriminals employ a variety of tactics, exploiting trust and urgency to deceive victims. Common phishing strategies include:

  • Urgent Calls to Action: Messages that incite panic by claiming account issues, deadlines, or compromised security.
  • Too Good to Be True Offers: Notifications about winning lotteries or receiving unexpected rewards.
  • Account Verification Requests: Emails asking you to verify your account details or change your password.

Attackers may use official logos and branding to make their messages appear legitimate. They might also impersonate colleagues or high-level executives to add credibility to their requests.


Recent Trends

Spear Phishing and Whaling

  • Spear Phishing: Targeted attacks aimed at specific individuals within an organization.
  • Whaling: Phishing attempts directed at senior executives and high-profile targets.

Business Email Compromise (BEC)

Attackers impersonate company executives or vendors to trick employees into making unauthorized transactions or revealing confidential information.

Phishing via Collaboration Tools

Phishing attempts are increasingly occurring through platforms like Slack, Microsoft Teams, or Zoom, exploiting the trust placed in these communication channels.

QR Code Phishing

Scammers use malicious QR codes that direct users to fraudulent websites when scanned.

Deepfake Technology

AI-generated voice or video is used to impersonate a trusted person, for example a cloned executive's voice in a vishing (voice phishing) call asking for an urgent payment.

Vishing (Voice Phishing)

  • Phone Scams: Scammers may call pretending to be from government agencies or businesses, requesting personal information.
  • Caller ID Spoofing: Caller IDs can be faked to appear local or familiar. If the caller claims to be someone you know, hang up and call that person back on a number you already have, not one the caller gives you.

Smishing (SMS Phishing)

  • Text Message Scams: Malicious SMS messages may contain links to fraudulent websites or prompt you to reveal personal information.
  • Reporting: Report smishing attempts to your mobile service provider by forwarding the message to 7726 (SPAM).

Identifying Phishing Attempts

Check Links Before Clicking

  • Hover Over Links: Before clicking, hover your mouse over the link to reveal its actual destination.
  • Inspect URLs: On mobile devices, press and hold the link to view the URL. Beware of mismatched, garbled, or incoherent addresses.
  • Look for Mismatches: If a link claims to be from the University of Idaho but doesn't lead to www.uidaho.edu, it may be fraudulent.

Note: Links in email protected by UI's email filters may point to urldefense.com. Rewriting links this way lets OIT block a malicious destination even after the message has been delivered. The original destination is embedded later in the rewritten link. For more information, see What is URL Defense?
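The checks above (hover, read the real hostname, compare it with www.uidaho.edu, look past a urldefense.com wrapper) can be written down exactly, which also shows the traps a quick glance misses: a look-alike such as uidaho.edu.evil.example, or a "user@" prefix that makes the browser connect to the host after the @. The following is an added example, not code from the OIT article; the sample links are constructed, and the URL Defense unwrapping assumes the v3 wrapper format, in which the original URL sits between "__" and "__;" (characters the rewriter escaped would appear as "*" and are left as-is here).

```python
"""Answer "does this link really go to uidaho.edu?" for a list of links.

Added example, not part of the OIT article. Assumption: URL Defense v3
links look like https://urldefense.com/v3/__<original url>__;<tail>$
"""
import re
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "uidaho.edu"

# Original URL is the text between the first "__" and the next "__;".
URLDEFENSE_V3 = re.compile(r"^https?://urldefense\.com/v3/__(.+?)__;", re.IGNORECASE)


def unwrap_urldefense(url: str) -> str:
    """Return the destination embedded in a URL Defense v3 link, or the
    input unchanged if it is not one."""
    m = URLDEFENSE_V3.match(url)
    return m.group(1) if m else url


def link_host(url: str) -> str:
    """Hostname the browser would actually connect to, lower-cased.

    urlsplit().hostname drops the port and any "user@" prefix, so
    https://www.uidaho.edu@evil.example/ resolves to evil.example.
    Links without a scheme ("www.uidaho.edu/x") yield "" here.
    """
    parts = urlsplit(unwrap_urldefense(url))
    return (parts.hostname or "").lower().rstrip(".")


def is_trusted_host(host: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only for the trusted domain itself or a real subdomain of it.

    uidaho.edu.evil.example and uidaho-edu.example both fail: the check
    is on the label boundary, not a substring match.
    """
    return host == trusted or host.endswith("." + trusted)


def classify(url: str) -> str:
    host = link_host(url)
    if not host:
        return "no-host"
    return "trusted" if is_trusted_host(host) else "untrusted"


# Constructed sample links, the kind seen in phishing mail (all hypothetical).
SAMPLE_LINKS = [
    "https://www.uidaho.edu/account",
    "https://uidaho.edu.evil.example/reset",
    "https://www.uidaho.edu@evil.example/login",
    "https://uidaho-edu.example/verify",
    "https://urldefense.com/v3/__https://www.uidaho.edu/reset__;!!Abc123$",
]


def check_all(links=SAMPLE_LINKS) -> dict:
    """Map each link to trusted / untrusted / no-host."""
    return {link: classify(link) for link in links}


if __name__ == "__main__":
    for link, verdict in check_all().items():
        print(f"{verdict:10}  host={link_host(link) or '-':30}  {link}")
```

Only the first and the unwrapped URL Defense link come back as trusted; the other three are exactly the shapes a hurried reader accepts because the string "uidaho.edu" is visible somewhere in them.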

Verify the Sender

  • Unknown Senders: Be cautious with messages from unknown sources.
  • Known Senders: Even if the sender is familiar, their account might be compromised. Always verify unexpected requests and contact the sender through a different channel to confirm.
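The display name is the easiest part of a message to fake, so "verify the sender" in practice means looking at the headers: the domain in the From address, whether Reply-To or Return-Path quietly points somewhere else, and what the receiving mail server recorded in Authentication-Results (SPF, DKIM, DMARC). Here is an added example of those checks, not code from the OIT article; the two raw messages are constructed, and the Authentication-Results line is written the way a receiving server adds it.

```python
"""Sender checks on a raw email message.

Added example, not part of the OIT article. SAMPLE_MESSAGE and
CLEAN_MESSAGE are constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "uidaho.edu"

# Constructed: display name says OIT, but replies and bounces go elsewhere
# and the receiving server could not authenticate the claimed domain.
SAMPLE_MESSAGE = """\
From: "OIT Help Desk" <oit-helpdesk@uidaho.edu>
Reply-To: helpdesk-support@mail-recovery.example
Return-Path: <bounce@mail-recovery.example>
Subject: URGENT: password expires today
Authentication-Results: mx.uidaho.edu; spf=fail smtp.mailfrom=mail-recovery.example; dkim=none; dmarc=fail header.from=uidaho.edu
Content-Type: text/plain

Your password expires in 2 hours. Reply with your username and password to keep access.
"""

# Constructed: a message that passes the same checks.
CLEAN_MESSAGE = """\
From: "OIT Help Desk" <oit-helpdesk@uidaho.edu>
Return-Path: <oit-helpdesk@uidaho.edu>
Subject: Scheduled maintenance this weekend
Authentication-Results: mx.uidaho.edu; spf=pass smtp.mailfrom=uidaho.edu; dkim=pass header.d=uidaho.edu; dmarc=pass header.from=uidaho.edu
Content-Type: text/plain

VandalMail will be unavailable Saturday 02:00-04:00.
"""


def addr_domain(value) -> str:
    """Domain part of an address header ('' if the header is absent)."""
    _, addr = parseaddr(str(value or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(header_value) -> dict:
    """Pull method=result pairs (spf, dkim, dmarc) out of an
    Authentication-Results header value."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header_value or ""), re.IGNORECASE)
    return {method.lower(): result.lower() for method, result in pairs}


def sender_findings(raw: str) -> list:
    """Return a list of human-readable red flags; empty means none found."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = addr_domain(msg["From"])
    reply_dom = addr_domain(msg["Reply-To"])
    return_dom = addr_domain(msg["Return-Path"])
    results = auth_results(msg["Authentication-Results"])

    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")
    # A message claiming to be from the organization should carry a DMARC pass;
    # the receiving server writes that verdict, the sender cannot forge it.
    if from_dom == ORG_DOMAIN and results.get("dmarc") != "pass":
        findings.append(f"From claims {ORG_DOMAIN} but DMARC result is {results.get('dmarc', 'missing')}")
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, sender_findings(raw) or ["no red flags"])
```

In most mail clients these headers are visible under "Show original" or "View message source". An empty result does not prove the message is safe (a compromised uidaho.edu account passes every check here), which is why the text above still says to confirm unexpected requests through a separate channel.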

Don't Open Unexpected Attachments

  • Risky File Types: Be wary of unexpected attachments, especially Word documents and Excel spreadsheets, whose macros can install malware when you click "Enable Content", and compressed archives that hide the real file type inside.
  • Verification: If unsure about an email or attachment, contact the sender through a different communication channel to confirm its legitimacy.

Beware of Urgent Requests

  • Pressure Tactics: Scammers often create a sense of urgency to catch you off guard.
  • Unusual Requests: Emails asking for immediate assistance, money transfers, or sensitive information should be scrutinized.

Examine Email Content

  • Spelling and Grammar: Poor spelling or grammar can be a red flag.
  • Generic Greetings: Be cautious if the email doesn't address you personally.
  • Unexpected Context: If the content seems out of character or unrelated to your work or interests, be suspicious.

Report Phishing Attempts

How to report a suspicious message 

If you're unsure about a website or email:

  1. Use the Report Phish Button: This feature is available in your email client and sends the message directly to OIT for analysis.
  2. Email as an Attachment: If the button is not available, forward the suspicious email as an attachment to abuse@uidaho.edu. Forwarding as an attachment preserves the original headers OIT needs for analysis.
  3. Provide Details: Include any additional information that might help in the analysis.

For more instructions, see How do I report a phishing message?


Frequently Asked Questions (FAQ)

Will OIT Ever Ask for My Password?

No. The Office of Information Technology (OIT) will never request your password via email, phone, or any other communication method. Only use your UI credentials on official UI websites.

How Do I Know a Message from OIT is Legitimate?

  • Official Channels: OIT communicates through official university email addresses ending with @uidaho.edu.
  • No Sensitive Requests: OIT will not ask for sensitive information via email.
  • Verification: If in doubt, contact OIT directly through official contact information listed on the university website.

What If I Have Already Responded to a Phishing Attempt or My Password Is Compromised?

  1. Change Your Password Immediately: Log in to help.uidaho.edu to reset your password.
  2. Notify OIT Security: Email security@uidaho.edu with details of the incident.
  3. Monitor Your Accounts: Check for any unauthorized activity on your accounts.
  4. Consult Support:
    • Faculty/Staff: Contact your TSP or Local Support.
    • Students: Reach out to the Student Technology Center.
  5. Account Remediation: OIT will assist in securing your account and investigating unauthorized access.

Additional Resources


Quick Reference Checklist

  1. Inspect the Sender: Verify the email address and sender's identity.
  2. Hover Over Links: Check the actual URL before clicking.
  3. Avoid Urgent Requests: Be cautious of emails demanding immediate action.
  4. Do Not Share Personal Information: Never provide passwords or sensitive data via email.
  5. Report Suspicious Emails: Use the Report Phish button or forward to abuse@uidaho.edu.
  6. Enable MFA: Use multi-factor authentication on all accounts.
  7. Stay Updated: Keep software and devices up to date with the latest security patches.
  8. Participate in Training: Engage in regular security awareness programs.

Communication Protocols

  • Official Emails: Communications from the university and other approved vendors will not contain Email Warning Tags at the top of the message.
  • Secure Channels: Sensitive information will be communicated through secure channels, not via email.
  • Verification: When in doubt, verify the message by contacting the department directly using contact information from the official website.


Stay Vigilant

Cyber threats are continually evolving. By staying informed and following best practices, you can protect yourself and the university community from phishing attacks.

Details

Article ID: 1521
Created: Thu 1/9/20 7:46 PM
Modified: Tue 10/1/24 11:49 AM

Related Articles

Information about and helpful tips on identifying phishing emails.

Related Services / Offerings

Report an information security incident.