UCSB is participating in Cyber Security Awareness Month (CSAM) during October. The goal of CSAM is to increase awareness about cybersecurity and to educate the campus community on ways to better protect themselves and their devices from cyberattacks. This week we will focus on phishing, a type of social engineering.
Phishing is an attempt, usually by email, to obtain your personal information and commit fraud. Cybercriminals use phishing to manipulate people into doing what they want. These days technology makes phishing easy. Setting up and operating a phishing attack is fast, inexpensive, and low-risk; any cybercriminal with an email address can launch one.
Here are a few things you can do to guard against phishing attacks:
- Limit what you share online. The less you share about yourself, the smaller the target you are for a phishing attack. Cybercriminals use information you post online to learn how to gain your trust.
- Protect your credentials. No legitimate company or organization will ask for your username and password or other personal information via email, including the university. Not sure if the email is a phish? Contact your IT help desk.
- Beware of attachments. Email attachments are the most common vector for malicious software. When you get a message with an attachment, delete it unless you are expecting it and are certain it is legitimate. If you’re not sure, call the sender at a number you know is legitimate to check.
- Confirm identities. Phishing messages can look official. Cybercriminals steal organization and company identities, including email addresses, logos, and URLs, that are close to the links they're trying to imitate. There's nothing to stop them from impersonating the university, financial institutions, retailers, a wide range of other service providers, or even someone you know.
- Trust your instincts. If you get a suspicious message that claims to be from an agency or service provider, use your browser to manually locate the organization online and contact them via the website, email, or telephone number that you looked up – not what was provided in the message.
- Check the sender. Check the sender's email address. Any correspondence from an organization should come from an organizational email address. A notice from the university is unlikely to come from IThelpdesk@yahoo.com.
- Take your time. If a message states that you must act immediately or you will lose access, do not comply. Phishing attempts frequently threaten a loss of service unless you do something. Cybercriminals want you to react without thinking; an urgent call to action makes you more likely to cooperate.
- Don't click links in suspicious messages. If you don't trust the email, text message, or post, don't trust the links in it either. Beware of links that are hidden by URL shorteners or text like "Click Here." They may link to a phishing site or a form designed to steal your username and password.
Students and faculty in our community have recently received emails as part of an advanced fee scam. This fraudulent scheme involves criminals luring victims with a counterfeit check to cover services, often inflating the amount. Subsequently, the scammer convinces the victim to pay a portion of the surplus to another party before the initial check bounces, resulting in the theft of their money. Avoid any communication via text message with the following two phone numbers: (626) 768-1837 and (626) 261-2174.
For more information, visit security.ucsb.edu or #phishUCinfosec, and don’t forget to follow @UCSBInfoSec on Facebook, Twitter, LinkedIn, and/or Instagram, where you can find the most up-to-date information about events we’re hosting this year. Thanks again, and we hope you stay cyber safe!