In a guest post for National Cyber Security Awareness Month, Terri Buckner, Information Security Project Manager at Information Technology Services, explains what phishing is, the extent of the problem and how to protect yourself from phishing attempts.
Internet and phone scams, collectively known as phishing, have been targeting Orange County and UNC-Chapel Hill at an increasing rate this year. The scammers’ goal is to lure victims into giving away sensitive information with claims that sound legitimate (the “bait,” as in fishing). Those who take the bait may suffer identity theft, financial loss or both.
The Ponemon Institute estimates that phishing attacks cost the average organization of 10,000 employees some $3.7 million a year. Here at UNC-Chapel Hill, the ITS Service Desk receives roughly 1,000 reports of phishing emails each month, many of which result in compromised Onyens.
Phishing vs. marketing spam
Phishing is different from marketing spam. Spammers try to trick you into buying something; the Nigerian prince asking you to send money is another form of spam. Although spam is the most prevalent type of phone and Internet scam, phishing is the most malicious: its goal is to acquire sensitive information such as passwords, account numbers or even Social Security numbers. Spammers may want your money, but they don’t care about your sensitive information. Both are bad, but getting caught by a phish can have long-term ramifications.
One frequently reported phone phish comes from callers who claim the Internal Revenue Service has filed a lawsuit against you: “This call is officially a final notice from the IRS, Internal Revenue Service. The reason of this call is to inform you that the IRS is filing a lawsuit against you.” Another call claims to be from “the Microsoft Service Center.” The callers say your computer has been hacked and they need to fix it. The first call wants your Social Security number; the second wants your password. If you get one of these calls, hang up!
How we make ourselves vulnerable
Online phishing is made easier by the ubiquity of email and web surfing. Most of us aren’t cybersecurity experts, and we follow habits that make us vulnerable to phishing, like choosing passwords that are easy to remember instead of ones that are hard to crack. Because so many people use the same password for multiple purposes, such as email and bank accounts, a single stolen password can be a gateway to other sensitive information: bank and credit card numbers, and loan and credit history reports that contain your Social Security number.
What is malware?
Malware is computer code intentionally designed for malicious purposes, such as taking control of your system or deleting data. It is similar to phishing in that it is usually installed by an attacker convincing you to do something that is not in your best interest, like opening an attachment or clicking a malicious link. Ransomware is a particular type of malware that encrypts your files or locks your computer and demands payment before you can get back in.
How to fight phishing
The best protection against phishing is simply to hang up on the caller or delete the email. But sometimes the phish is so devious that you don’t immediately recognize it as such. Here are some best practices to help you recognize when you’re being phished:
- Don’t open attachments if you don’t know the sender or if the email seems odd.
- Be judicious about opening websites. The Web of Trust provides a “reputation” graphic to steer you away from sites known to be fraudulent: https://www.mywot.com/.
- Use complex passwords: at least 10 characters, no dictionary words, and a mix of letters, numbers and special characters. Never use your birthdate or other easily found information.
- Don’t re-use passwords for sensitive accounts such as bank accounts. A password vault such as LastPass generates and stores complex passwords so you don’t have to remember them.
- Don’t unsubscribe from mailing lists that you don’t recognize as lists to which you subscribe.
- Learn to spot URL spoofing, also known as forged links, before you click. Hover your mouse over a link (don’t click it!) and compare the address that appears in the bottom left corner of your browser or email window with the link text. If the two don’t match, don’t click.
- Use the same hover method on email addresses. The name shown in the “From” field is just a label the sender chose; hover over it (or open the message details) to see the actual address, and make sure its domain (the part after the @, such as @google.com) belongs to the organization the message claims to be from. Keep in mind that even the real address can be forged, so a matching domain is not proof that a message is genuine.
- Update your software, including web browsers, as soon as new versions become available. Software developers do their best to fix vulnerabilities, so make sure you take advantage of their efforts to keep you safe online.
- If you do get a phish through your UNC-Chapel Hill email account, check the Phish Alerts database. If the phish you received isn’t in the database, forward your phish to firstname.lastname@example.org ASAP.
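The two hover checks above (forged links and mismatched sender addresses) can also be automated. The following Python script is an added example, not part of the original post or of any UNC or ITS tool. It parses a constructed sample message, flags anchors whose visible text names a different domain than the link actually points to, and flags a “From” header whose display name claims a domain other than the real address. The sample message and its domains (onyen-verify.example.net) are made up, and the domain comparison uses a crude last-two-labels rule rather than a public-suffix list.

```python
"""Spot forged links and mismatched sender addresses in an email (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phish (not a real message): the display name and the
# visible link text claim unc.edu, but the real address and href do not.
SAMPLE_EML = """\
From: "help@unc.edu" <alerts@onyen-verify.example.net>
To: student@unc.edu
Subject: Your Onyen will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your Onyen password expires today. Verify it here:</p>
<p><a href="http://onyen-verify.example.net/login">https://onyen.unc.edu/</a></p>
<p>Questions? See <a href="https://its.unc.edu/">ITS</a>.</p>
</body></html>
"""

# Matches something that looks like a host name (with optional scheme) in text.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'mail.unc.edu' -> 'unc.edu' (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def forged_links(html):
    """Anchors whose visible text names a domain other than the href's host."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href).hostname
        shown = HOST_RE.search(text.lower())
        if target and shown and registrable(shown.group(1)) != registrable(target):
            findings.append({"shown": text, "actual": href})
    return findings


def sender_mismatch(from_header):
    """(claimed_domain, actual_domain) if the display name claims another domain, else None."""
    name, addr = parseaddr(from_header)
    actual = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claimed = re.search(r"@([a-z0-9.-]+\.[a-z]{2,})", name.lower())
    if claimed and actual and registrable(claimed.group(1)) != registrable(actual):
        return (claimed.group(1), actual)
    return None


def analyze(raw):
    """Run both checks on a raw RFC 822 message and return the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return {"sender": sender_mismatch(str(msg["From"])), "links": forged_links(html)}


if __name__ == "__main__":
    print(analyze(SAMPLE_EML))
```

On the constructed sample this reports the sender as claiming unc.edu while really coming from onyen-verify.example.net, and reports one forged link (the visible “https://onyen.unc.edu/” that points at the example.net host); the plain “ITS” link, whose text is not a host name, is not flagged. A script like this only catches the same mismatches you would see by hovering; it says nothing about a message whose real address and links are simply owned by the attacker.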
Remember, legitimate organizations such as the University, your bank and the IRS will not contact you to ask for your password, account numbers or any other sensitive information over the phone or online. If a message or call does ask, don’t reply; contact the organization through a phone number or web address you already know to be genuine. For more tips and tools, see Stay Safe Online at: https://staysafeonline.org/stay-safe-online/.