Avoid Phishing

October 01, 2019

Social Engineering is now the number one cause of breaches!

Social Engineering is any act that influences a person to take actions that may not be in their best interest. Scammers trick people into giving up access to systems and confidential data, often as one step in a larger scheme.

Phishing is the most common form of social engineering. It uses e-mails that appear to come from legitimate sources to trick people into giving out information or clicking on malicious links. Phishing messages frequently employ tricks that put recipients into emotional states that cause them to act without thinking.

Spear phishing is similar to phishing, but the attacker customizes the e-mail for a specific individual to make the phish seem more real. Spear phishers often target key employees with access to critical and confidential data.

Here are some tips and examples: 

Watch out. We have been seeing many scams that target people by pretending to be support personnel, such as ITS, Apple, or Microsoft. The scammers eventually ask you to install remote-access software and/or purchase gift cards.

Limit what you share online. The less you share about yourself, the smaller the target you are for a social engineering attack. Cybercriminals use information you post online to learn how to gain your trust. 

Answer security questions with information that is not easily discerned. Make it harder for someone to social engineer or even guess the answers to your security questions.

Protect your credentials. No legitimate company or organization will ask for your username, password, or other personal information via e-mail, phone, or text. The university definitely won't.

Beware of attachments. E-mail attachments are the most common vector for malicious software. When you get a message with an attachment, verify that it is legitimate before opening it.

Check the sender. Look at the sender's actual e-mail address, not just the name displayed. Any correspondence from an organization should come from that organization's e-mail address.

Take your time. If a message states that you must act immediately or lose access, do not comply.

Don't click links in suspicious messages. If you don't trust the e-mail (or text message or post), don't trust the links in it either. Beware of links that are hidden by URL shorteners or text like "Click Here." They may link to a phishing site or a form designed to steal your username and password.

You are at the front line for protecting yourself and the campus community, so make sure you stay aware and alert.  

Report the phish, then delete it.

Report to ITS: Copy the entire message, including full headers, and send it to help@ucsc.edu. Full headers are a critical resource for determining the origin of a phishing e-mail, and ITS needs them to investigate the phish. See the ITS instructions for obtaining full headers.
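The tips above (check the sender's real address, distrust shortened or mislabeled links, and keep the full headers for ITS) can be turned into a small triage script. The following is an added example written for this page, not an ITS tool: it assumes ucsc.edu is the organizational domain, uses an illustrative list of URL shorteners, and runs on a constructed sample message whose hosts are reserved example names.

```python
"""Added example: triage a suspicious e-mail from its full headers and body.
Checks sender domain, display-name spoofing, Return-Path disagreement,
URL shorteners, and links whose visible text names a different site than
the real destination. Standard library only."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "ucsc.edu"                 # assumption: the domain legitimate campus mail uses
ORG_LABEL = ORG_DOMAIN.split(".")[0]    # "ucsc", used to spot spoofed display names
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}  # illustrative list

# Constructed sample message (not a real phish); hosts are RFC 2606 example names.
SAMPLE_MESSAGE = b"""\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.10])
        by mx.ucsc.edu with ESMTP id abc123; Tue, 1 Oct 2019 09:00:00 -0700
From: "UCSC ITS Help Desk" <helpdesk@ucsc-support.example.com>
To: sammy@ucsc.edu
Subject: Action required: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox is full. <a href="http://bit.ly/xyz123">Click Here</a>
to keep access, or visit <a href="http://login.example.net/">https://its.ucsc.edu</a>.</p>
</body></html>
"""


def in_org(domain):
    """True if domain is the organizational domain or a subdomain of it."""
    domain = domain.lower()
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def triage(raw):
    """Return a list of (code, detail) findings for a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    display, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if not in_org(from_domain):
        findings.append(("sender-domain", from_domain))
        # A display name that claims the organization while the address does not
        if ORG_LABEL in display.lower():
            findings.append(("display-name", display))

    # Return-Path is where bounces go; a domain different from From is a weak
    # signal on its own (bulk mailers do this too) but worth noting in triage.
    _, return_path = parseaddr(str(msg["Return-Path"] or ""))
    rp_domain = return_path.rpartition("@")[2].lower()
    if rp_domain and rp_domain != from_domain:
        findings.append(("return-path", rp_domain))

    body = msg.get_body(preferencelist=("html",))
    for href, text in (extract_links(body.get_content()) if body else []):
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(("shortener", href))
        if text.lower() == "click here":
            findings.append(("generic-link-text", href))
        # Visible text that looks like a URL must point at the same host as href
        if text.lower().startswith(("http://", "https://", "www.")):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if shown.lower() != host:
                findings.append(("link-text-mismatch", f"{text} -> {href}"))
    return findings


def received_hops(raw):
    """The Received chain, top (nearest you) to bottom (origin), for the report to ITS."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_MESSAGE):
        print(f"{code:20} {detail}")
    print("Received chain:", *received_hops(SAMPLE_MESSAGE), sep="\n  ")
```

Run it on a message saved with full headers (Gmail's "Show original" gives the raw form). The Received chain is read from the bottom up to find the originating host, which is why ITS asks for full headers rather than a forwarded copy, where that chain is lost.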

Report to Google: If you are using the UCSC Gmail web interface, open the message, click the Down arrow (next to the Reply button), and then click Report phishing.

E-mail phishing generally targets large numbers of people at once. The faster you report it, the quicker ITS can respond and the safer your colleagues will be.

Policy Wonk Section

UC Account and Authentication Management Standard

Section 4.2: Multi-Factor Authentication

  • Accounts used to access Institutional Information or IT Resources classified at Protection Level 3 or higher and IT Resources classified at Availability Level 3 or higher must use multifactor authentication.

Multi-factor authentication (MFA) is mandatory for UCSC services using the CruzID Gold password login. Student data and personnel records are classified as P3. If you work with this type of data, enabling MFA helps you meet this requirement.

Section 4.5: Using UC usernames and passphrases for non-UC business

  • Workforce Members must not use UC user account names (email, logon name or netid) as the primary identifier on non-UC accounts created for non-UC purposes (e.g., sammy@ucsc.edu must not be used as the account name for a personal account).
  • Workforce Members must not use UC passphrases for social media, shopping or other personal applications.

Keep your work and personal accounts separate. The less your CruzID and passwords are used elsewhere, the less likely it is that attackers will gain access to them.