Published April 2, 2015
The email certainly appears official: It comes from an @buffalo.edu address. There’s even a University at Buffalo copyright at the end. And the message hits us where we live — right in our email accounts.
But click on that link or open that attachment and there could well be trouble. You may have been phished.
While we’ve all been warned repeatedly by UB Information Technology (UBIT) about phishing activities targeting UB email accounts, it’s hard not to get hooked.
“We are seeing much more sophisticated phishing messages than in the past,” says Nadira Persad, UB’s information security officer. “Grammar in the messages has improved and they are very well done. Links in many of the messages take the victim to websites that look very similar to the UB login page and attempt to get the victim to enter his/her UBITName and password.”
And by entering that confidential data, students, faculty or staff may unwittingly be downloading a virus or malware that infects their computers and takes control of it, or installs keystroke-logging software that collects all the information that is typed in, including UBITNames or user IDs, passwords, credit card and debit card account information, pin numbers and social security numbers.
“Spearphishing” attacks are more personalized
Persad notes that while UB has filters that stop a significant amount of spam messages from making it into someone’s inbox, “It is a continual process to achieve the right balance between catching as much spam as possible and not marking legitimate messages as spam.”
Despite UBIT’s filters and attempts to intercept phishing emails before delivery, phishers are continually developing clever and creative ways to elude these preventions. They are turning to targeted attacks called spearphishing, she says.
“Spearphishing targets a specific person, group or organization by using carefully personalized and customized messages intended for the recipient using information that is publicly available,” she says. “The ‘sender’ appears to be someone from UB — a known and trusted individual, and sometimes someone in a position of authority; information in the message seems to be valid; and there is a request to do something or enter some data.”
Persad notes that in addition to emails, phishing can occur via phone calls or text messages.
“Smartphones make getting to your emails much easier, and you may not be as attentive about clicking on a link as you are on a computer. However, the same risks are present with smartphones,” she warns.
How to prevent getting hooked
So, what can we do to protect ourselves from phishing attempts? And what do we do if we get sucked in and open something that we shouldn’t?
Persad offers some good advice:
If you do open a phishing email and click on the link or input personal information, change your password immediately, Persad advises. “Depending on the data you input, you may want to put a block on your credit report, report the incident to your bank or report it to the local police if you believe you have been defrauded.”
“We all need to be more attentive to these emails so we don’t become a victim,” Persad says.