Think before you click: Don’t get caught in phishing scams

The email certainly appears official: It comes from an @buffalo.edu address. There’s even a University at Buffalo copyright at the end. And the message hits us where we live — right in our email accounts.

But click on that link or open that attachment and there could well be trouble. You may have been phished.

While we’ve all been warned repeatedly by UB Information Technology (UBIT) about phishing activities targeting UB email accounts, it’s hard not to get hooked.

“We are seeing much more sophisticated phishing messages than in the past,” says Nadira Persad, UB’s information security officer. “Grammar in the messages has improved and they are very well done. Links in many of the messages take the victim to websites that look very similar to the UB login page and attempt to get the victim to enter his/her UBITName and password.”

And by entering that confidential data, students, faculty or staff may unwittingly be downloading a virus or malware that infects their computers and takes control of it, or installs keystroke-logging software that collects all the information that is typed in, including UBITNames or user IDs, passwords, credit card and debit card account information, pin numbers and social security numbers.

“Spearphishing” attacks are more personalized

Persad notes that while UB has filters that stop a significant amount of spam messages from making it into someone’s inbox, “It is a continual process to achieve the right balance between catching as much spam as possible and not marking legitimate messages as spam.”

Despite UBIT’s filters and attempts to intercept phishing emails before delivery, phishers are continually developing clever and creative ways to elude these preventions. They are turning to targeted attacks called spearphishing, she says.

“Spearphishing targets a specific person, group or organization by using carefully personalized and customized messages intended for the recipient using information that is publicly available,” she says. “The ‘sender’ appears to be someone from UB — a known and trusted individual, and sometimes someone in a position of authority; information in the message seems to be valid; and there is a request to do something or enter some data.”

Persad notes that in addition to emails, phishing can occur via phone calls or text messages.

“Smartphones make getting to your emails much easier, and you may not be as attentive about clicking on a link as you are on a computer. However, the same risks are present with smartphones,” she warns.

How to prevent getting hooked

So, what can we do to protect ourselves from phishing attempts? And what do we do if we get sucked in and open something that we shouldn’t?

Persad offers some good advice:

• Be a skeptic. Always be cautious about what emails, attachments and web links you open and be wary of any emails or phone calls requesting personal information or passwords. Treat unsolicited phone calls with skepticism and do not provide any personal information. If contacted by your bank or credit card company, hang up and call back using the information on the back of your credit card or on your statement. Remember: No legitimate source will ever ask you to disclose your password or other confidential information.
• Hover over the link in an email to see where it really goes. Sometimes the address in the link is slightly different from the real address, like buffalo.com instead of buffalo.edu, or has a variation in spelling. For sites you know well, it is better to directly enter a web link in a browser instead of clicking on the link in an email.
• Make your passwords long and strong, and change them regularly. Passphrases with a mix of characters work well and are easy to remember. Use different passwords for different accounts so a compromise only affects one account. Never share your password with anyone.
• Think before you click. Phishing emails generally have a sense of urgency to them or an incredible deal. If it sounds too good to be true, it usually is — you’ve won a lottery or you have unclaimed funds, for example.
• Avoid the social media trap. Be careful about the information you post on social media because the same data you willingly share can be used to target you. Bits of information across social media sites can be pieced together to create a good representation of who you are.
• When in doubt, throw it out. If an email seems suspicious, delete it or mark it as junk mail.

If you do open a phishing email and click on the link or input personal information, change your password immediately, Persad advises. “Depending on the data you input, you may want to put a block on your credit report, report the incident to your bank or report it to the local police if you believe you have been defrauded.”

UB employees who receive suspicious email attempting to steal UB passwords should send it to abuse@buffalo.edu. UBIT publishes such reports as security alerts to the campus community.

“We all need to be more attentive to these emails so we don’t become a victim,” Persad says.