Phishing attacks have been a problem for many years. Typically, hackers send messages asking members of our community to click on a link or reply to an email message with a password. Their goal is to trick our community members into giving them access to our accounts and information. Sometimes, they pretend to be DoIT and send messages to ask for your password or to tell you that there is a problem with your UMBC account.
Recently, hackers have expanded their efforts by trying to send messages as people from the campus community using that person’s name and title to request information. They try to choose a name or title that the community would trust. As examples, they have requested information about how to wire money out of the campus and get people to send checks to outside addresses. They have also requested that people send them files containing the social security numbers of community members. In some cases, they have also impersonated UMBC vendors. In each of these examples, they have tried to make their phishing messages appear to come from a person that the campus would trust.
Hackers are motivated by money and resources and will keep trying to get at our accounts, information, and resources. Technical filters catch many of these messages but never all of them; stopping the rest depends on the UMBC community recognizing and reporting them. Here are some questions that DoIT frequently receives, and the answers:
- What is phishing/spam?
- How can I identify a phishing attack?
- What does DoIT do to protect me from phishing attacks?
- How do spammers get my email address?
- What information should I not send in an email?
- What should I do if I receive a suspicious email?
- How can I use password protection to prevent my account from getting hacked?
What is Phishing/Spam?
Phishing is the use of deception to acquire passwords, credit card numbers, and other sensitive information from a user. Spam is unsolicited bulk email; most phishing arrives as spam, but a targeted phishing message may be sent to a single person. Email is the most common phishing medium. Phishers typically pose as a trusted entity, such as a system administrator, in order to scam their victims.
How can I identify a phishing attack?
To spot phishing emails, look out for the following:
- Unexpected messages making unexpected requests
- Be suspicious of an email or direct message from an unfamiliar sender who claims to know you, or from a friend you have not spoken to in a long time, especially if it asks for money or personal information. Check the recipient list as well: a message sent to people you don’t know or talk to is a warning sign.
- An offer that’s “too good to be true”
- It probably is, especially if basic details such as an employer’s address or a product’s shipping information are nowhere to be found.
- Phishy Links and Email Addresses
- Hyperlinks and sender addresses appear to match known domains and people, but something, sometimes a single letter, has been changed. This may require close examination: look for misspellings, dashes, letters that look alike (an “rn” in place of an “m”, a “1” in place of an “l”), or a trusted name placed in front of an unrelated domain, and compare the address you actually see with the domain you expect.
- An email requests your password, your credit card number, or other sensitive information
- Email is never a secure way to share this information, and legitimate services either already have it or will ask for it on their own site rather than by email. On a site that asks for personal information, such as a credit card number, “https” in the address bar only means the connection is encrypted; phishing sites use https too, so also check that the domain itself is the one you expect.
- An urgent tone
- If the sender says you must act now, or uses jargon or other intimidating language, ask yourself why.
- Something “off”
- Phishing emails often have an impersonal, awkward, unprofessional, or out-of-character tone. Many, but not all, phishing emails contain conspicuous typos, bizarre capitalization, or numbers used in place of letters.
- A prompt to open an attachment or follow a link
- Critically examine any email with an attachment, especially an unexpected one. If a link prompts you to sign in to an account, be extra suspicious. Do not enable macros or grant similar permissions for attachments you do not trust.
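The domain checks described above can be automated. The following Python script is an added example, not DoIT’s own tooling: it compares the domain of a sender address or link against a short trusted-domain list, undoes common lookalike substitutions (“rn” for “m”, “1” for “l”, “0” for “o”), measures how many single-character edits separate the two, and flags a trusted name that appears inside an unrelated domain. It also catches a link whose visible text shows one address while the href points to another. The trusted-domain list and the sample HTML snippet are constructed for this example.

```python
"""Flag sender domains and links that imitate a trusted domain.

Added example, not DoIT's code. TRUSTED_DOMAINS and SAMPLE_HTML are
constructed for illustration.
"""
import re
from typing import Optional

# Domains the campus community would trust (assumption for this example).
TRUSTED_DOMAINS = ("umbc.edu", "google.com", "gmail.com")

# Character pairs that look alike in many fonts, undone in this order.
LOOKALIKES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+)", re.I)
DOMAIN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/\S*)?", re.I)


def normalize(domain: str) -> str:
    """Undo lookalike substitutions and dashes so imitations collapse onto the original."""
    d = domain.lower()
    for fake, real in LOOKALIKES:
        d = d.replace(fake, real)
    return d.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels: a good-enough stand-in for the registered domain here."""
    return ".".join(domain.split(".")[-2:])


def check_domain(domain: str) -> Optional[str]:
    """Return a reason if domain imitates a trusted one, or None if it looks fine."""
    domain = domain.lower().rstrip(".")
    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return None  # the trusted domain itself, or a genuine subdomain of it
    for trusted in TRUSTED_DOMAINS:
        name = trusted.split(".")[0]
        if normalize(reg) == normalize(trusted):
            return f"{domain}: lookalike characters imitate {trusted}"
        if edit_distance(reg, trusted) <= 2:
            return f"{domain}: within two edits of {trusted}"
        if name in domain:
            return f"{domain}: uses the name '{name}' but is registered as {reg}"
    return None


def host_of(url: str) -> str:
    """Host part of a URL (scheme optional), lowercased."""
    m = HOST_RE.match(url.strip())
    return m.group(1).lower() if m else ""


def check_links(html: str) -> list:
    """Examine every <a> tag for a suspicious href domain or a text/href mismatch."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        host = host_of(href)
        reason = check_domain(host)
        if reason:
            findings.append(reason)
        shown = DOMAIN_TEXT_RE.fullmatch(text.strip())
        if shown and shown.group(1).lower() != host:
            findings.append(f"link text shows {shown.group(1)} but points to {host}")
    return findings


# Constructed sample: a fake "mailbox full" notice with one forged link and one real one.
SAMPLE_HTML = (
    '<p>Your mailbox is full. Visit <a href="https://my.umbc.edu.login-portal.net/reset">'
    "https://my.umbc.edu</a> to keep your account.</p>"
    '<p>Questions? <a href="https://doit.umbc.edu/help">Contact DoIT</a></p>'
)

if __name__ == "__main__":
    for sender in ("helpdesk@umbc.edu", "it-support@urnbc.edu", "alerts@umbc-edu.com"):
        print(sender, "->", check_domain(sender.split("@")[1]) or "ok")
    for finding in check_links(SAMPLE_HTML):
        print("link:", finding)
```

The two-label `registrable()` shortcut is enough for the domains in this example; a production tool would use the Public Suffix List, since “co.uk”-style suffixes would otherwise be treated as the registered domain.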
What does DoIT do to protect me from phishing attacks?
When we discover phishing emails or they are reported to us, we normally block further email from the sender to prevent delivery of more email from them. We normally also block email (i.e. replies) TO the sender, so that no one can reply to such emails (provided that no one has already done so). We also check whether anyone has already replied, and in such cases we disable their account temporarily to prevent the fraudsters from accessing it. None of this can happen instantly, of course, and that is why you must also play your part in helping to keep your account secure.
How do spammers get my email address?
There are lots of ways for spammers to obtain your address.
- Any public source of information will do – they look everywhere and anywhere.
- Web pages are the most common source.
- Some email lists, newsgroups, etc. can make your addresses visible and open to being harvested.
- Harvested address lists are bought and sold among spammers, so one exposure can lead to many senders.
What information should I not send in email?
No one should ever send passwords or confidential information in an email message.
Confidential information includes: social security numbers, driver’s license numbers, passport numbers, and financial account numbers. This information is classified as confidential information under the policies of UMBC, the University System of Maryland, and the State of Maryland. Passwords and confidential information can never be sent through email. This applies both to the body of an email message and to attachments. For in-depth information about our data classifications and use, please see the following two links:
What should I do if I receive a suspicious email?
Do not click any attachments or links in an unsolicited or suspicious email, even one that says “unsubscribe.” Never respond to suspected phishing emails, and never send personal information like passwords via email.
If a message asks you to do something unusual, look up the phone number of the person the message is from in the UMBC directory, call the person, and ask them if they really sent the message. Do not call a person back at a phone number listed in the suspicious email message; the phishing message may include the hacker’s own phone number. For example, if you get a message saying that there is a problem with your computer account and you aren’t sure whether it is real, call the DoIT Technology Support Center (410-455-3838) and ask. This also applies to any messages that appear to come from Human Resources, Finance, Financial Aid, or any other department. If the message seems strange, trust your instincts, look up the correct phone number for the person, and call to verify the message.
If you believe the message to be a phishing email, send a copy of the “full headers” (the Received, Return-Path and Authentication-Results lines that show where the message actually came from, not just the name displayed in the From field) and as much information as you can to email@example.com. DoIT will review the messages, verify that they are phishing messages, and take steps to try and protect the rest of the community.
Gmail may block sending of an email if it has already been identified as fraudulent. If this is the case, you do not need to forward the copy to firstname.lastname@example.org.
Once you’ve reported any phishing messages to email@example.com, please delete the messages, and very importantly, never click on the links in a phishing message. Just by clicking on the link in a phishing message, you may download a malicious program onto your computer.
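As an added illustration of what the full headers reveal (example code, not part of DoIT’s process), the Python script below reads a raw message with the standard `email` module and reports the mismatches a reviewer looks for: a Reply-To or Return-Path domain that differs from the From domain, a failing SPF, DKIM or DMARC result in the Authentication-Results header added by the receiving server, and the earliest Received line, which names the server that actually handed the message in. Both sample messages are constructed; their host names are made up and the addresses come from documentation ranges.

```python
"""Report the forged-sender signs visible in a message's full headers.

Added example, not DoIT's procedure. PHISH and LEGIT are constructed
samples with made-up host names and documentation-range addresses.
"""
import email
import re
from email.utils import parseaddr

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(addr: str) -> str:
    """Domain part of an email address, lowercased."""
    return addr.rpartition("@")[2].lower()


def analyze_headers(raw: str) -> dict:
    """Return the sender fields, the earliest Received hop and a list of findings."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    findings = []
    from_dom = domain_of(from_addr)
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"Reply-To goes to {domain_of(reply_to)}, not {from_dom}")
    if return_path and domain_of(return_path) != from_dom:
        findings.append(f"bounces (Return-Path) go to {domain_of(return_path)}, not {from_dom}")
    # Authentication-Results is written by the receiving server; anything other
    # than "pass" means the From domain did not vouch for this message.
    auth = msg.get("Authentication-Results", "") or ""
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth, re.I)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech} result is {m.group(1)}")
    # Each hop prepends its own Received line, so the last one is the first hop.
    received = msg.get_all("Received") or []
    origin = " ".join(received[-1].split()) if received else ""
    ip = IP_RE.search(origin)
    return {
        "from_name": from_name,
        "from": from_addr,
        "reply_to": reply_to,
        "return_path": return_path,
        "origin_hop": origin,
        "origin_ip": ip.group(1) if ip else "",
        "findings": findings,
    }


# Constructed sample: display name and From address imitate the help desk,
# but replies and bounces go elsewhere and the receiving server's checks fail.
PHISH = """Return-Path: <bounce@relay-77.example.net>
Received: from mx.umbc.edu ([10.0.0.5]) by mail.umbc.edu with ESMTP;
 Mon, 3 Jun 2024 09:12:01 -0400
Received: from relay-77.example.net (unknown [203.0.113.45]) by mx.umbc.edu with ESMTP;
 Mon, 3 Jun 2024 09:11:58 -0400
Authentication-Results: mx.umbc.edu; spf=fail smtp.mailfrom=example.net;
 dkim=none; dmarc=fail header.from=umbc.edu
From: "DoIT Help Desk" <helpdesk@umbc.edu>
Reply-To: helpdesk-umbc@example.org
To: student@umbc.edu
Subject: Action required: your password expires today

Your mailbox will be locked unless you confirm your password at the link below.
"""

# Constructed sample of a genuine notice for comparison.
LEGIT = """Return-Path: <helpdesk@umbc.edu>
Received: from mail.umbc.edu ([10.0.0.7]) by mx.umbc.edu with ESMTP;
 Mon, 3 Jun 2024 10:02:11 -0400
Authentication-Results: mx.umbc.edu; spf=pass smtp.mailfrom=umbc.edu;
 dkim=pass header.d=umbc.edu; dmarc=pass header.from=umbc.edu
From: "DoIT Help Desk" <helpdesk@umbc.edu>
To: student@umbc.edu
Subject: Scheduled maintenance this weekend

No action is needed.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        report = analyze_headers(raw)
        print(label, "first hop:", report["origin_ip"] or "unknown")
        for finding in report["findings"]:
            print("  -", finding)
```

Gmail shows these lines under “Show original”; the earliest Received line and the Authentication-Results line are the two that matter most when forwarding a report, because the From line alone is trivially forged.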
Here are a few ways you might recognize these messages:
- They ask you to provide your username and password or other personal information (e.g. Social Security number, bank account number, PIN, credit card number, mother’s maiden name, or birthday). Even if they appear to be from a legitimate source, or contain an official-looking web page, be careful. Spammers ask for this information in an attempt to take over your email account, or to steal your money, your credit, or your identity.
- You might see a warning from Gmail when you open one of these messages. These phishing alerts operate automatically, much like spam filtering. Gmail’s spam filters automatically divert messages suspected of being unwanted into ‘Spam’. Similarly, Gmail’s phishing alerts automatically display warnings on messages it suspects are phishing attacks, so you know to exercise caution before providing any personal information.
See How can I identify a phishing attack? for more tips.
You should always be wary of any message that asks for your personal information, or messages that refer you to a webpage asking for personal information. One thing to be sure of: UMBC, Google or Gmail will never ask you to provide this information in an email; if the message asking for it claims to be from us, don’t believe it.
How can I use password protection to prevent my account from getting hacked?
Passwords are a simple measure we rarely think about. How many of us have one or two general passwords that we use for all our accounts? If one of them leaks, every account that shares it is exposed. It’s always better to be safe than sorry, so now is the perfect time to reconsider how you protect your accounts. Here are some tips to decrease the chances of your account getting hacked:
- Change your password periodically, and immediately if you suspect it has been exposed: regular changes limit how long someone who has quietly acquired your password can keep using it. For example, someone who has your password can log in as you and monitor your private conversations, as well as use your identity to send unwanted email.
- Don’t use simple passwords: Avoid consecutive keyboard combinations such as “qwerty” or “1234”. Do not use personal information such as your name, date of birth, age, pet’s name, etc.
- Use a combination of letters, numbers, and symbols: Use at least 8 characters mixing numbers, letters, and symbols; longer is better, and a phrase of several unrelated words is easier to remember than a short random string. Many sites include a password strength meter; use it as a guide. You can also make it fun: a password built from a phrase, such as “2B-or-Not_2b?” for “to be or not to be”, mixes letters, numbers, and symbols. Never use that example itself, or any password that has been published anywhere, because published examples end up in attackers’ guessing lists.
- Manage your passwords: It’s already hard enough to remember all of your passwords, and constantly resetting them is annoying. It’s okay to write your passwords down as long as they are kept in a secure place away from the computer. A password manager can generate and store a different password for every account, so you only need to remember one.
- Log out: A lot of the time we forget to log out when we’re in a public place. Log out every time you step away from a shared computer; otherwise the next person to use it can walk straight into your accounts.
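To show how the checks in this list can be applied mechanically, here is an added Python example (not a DoIT tool): it rejects keyboard and alphabet sequences, personal details supplied by the user, and published example passwords including the one quoted above, and estimates the strength of what remains from its length and the character classes it uses. The 12-character minimum and the 60-bit threshold are this example’s own assumptions, stricter than the 8-character floor given above.

```python
"""Apply the password checks from this list mechanically.

Added example, not a DoIT tool. MIN_LENGTH and MIN_BITS are this
example's own assumptions.
"""
import math
import string

MIN_LENGTH = 12   # assumption: stricter than the 8-character floor in the list above
MIN_BITS = 60.0   # assumption: rough entropy floor for a strong password

# Sequences attackers try first: keyboard rows, the digit row, the alphabet.
SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", string.ascii_lowercase)

# Passwords that have appeared as published examples (including the one quoted
# above) or are otherwise well known; anything on such a list is already in
# attackers' wordlists.
PUBLISHED = {"2b-or-not_2b?", "password", "letmein", "changeme", "welcome1"}


def keyboard_run(pw: str, length: int = 4) -> str:
    """Return the first run of `length` adjacent sequence characters found in pw, or ''."""
    p = pw.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - length + 1):
            chunk = seq[i:i + length]
            if chunk in p:
                return chunk
            if chunk[::-1] in p:
                return chunk[::-1]
    return ""


def entropy_bits(pw: str) -> float:
    """Estimate strength as length * log2(size of the character classes used)."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    )
    pool = sum(size for chars, size in classes if any(c in chars for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def assess(pw: str, personal: tuple = ()) -> list:
    """Return the list of problems with pw; an empty list means it passes every check."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    run = keyboard_run(pw)
    if run:
        problems.append(f"contains the keyboard sequence '{run}'")
    for term in personal:
        if len(term) >= 3 and term.lower() in pw.lower():
            problems.append(f"contains personal detail '{term}'")
    if pw.lower() in PUBLISHED:
        problems.append("is a published example password")
    bits = entropy_bits(pw)
    if bits < MIN_BITS:
        problems.append(f"estimated strength {bits:.0f} bits is below {MIN_BITS:.0f}")
    return problems


if __name__ == "__main__":
    # Constructed personal details a user might supply for the check.
    me = ("Jane", "Doe", "1999", "Fluffy")
    for candidate in ("qwerty123", "fluffy2024!", "2B-or-Not_2b?", "Tuesday-Kettle-Orbit-49"):
        problems = assess(candidate, me)
        print(candidate, "->", "; ".join(problems) or "passes")
```

The entropy estimate is deliberately crude: it treats every character as independent, so a dictionary phrase scores higher than it deserves. The sequence, personal-detail and published-list checks exist precisely to catch the cases the estimate misses.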