Office of the Chief Information Security Officer

Transcript: Phishing

Things to know about Phishing at UW

Instructions
This training is approximately 9 minutes long. You can speed it up or slow it down using the controls in the player. A transcript can be accessed or downloaded from the transcript link.

Music

Introduction

“What’s this? Meeting notification? What meeting? I don’t have a meeting right now. Hey, wait a minute. This isn’t real.”

What’s phishing? Phishing is a form of email fraud in which cybercriminals and other adversaries attempt to entice you to click on links and download attachments so that they can steal valuable data, including your UW NetID login credentials.

What do phishers do?

Well, once phishers obtain your UW NetID and password, they may use them to send spam and gain access to UW information systems, student, employee, and research data, and intellectual resources.

They may also use your credentials, along with other types of spoofed accounts, to carry out a variety of scams, such as luring people to buy gift cards, cash fraudulent checks, and pay on phony invoices.

Besides stealing credentials, phishing emails may deliver various forms of malicious software, or malware, that can be used for a variety of nefarious purposes.

Phishing at UW

One example of this kind of malware is Emotet. Emotet is a kind of malware “Swiss Army Knife,” because it offers attackers a wide variety of methods to infect computers, systems, and networks. It’s frequently used in mass malicious email campaigns, as well as for highly targeted attacks on specific individuals, departments, or organizations. You can learn more about this type of malware by clicking “Emotet” in the links menu.

Here at UW, we see many examples of phishing emails and scams on our networks every day. They may take the following forms:

  • Links in email that lead to malicious web pages where malware may be downloaded on to your computer.
  • Links that lead to phony login pages, even ones that look just like the official UW login page, where your credentials may be harvested to send spam or infiltrate UW information systems. Phony login pages may be crafted to look like your bank account, Office 365, Adobe, or other financial and software accounts.
  • They may come in the form of malicious attachments, such as invoices or spreadsheets, that contain malware that is activated once you open them.
  • Spoofed accounts: accounts that may appear to be from someone you know or from a University employee, but the email address that appears in your inbox is forged, or covers up the actual email address belonging to the adversary.
  • They may take the form of gift card scams, such as those that have the subject line “Are you available?” These scams are ones in which you receive a casual message seemingly from your boss–or your boss’s boss–or another acquaintance asking if you’re available, but it is followed up by a request to go buy gift cards, scratch them to reveal the numbers, and text or email them to the phony sender. These scams often include a request to send your personal phone or email address which helps the scammer bypass any protections already in place on university systems.
  • Other gift card scams may appear to be from University employees, asking you to buy the cards to pay for tuition and other fees. Please note that University employees will never ask you to pay using gift cards.
  • Gift card scams might also impersonate government agencies and services, such as the IRS, police or municipal courts, and immigration services to try to fool users into making phony payments.
  • These scams may take the form of internships and job offers that appear to be from legitimate employment agencies, and they use compelling offers that seem to be from real individuals and departments. These offers may range from pet sitting jobs to tutoring and remote assistant jobs to long-term research opportunities with professors–and they typically request that you contact them with your personal email accounts so they can take their deceptive activities off of the UW network.
  • There are also scams that take advantage of current events, such as coronavirus-themed email.
  • Another one is “I know your password.” These scams might try to trick you into believing that a password you discarded long ago might be used to blackmail you into paying large sums of money, usually in bitcoin, to an adversary–who likely found your old password in one of the many past breaches involving millions of old email and other accounts.
  • These scammers might also claim to have webcam evidence that you have engaged in embarrassing, illicit, or illegal activities.
  • By the way, you can find out whether one of your current or past accounts has been involved in a large-scale password breach at haveibeenpwned.com.

Things to do
As you review each of these scams, remember that most of the harmful activities that target personal and UW data begin with just one click in one email, or with one phony malicious attachment.

So a breach of your personal and UW data, including student, employee, patient, research, and administrative systems might all begin with just one click.

But also remember there are several things you can do to stop attackers in their tracks.

  1. Think before you click on links or download attachments, even if it appears to be from someone you know. If you weren’t expecting the email or you are not sure of its origin, call–don’t email–the sender.
  2. Get in the habit of looking at the Internet address bar, especially on login pages, to make sure you are on the correct login page.
  3. Regularly check on the “Phishing Examples” web page on the Office of the CISO website to see phishing campaigns that are currently active–but know that those examples are NOT the only phishing emails coming in that day.
  4. If you do click on a link, and you realize it’s a scam, contact help@uw.edu for guidance.
  5. Use Sophos antivirus software and keep it updated. A home version of Sophos can be downloaded for personal computers and home use if you click on “Sophos” in the “Links” menu and follow the directions.
  6. Be wary of requests for transfers of money, job offers, or gift cards.
  7. Messages that solicit money, ask for your financial or bank account information, or offer to send you money should be regarded as highly suspicious. Be aware that scammers may send you phony checks that initially clear and make funds immediately available, and then bounce, leaving you on the hook for the money.
  8. Use strong passwords and protect your UW NetID credentials. Don’t reuse your UW NetID credentials on any other accounts.
  9. Using a password manager can help by only prompting on verified login pages. Phishing sites won’t prompt your password manager. Click LastPass in the links menu to find information about UW-IT’s LastPass service.
  10. Always keep your data backed up in case you are hit by a ransomware attack.
  11. Review the phishing infographic on the CISO website, share it with others, and post it in common areas.
  12. Report suspected email scams that target the UW to security@uw.edu. Report phishing messages to help@uw.edu. Find more information by clicking the Report link in the menu bar.
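Items 2 and 9 above come down to one rule: credentials go only to the exact origin that was saved for the genuine login page, never to a page that merely looks right. The following Python script is an added illustration, not part of the training or any UW tool; it assumes a made-up trusted hostname `login.example.edu` and uses constructed lookalike URLs.

```python
from urllib.parse import urlsplit

# Assumption (not the page's own value): the origin a password manager has saved
# for the genuine login page. A constructed placeholder, not UW's real hostname.
TRUSTED_LOGIN_ORIGIN = ("https", "login.example.edu")


def origin_of(url: str) -> tuple:
    """Return (scheme, hostname) as a browser parses them.

    Userinfo ("name@"), ports, paths and query strings are discarded, so a
    familiar name placed before '@' or in the path never counts as the host.
    """
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower())


def is_trusted_login_page(url: str, trusted=TRUSTED_LOGIN_ORIGIN) -> bool:
    """Exact scheme+host comparison: the rule a password manager applies before
    offering to autofill, and what the address-bar habit in item 2 mirrors.
    A page that only *looks* like the login page never passes this test."""
    return origin_of(url) == trusted


# Constructed sample URLs: one genuine page and five lookalikes modelled on the
# phony login pages described above. The .test domain is reserved for examples.
CONSTRUCTED_URLS = [
    "https://login.example.edu/idp/profile/SAML2",        # genuine
    "http://login.example.edu/idp/profile/SAML2",         # plain http, not https
    "https://login.example.edu.verify-account.test/idp",  # trusted name as a prefix
    "https://login-example.edu/idp",                      # hyphen instead of dot
    "https://logln.example.edu/idp",                      # 'l' where 'i' belongs
    "https://login.example.edu@verify-account.test/idp",  # real name hidden in userinfo
]


def classify(urls=CONSTRUCTED_URLS) -> dict:
    """Map each URL to True (autofill allowed) or False (withhold credentials)."""
    return {u: is_trusted_login_page(u) for u in urls}


if __name__ == "__main__":
    for url, ok in classify().items():
        print("TRUSTED" if ok else "SUSPECT", url)
```

Only the first URL is accepted; every lookalike is refused on the hostname alone, without any judgement about how the page looks.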

Thank you for watching, thanks for protecting UW data, and remember–don’t fall for phishing.