This is week one of Cybersecurity Awareness Month (CSAM), which aims to educate the campus community on ways to better protect themselves and their devices from unauthorized intrusions or cyberattacks. This week we will focus on phishing, a type of social engineering. Social Engineering in the context of IT Security is “any act that influences a person to take actions that may or may not be in their best interest.”
Phishing is an attempt, usually by email, to obtain your personal information in order to commit fraud. Cybercriminals use phishing to manipulate people into doing what they want. Social Engineering in the context of IT Security is “any act that influences a person to take actions that may or may not be in their best interest.” Social engineering is at the heart of all phishing attacks, especially those conducted via email. These days technology makes phishing easy. Setting up and operating a phishing attack is fast, inexpensive, and low risk: any cybercriminal with an e-mail address can launch one.
Right now, members of our community and at other UC campuses are reporting an uptick in fraudulent online banking accounts from Chime and GO2bank. You may see emails with different subject lines. For example:
- Welcome to Chime!
- Congrats! SpotMe is activated
- <YOUR NAME>. Your GO2bank account is ready to go
- Please verify your account
- Please confirm your email address
- Action Required: Activate Features
If you receive any messages like this and you did not open an account or activate any features with one of these banks, do not click any links. Please forward a copy of the email to firstname.lastname@example.org, then contact the bank directly and inform them that an account has been fraudulently created with your name and email address. Please ask them to close the account and confirm that they have done so.
You can contact Chime at 844-244-6363 or email@example.com. You may contact GO2bank at 855-459-1334 or by using one of the methods listed here.
You should always be on the alert for fraud from banks, credit cards, and all other financial institutions. If you receive information about activity that you did not initiate, contact the financial institution and report possible fraud.
Here are a few things you can do to guard against phishing attacks:
- Limit what you share online. The less you share about yourself, the smaller the target you are for a phishing attack. Cybercriminals use information you post online to learn how to gain your trust.
- Protect your credentials. No legitimate company or organization will ask for your username and password or other personal information via email. The University definitely won't. Still not sure if the email is a phish? Contact your IT help desk.
- Beware of attachments. E-mail attachments are the most common vector for malicious software. When you get a message with an attachment, delete it unless you are expecting it and are certain it is legitimate. If you’re not sure, call the sender at a number you know is legitimate to check.
- Confirm identities. Phishing messages can look official. Cybercriminals steal organization and company identities, including email addresses, logos, and URLs that are close to the links they're trying to imitate. There's nothing to stop them from impersonating the university, financial institutions, retailers, a wide range of other service providers, or even someone you know.
- Trust your instincts. If you get a suspicious message that claims to be from an agency or service provider, use your browser to manually locate the organization online and contact them via the website, e-mail, or telephone number that you looked up – not what was provided in the message.
- Check the sender. Check the sender's e-mail address. Any correspondence from an organization should come from an organizational email address. A notice from your college or university is unlikely to come from IThelpdesk@yahoo.com.
- Take your time. If a message states that you must act immediately or lose access, do not comply. Phishing attempts frequently threaten a loss of service unless you do something. Cybercriminals want you to react without thinking; an urgent call to action makes you more likely to cooperate.
- Don't click links in suspicious messages. If you don't trust the e-mail (or text message or post), don't trust the links in it either. Beware of links that are hidden by URL shorteners or text like "Click Here." They may link to a phishing site or a form designed to steal your username and password.
For more information, visit security.ucsb.edu or #phishUCinfosec, and don’t forget to follow @UCSBInfoSec on Facebook, Twitter, LinkedIn, and or Instagram, where you can find the most up to date information there about the events we’re hosting this school year. Thanks again, and we hope you stay cyber safe!
For specific steps you can take to guard against phishing attacks, visit security.ucsb.edu.
Sam Horowitz, Chief Information Security Officer (firstname.lastname@example.org)
Kip Bates, Associate Chief Information Security Officer (email@example.com)
Mirabelle Le, Cybersecurity Awareness Coordinator (firstname.lastname@example.org)