October is Cybersecurity Awareness Month!
Hosted by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCSA), the overarching theme of this month is to encourage individuals and organizations to “own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity”. In addition to this overarching theme, each week of this month will focus on a different aspect of cybersecurity and will include some recommended action items from ITS to help keep your part of cyberspace as secure as possible!
This week’s theme is appropriately called Phight the Phish.
Treat your personal information like cash. Don’t hand it out to just anyone. Verify that the request is legitimate. Don’t be afraid to ask yourself: “Did I expect this email from this sender?” “What is this sender asking for?” and “Why?”
Phishing attacks are a type of social engineering that uses email or malicious websites to infect your machine with malware and viruses or to collect personal and financial information. Cybercriminals attempt to lure people like you and me to click on a link or open an attachment that infects their computers, creating vulnerabilities for criminals to use in further attacks. It’s sometimes difficult to distinguish phishing emails from legitimate messages sent by financial institutions, e-commerce sites, government agencies, or any other service, business, or individual. When you click on a link or provide personal information, attackers use it to access your accounts.
Every time you are asked for your personal information – whether in a webform, an email, a text, or a phone call – think about whether you can really trust the request. In an effort to steal your information, scammers will do everything they can to appear trustworthy. Learn more about scammers who phish for your personal information in the tips section below.
Learn to identify potential phishing attempts
Although phishing attempts are becoming more sophisticated in attempting to fool you, there are some ways to identify a suspicious email. The first thing to look out for is bad spelling, poor grammar, or formatting mistakes. This tends to be an obvious sign that the email is potentially a scam or malware. In addition, threats and statements of urgency by individuals, organizations, and companies you’ve never communicated with before are clear and obvious signs of a phishing attempt. Spoofing attacks use email addresses, sender names, phone numbers, or website URLs that are disguised as a trusted source.
To show you real examples of what attackers may email or text, the Federal Trade Commission’s OnGuardOnline initiative provides (among other helpful resources) three separate phishing attempts:
- “We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below, and confirm your identity.”
- “During our regular verification of accounts, we couldn’t verify your information. Please click here to update and verify your information.”
- “Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.”
Some simple tips to follow
Play hard to get with strangers. Links in email and online posts are often the way cybercriminals compromise your computer. If you’re unsure who an email is from—even if the details appear accurate—do not respond, and do not click on any links or attachments found in the email. Be cautious of generic greetings such as “Hello Bank Customer,” as these are often signs of phishing attempts. If you are ever concerned about the legitimacy of an email, contact Penn Law ITS and we’ll assist in clarifying any potential phishing attempts.
Think before you act. Be wary of communications that implore you to act immediately or with urgency. Many phishing emails and text messages attempt to create a sense of urgency, causing you, the recipient, to fear that your account or information is in jeopardy. If you receive a suspicious email that appears to be from someone you know, reach out to that person directly. If the email comes from an organization but still looks “phishy,” reach out to the organization through its customer service channels to verify that the communication is legitimate.
Be wary of hyperlinks. Avoid clicking on hyperlinks in emails, and hover over links with your mouse to verify their authenticity (for non-Penn Law emails). The actual URL of the link’s destination displays in the lower corner of your browser. Also ensure that URLs begin with “https.” The “s” indicates encryption is enabled to protect people’s information; note that encryption alone does not prove a site is legitimate, so also check that the domain name is the one you expect.
Double your login protection. Enable multifactor authentication (MFA) to ensure that the only person who has access to your account is you. Check your banking, social media, and any other service that requires logging in for the option to enable MFA or 2FA. If MFA is an option, enable it by using a trusted mobile device, like your smartphone’s authenticator app.
If you need any assistance with identifying possible scams, feel free to reach out to Penn Law ITS at email@example.com.
“Don’t believe everything you read on the Interwebs.”