Oct 11, 2022 | Jeremy Shelley, CISO

Cybersecurity is at the forefront of operational priorities at most universities. High-profile data breaches have taught the hard-earned lesson that the protection of data and personally identifiable information (PII) needs to take precedence. Among the most prevalent threats to organizations is phishing.

Phishing is a type of cyberattack that uses email, voice calls or text to entice individuals into providing personal or sensitive information such as passwords, credit card information, social security numbers, or details about a person or organization. Attackers pose as legitimate representatives to gain this information in order to access accounts or systems, often leading to identity theft or significant financial loss.

According to the 2022 Verizon Data Breach Investigations Report (DBIR), phishing scams account for nearly 80% of security incidents. Because these attacks rely on human fallibility rather than the strength of your systems, they can be difficult to combat. Doing so requires diligence by everyone who uses UAH information systems, including you.

How Does Phishing Work?

Phishing scams happen over various forms of communication, notably email, text and voice calls. Attackers are hoping to be trusted, so they make efforts to masquerade as legitimate representatives of organizations, often constructing emails that appear genuine or making phone calls in a manner that sounds like valid requests for information. Phishing works mostly by manipulation and relies on human interaction, with victims unknowingly clicking on a malicious link or providing information to an attacker.

How to Prevent and Protect Against Phishing

To help prevent phishing attacks, you should observe general best practices, similar to those you might undertake to avoid viruses and other malware.

- Make sure your systems are updated to the most recently approved software patches available in accordance with the Security of IT Resources Policy.
- Refrain from disabling or attempting to disable security software installed on your UAH system.
- Be wary of posting your personal information, such as your birthday, on social media.
- Be especially wary of emails whose subject begins with “[EXTERNAL]”, as UAH’s email system adds that tag to alert you when an email originated from a non-uah.edu account.
- Report all spam and phishing emails you receive by clicking the 3 vertical dots in the upper right of the email and choosing either “Report Spam” or “Report Phishing” in the drop-down menu.
- Verify all links in emails before you click on them. Watch the video below for more information on how to examine links. Normally the link information is viewable by hovering over the link. The link may be in the lower left corner of the browser window, depending on your system.
- Only open attachments you are expecting and from a trusted source. When in doubt, check with the alleged sender directly.
- Never give away personal information in an email or unsolicited call. For instance, financial institutions will never call and ask for login credentials or account info.
- Beware of urgent or time-sensitive warnings. Phishing attacks often prompt action by pretending to be urgent. Examples include alerting you to someone changing your bank account information or alerting you to an “F grade”.

Remember, when it comes to thwarting a phishing attack, it’s safer to have a healthy amount of skepticism about what you receive via email. The key to protecting against phishing lies in the ability to recognize the cyberattack as illegitimate. We depend on all of you to help keep UAH safe.