
Avoiding Social Engineering and Phishing Attacks


Social Engineering is the psychological manipulation of people into performing actions or divulging confidential information.  In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be your boss, a new employee, repair person, or researcher and even offering credentials to support that identity.

Phishing is a form of social engineering using email or a malicious website posing as a trusted organization.  Typically, these types of attacks lead the victim to a fake website to obtain login credentials and may request confidential information such as your social security number, credit card number, bank account, etc.

How to Detect Phishing

  1. Scrutinize website links
    • Hover your cursor over hyperlinks in the message. Does the link match the domain name of the organization you trust? If not, do not click the link or open attachments; discard the message.
    • URLs designed to trick you can look legitimate by embedding a familiar name in an unrelated domain or path (e.g. ucmo.somesite.com, somesite.com/ucmo). What matters is the actual domain the link points to, not the name that appears somewhere in it.
  2. Spelling or grammar errors
    • Be wary if you notice misspelled words or grammar errors. Professional organizations rarely publish information without critical review.
  3. Tone of the message
    • Be wary of messages that try to induce panic, invoke a sense of urgency, have a threatening tone, or provide you with an irresistible opportunity.
  4. Generic greetings
    • Messages sent to multiple users might begin with a generic greeting that would apply to anyone (e.g. Hi, Hello).
  5. Purpose of the message
    • Determine the purpose of the message. Is it informational or are you being called to action? Be wary of messages that require you to login, make payment, or reply with sensitive information.
  6. Check the sender address
    • Be wary of email addresses that do not match the organization or person claiming to have sent the email. Be careful, this information is easily spoofed and may appear to be legitimate.
  7. Suspicious or unusual attachments
    • Treat all attachments and links with extreme caution, they may contain malware.


How to Detect Scams

Be wary of common indicators found in SCAM emails:

    • Opportunity to make money
    • Requests to send money for someone you have never met
    • The message invokes a sense of urgency
    • Your Grades or Enrollment status are affected
    • Requests to respond using alternate email or personal phone number
    • Mismatching contact information: the reply-to address does not match information in the message
    • Use of unofficial email addresses for UCM faculty or staff
    • Requests to send money using unconventional payment methods (e.g. Bitcoin, gift cards, preloaded debit cards, iTunes cards, etc.)
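The link check in "Scrutinize website links" and the reply-to mismatch above can both be expressed as a mechanical test. The following is an added example (not code from UCM's page): it treats ucmo.edu as the assumed trusted domain, parses a constructed sample message, and flags links whose real host is outside that domain as well as a Reply-To domain that differs from the From domain.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed trusted domain for this example (the page's examples use "ucmo").
TRUSTED_DOMAIN = "ucmo.edu"


def host_belongs_to(host: str, trusted: str) -> bool:
    """True only when host is the trusted domain or a real subdomain of it.
    The right-hand end of the hostname decides: 'ucmo.somesite.com' and
    'somesite.com/ucmo' (host 'somesite.com') both fail this test."""
    host = host.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def link_is_suspicious(url: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    parsed = urlparse(url if "://" in url else "http://" + url)
    return not host_belongs_to(parsed.hostname or "", trusted)


def domain_of(address: str) -> str:
    """Domain part of an RFC 5322 address, display name stripped."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw_message: str, trusted: str = TRUSTED_DOMAIN) -> list:
    msg = email.message_from_string(raw_message)
    findings = []
    sender, reply_to = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    # From is easily spoofed, so a matching sender proves nothing; a mismatch is still a signal.
    if reply_to and reply_to != sender:
        findings.append(f"reply-to domain {reply_to} differs from sender domain {sender}")
    if sender and not host_belongs_to(sender, trusted):
        findings.append(f"sender domain {sender} is not {trusted}")
    for url in re.findall(r"https?://[^\s<>\"']+", msg.get_payload()):
        if link_is_suspicious(url, trusted):
            findings.append(f"link host is outside {trusted}: {url}")
    return findings


# Constructed sample message: spoofed trusted sender, foreign Reply-To, lookalike link.
SAMPLE = """From: IT Help Desk <helpdesk@ucmo.edu>
Reply-To: helpdesk@ucmo-support.com
Subject: Urgent: verify your account

Your account will be closed in 24 hours. Sign in at
https://ucmo.somesite.com/login to keep access.
"""
```

The sample yields two findings (the Reply-To mismatch and the lookalike link); the trusted From header passes, which is exactly why the page warns that sender information is easily spoofed.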

How to avoid being a victim

  1. Think before you click
    • Do not click links or open attachments in unsolicited emails. Curiosity is your enemy. Clicking on suspicious links or attachments could expose you to malicious code designed to exploit a vulnerability in your web browser or operating system. Instead, use your own bookmark or type the URL into your web browser to visit the website.
  2. Always verify requests for sensitive information or payment
    • Research businesses and companies before providing personal information, applying for jobs, or making housing payments.
    • Contact the organization or individual to determine if the request for information is legitimate. Do not use contact information provided in the email.
    • Never provide sensitive information via email.
    • Never provide sensitive information or payment to individuals or organizations you do not trust.
    • Be wary of emails from senior leaders. A common scam is to pose as a senior leader to entice you into taking action such as sending W-2's or making financial transfers. These scams often induce a sense of urgency and/or a desire for confidentiality.
    • Non-standard payment methods such as gift cards, wire transfers, or bitcoin are high indicators of a scam.
    • Get a second opinion from a family member or friend.
    • Do not deposit checks from people you do not know.
  3. Protect your personal computer with a firewall and anti-virus software.
    • Firewalls and anti-virus software add a layer of protection to help prevent malicious software from accessing your computer. Do not be lulled into a false sense of security, as these security controls can be circumvented by your own actions: think before you click.
  4. Update your applications and Operating System
    • New vulnerabilities in software are constantly being discovered and software developers are in a race to release patches. Be especially vigilant in updating your web browser and related plug-ins.

Example Spear Phishing Email

[Image: example spear phishing email]

What to do when you detect a phishing email

The most important thing you can do is to report it. In Gmail, next to the reply button, click the three vertical dots and select "Report phishing". This action will trigger a notification to UCM's Information Security team.

Please do not use this method to report "Unwanted Email" (SPAM). Instead, use "Report SPAM". This action will train your email filter to deliver your unwanted mail to your SPAM folder.

What to do if you become a victim

  1. If you revealed your password, change it immediately.

  2. If you revealed sensitive information about the University, University network ID, or MyCentral account, report the incident to the Technical Support Center (TSC) at 660-543-4357 or tsc@ucmo.edu.

  3. If your financial information is compromised, contact your financial institution immediately.

  4. If you provided personal or financial information to an illegitimate site, file a report with the . 

    Victims of phishing and scams could become victims of identity theft; the provides steps you can take to minimize your risk.  You may contact UCM Public Safety or other law enforcement agency for additional assistance and information.

Additional Resources

 by the Federal Trade Commission

 by the United States Computer Emergency Readiness Team (US-CERT)

by the Cybersecurity and Infrastructure Security Agency (CISA) was reproduced under .

by google.com 
