Phishing is a method widely used by cyber criminals to reach USNH students, staff, and faculty. These cyber criminals are often attempting to gain access to private information, which they then sell, resulting in identity theft and other cybercrime. As a member of the USNH community, you are a target of phishing and other cybercrime. Read on for further information.
- What is Phishing?
- How Does Phishing Work?
- Why is USNH a Target for Phishing?
- How Does Phishing Endanger USNH?
- USNH's Phishing Awareness Program
- How to Spot a Phishing Message
- What to Do if You Receive a Message You Think is Phishing
- Phishing Awareness Resources at USNH
What is Phishing?
Phishing is a form of cybercrime that uses email and other communication mechanisms to trick people into divulging personally identifiable information, or PII. PII is data that, either on its own or when combined with other data, can be used to identify a specific individual. Social Security numbers, bank account numbers, credit card numbers, medical records, educational records, mailing addresses, biometric records, and username and password combinations are all examples of PII.
Phishing Statistics:
- 85% of breaches involved a human element. (1)
- Almost half of the confirmed breaches in the education sector involved social engineering tactics. (1)
- Phishing/pretexting is the most prevalent social engineering tactic used against educational institutions. (1)
- 85+% of phishing attacks are used to steal credentials. (1)
1. Verizon Data Breach Investigations Report 2021
How Does Phishing Work?
Cybercriminals pose as legitimate businesses or organizations and send deceitful messages to trick their victims into:
- Providing their credentials (username and password) or other personally identifiable or private information
- Launching malicious files on their computers
- Opening links to infected websites
- Opening attachments that plant malware on the user's device, where it captures credentials and other PII as the user types them in
While the majority of phishing messages are delivered via email, they can also come from other sources, including:
- Phone calls/voicemails
- Fraudulent software (e.g., fake anti-virus)
- Social Media messages (e.g., Facebook, Twitter)
- Advertisements
- Text messages
Why is USNH a Target for Phishing?
USNH, UNH, KSC, and PSU store and manage hundreds of thousands of records containing PII, which makes us a target-rich environment. The market for stolen PII is enormous, and a single piece of stolen PII can sell for anywhere from a couple of dollars to a couple of thousand dollars, depending on the type of information. This makes USNH a lucrative target for phishers.
How Does Phishing Endanger USNH?
Phishing is one of the top cybersecurity threats the University System faces because it is often the primary attack vector used to obtain the information needed to launch other types of attacks. Simply opening an email, replying to an email, voicemail, or text, opening an attachment, or clicking on a link in a phishing message poses a serious security risk to you and to the University System as a whole.
Some of the risks involved are:
- Identity Theft:
- Once you provide your personal information in response to a phishing attempt, it can be used to access your financial accounts, make purchases, or secure loans in your name.
- Additionally, stolen PII can constitute a reportable breach, which poses a significant financial risk to USNH.
- Compromising Institutional Information:
- If your account is compromised, cybercriminals may be able to access sensitive institutional information such as research data.
- Credentials obtained via phishing can be used to get inside the USNH network, making it easier for cybercriminals to move laterally toward protected resources.
- Loss of Data:
- Some phishing attacks attempt to deploy crypto malware, also known as ransomware, on your machine: malicious software that encrypts the files on a computer and denies the owner access to them until a ransom is paid.
- Ransomware attacks can result in the loss of personal data as well as institutional and/or research data that is improperly stored on a single user device.
- Malware Infection:
- Some fraudulent emails include links or attachments that, once clicked, download malicious software to your computer.
- Others install keystroke loggers that record your computer activity, including the entry of usernames and passwords, both those used to access your USNH accounts and those for any personal accounts (like your bank website) accessed from that device.
- Compromising Personal Information:
- If your account is accessed, attackers will scan it for information about your contacts and will in turn attempt to phish them for their sensitive information.
- Phishers may also send emails and social media messages from your accounts in an attempt to gain information from your family, friends, and colleagues.
USNH's Phishing Awareness Program
USNH's Phishing Awareness Program provides USNH community members with a realistic phishing experience in a safe and controlled environment. Periodically, USNH community members are sent simulated phishing emails that imitate real attacks. This type of awareness training gives the University community the opportunity to become familiar with, and more resilient to, the tactics used in real phishing attacks.
There is no penalty for falling for one of the simulations. USNH community members who are susceptible to a simulated phishing attack are notified immediately that it was a simulation and presented with educational material designed to decrease future susceptibility. Any reporting on susceptibility is done in aggregate; only the members of the Information Security Services team who administer the program have access to information on specific individuals' susceptibility.
As the program matures, community members as a whole should be better able to spot phishing attacks, both at home and in the workplace.
How to Spot a Phishing Message
There are often clues hidden in a phishing message that you can use to determine if a message you have received is a phishing message including:
- The message creates a sense of urgency meant to inspire a quick user response, generally by indicating the user needs to take action immediately in order to:
- Avoid a negative consequence like having email access shut off
- Get a positive benefit like a financial incentive
- See or learn something exciting or forbidden
- Most phishing messages include at least two of the following telltale phishing features:
- Shows a sender display name that does not match the email address it is actually sent from
- Claims to be from a legitimate company but comes from an email address that is not linked to that company (e.g., claims to be from DHL but comes from a Gmail account)
- Has no branding of any kind (no USNH or other company logo, email signature, etc.)
- Includes references to USNH departments or services that do not exist
- Uses unusual words, syntax, or phrasing; contains simple spelling and grammar mistakes
- Includes direct links to login pages
- Includes an attachment with a generic name
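Several of the clues above can be checked mechanically from a message's headers and body. The following Python checker is an added example, not USNH code and not part of the original page: it parses a raw message with the standard library and flags a mismatched display name, a brand claim from an unrelated domain, a Reply-To pointing elsewhere, urgency wording, direct login links, link text that disagrees with the link target, and generically named attachments. The brand-to-domain table, the keyword lists, the sample addresses, and both sample messages are constructed for illustration.

```python
import re
from email import policy
from email.headerregistry import Address
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed table of brands and the domains they legitimately send from
# (constructed for this example; a real checker would load the institution's list).
BRAND_DOMAINS = {"dhl": {"dhl.com"}, "unh": {"unh.edu", "usnh.edu"}}
URGENCY = re.compile(r"\b(immediately|within 24 hours|suspended|urgent|final notice|shut off)\b", re.I)
LOGIN_URL = re.compile(r"login|signin|sign-in|verify|password", re.I)
GENERIC_NAME = re.compile(r"^(document|invoice|file|scan|attachment)\d*\.\w+$", re.I)
EMAIL_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host):
    """Last two labels of a hostname; no public-suffix list (a simplification)."""
    labels = (host or "").lower().strip(".").split(".")
    return ".".join(labels[-2:])


def addr_domain(addr):
    return base_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def phish_indicators(raw):
    """Return the telltale features found in one raw RFC 5322 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr_domain(addr)
    # Display name shows one address while the header is really sent from another.
    shown = EMAIL_IN_TEXT.search(name)
    if shown and addr_domain(shown.group()) != from_dom:
        hits.append(f"display name shows {shown.group()} but sent from {addr}")
    # Claims a brand whose known sending domains do not include the sender's.
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", name, re.I) and from_dom not in domains:
            hits.append(f"claims to be {brand} but sent from {from_dom}")
    # Replies are steered to a third domain.
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and addr_domain(reply) != from_dom:
        hits.append(f"Reply-To goes to {reply}")
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    if body_part is not None and body_part.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(body)
        links, text = collector.links, re.sub(r"<[^>]+>", " ", body)
    else:
        links, text = [(u, u) for u in re.findall(r"https?://\S+", body)], body
    if URGENCY.search(msg.get("Subject", "") + " " + text):
        hits.append("urgency language in subject or body")
    for href, label in links:
        host = urlparse(href).hostname or ""
        if LOGIN_URL.search(href):
            hits.append(f"direct link to a login page: {href}")
        shown_dom = DOMAIN_IN_TEXT.search(label)  # link text that looks like a URL
        if shown_dom and base_domain(shown_dom.group(1)) != base_domain(host):
            hits.append(f"link text says {shown_dom.group(1)} but goes to {host}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if GENERIC_NAME.match(fname):
            hits.append(f"attachment with a generic name: {fname}")
    return hits


def build_sample(phish):
    """Two constructed messages (not real captures): a phish and a routine notice."""
    msg = EmailMessage()
    msg["To"] = "student@unh.edu"
    if phish:
        msg["From"] = Address("UNH IT Help Desk helpdesk@unh.edu", "alerts.unh2024", "gmail.com")
        msg["Reply-To"] = "recover-access@mail-unh-support.com"
        msg["Subject"] = "Action required: your mailbox will be shut off in 24 hours"
        msg.set_content("Your mailbox will be shut off. Verify immediately.")
        msg.add_alternative(
            "<p>Your mailbox will be shut off within 24 hours.</p>"
            '<p><a href="http://unh-secure-login.com/login.php">https://my.unh.edu/</a></p>',
            subtype="html")
        msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                           subtype="pdf", filename="Document1.pdf")
    else:
        msg["From"] = Address("UNH IT Help Desk", "helpdesk", "unh.edu")
        msg["Subject"] = "Scheduled maintenance on Saturday"
        msg.set_content("Email will be unavailable Saturday 6-8 am. No action is needed.")
    return msg.as_bytes()


if __name__ == "__main__":
    for label in ("phish", "legit"):
        print(label, phish_indicators(build_sample(label == "phish")))
```

Run against the constructed phish the checker reports all seven features it looks for, and the routine notice reports none. Each rule is a heuristic, not proof: a real message from a vendor's mailing service can trip the brand or Reply-To rules, so treat the output as a reason to confirm the message, not as a verdict.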
What to Do if You Receive a Phishing Message
Confirm It
- Check The Phishbowl to see if it is a known phishing email
- Legitimate University communications that have been reported as phishing are also posted there for your reference
- If you don't see it on The Phishbowl, don't assume it is legitimate! It may be an unknown phish that hasn't been reported yet.
Report It
- Use the 'Report Message' drop-down menu in Outlook to report an email as phishing to our Cybersecurity Team
- If you are unsure about a message and cannot confirm it is legitimate, forward it to phishing.report@unh.edu and then delete the message; or
- If you click a phishing link or open an attachment, report it to your institution's IT Help Desk. Sometimes just clicking the link is enough to compromise your device, even if you don't enter your credentials.
Think Twice...Before Entering Your Credentials
- Always confirm a login page before entering your credentials
- Some phishing messages link to a fake, institution-branded login page that looks just like the real one
- Others link to generic login pages dressed up with institution branding
- Keep your credentials safe by following these steps:
- Contact your institution's Help Desk and ask them to confirm the login page that should be used for a specific service or application
- If it is a login page for another company, go to the company's website and log in from their official site
- If you aren't sure, DO NOT enter your credentials!
IT HelpDesk Contact Information
- Keene State - 603-358-2532
- Plymouth State - 603-535-2929
- UNH - 603-862-4242
Phishing Resources
The Phishbowl
The Phishbowl provides USNH users with a self-service way to determine if an email they have received is a known phishing attempt.
For questions about phishing or to arrange in-person training for a department or group on campus, contact USNH Cybersecurity.