2022-03-07

You check your inbox and see an offer that looks too good to be true: $500 weekly just to enter numbers for one to two hours a week? As a student working off campus, you feel like you hit the jackpot. Instead of thinking about the opportunity, you think about what you could do with all that extra time, and how you could start accruing a savings account. Even better, you finally consider what college would be like without relying on your part-time service job.
Without thinking too deeply, you click the link on the email and provide your UW NetID log-in credentials. Instead of receiving a follow-up email from the professor supposedly responsible for this opportunity, you hear that their email was compromised and that you fell victim to a scam.
The situation may sound familiar to victims of phishing scams. Phishing — one of the most prominent cybersecurity breaches — manipulates human vulnerabilities to get the victim to give up sensitive information on a false premise of trust.
The Office of the Chief Information Security Officer (CISO) provides specific resources and training to teach students, faculty, and staff about how to navigate safely online. Melissa Albin, an information security analyst for CISO cyber intelligence, created several videos and infographics to explain why phishing is important and how to prevent breaches in your confidential information.
There are two major forms of phishing: spear phishing and whaling. Spear phishing refers to emails that appear to come from a trusted sender — such as UW, your bank, or a hospital — and attempt to solicit sensitive information. These are more common and can catch anyone off guard, including security professionals.
Whaling is a form of phishing where the sender claims to be a high authority (i.e. someone who you ordinarily would not communicate with), such as a Nigerian prince or the CEO of a Fortune 500 company, and asks for you to reveal sensitive information.
Both forms of phishing are used to gain credentials and potentially initiate a ransomware attack — a type of cybersecurity breach, still rising in prevalence, in which the adversary encrypts your files or otherwise renders them inaccessible unless you obtain a decryption key.
Ransomware as a Service (RaaS) is a business model where users can pay someone to conduct a ransomware attack against a target.
“One way ransomware is delivered is through phishing,” Albin said during a ransomware training. “Cyber thieves may send links in email, but they also may attack your computer with infected attachments, such as invoices. Or they may take advantage of vulnerabilities in software and technologies such as Remote Desktop Protocol.”
Despite the ongoing threat of phishing, there are several ways to protect yourself and be informed before clicking links or downloading files in an email.
There are ways to check the link provided in an email to ensure it is valid without clicking on it. Most email clients and web browsers will show you the link's destination address when you hover over it.
Andrew Reifers, associate teaching professor in cybersecurity, said that if the hover feature does not indicate the immediate address (i.e. a link that reads goodguy.com leads to badguy.com), you can check the hyperlink attribute embedded into the hypertext markup language, or HTML, script.
In HTML, you can attach a link to a piece of text by wrapping it in the <a> (anchor) tag. For example, `<a href="badguy.com/dobadstuff">goodguy.com/goodstuff</a>` will lead to the address captured in the href attribute: that attribute tells your browser where to go when you click the embedded text, regardless of what the text itself says.
Being able to compare the link in the href attribute against the text provided is a simple way to assess whether the email is prompting you to go to a trusted source.
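The comparison described above can be automated. The following script is an added example, not code from the article or from UW, and it assumes a constructed email body (SAMPLE_EMAIL_HTML) plus hypothetical helper names (hostOf, looksLikeUrl, findDeceptiveLinks); it flags every anchor whose visible text looks like a URL but whose href points at a different host.

```javascript
// Added example (not from the article): scan an email's HTML body for anchor
// tags whose visible text names one host while the href goes to another,
// i.e. the "goodguy.com text, badguy.com href" pattern.

// Host of a URL string, lower-cased, leading "www." dropped. A bare
// "badguy.com/dobadstuff" with no scheme is treated as https so that the
// URL parser accepts it. Returns null when the string is not a URL at all.
function hostOf(urlText) {
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(urlText)
    ? urlText
    : "https://" + urlText;
  try {
    return new URL(withScheme).hostname.toLowerCase().replace(/^www\./, "");
  } catch {
    return null;
  }
}

// Does the anchor's visible text look like a domain name or URL?
function looksLikeUrl(text) {
  return /^(https?:\/\/)?[a-z0-9-]+(\.[a-z0-9-]+)+(\/\S*)?$/i.test(text.trim());
}

// One record per <a ... href=...>text</a>: href, visible text, and whether
// the two disagree on the host. Text that is not a URL ("click here") has
// nothing to compare, so mismatch is false; its href still deserves a look.
function findDeceptiveLinks(html) {
  const anchorRe =
    /<a\b[^>]*\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>([\s\S]*?)<\/a>/gi;
  const results = [];
  for (const m of html.matchAll(anchorRe)) {
    const href = m[1] ?? m[2] ?? m[3];
    const text = m[4].replace(/<[^>]+>/g, "").trim();
    const hrefHost = hostOf(href);
    const textHost = looksLikeUrl(text) ? hostOf(text) : null;
    results.push({ href, text, mismatch: textHost !== null && hrefHost !== textHost });
  }
  return results;
}

// Constructed sample email body (not a real message) for demonstration.
const SAMPLE_EMAIL_HTML = `
  <p>Earn $500 weekly! Apply at
  <a href="badguy.com/dobadstuff">goodguy.com/goodstuff</a> today.</p>
  <p>Questions? See <a href='https://www.goodguy.com/faq'>goodguy.com/faq</a>
  or <a href="https://badguy.com/login">click here</a>.</p>`;

for (const r of findDeceptiveLinks(SAMPLE_EMAIL_HTML)) {
  console.log(r.mismatch ? "MISMATCH" : "ok      ", r.text, "->", r.href);
}
```

Only the first link is reported as a mismatch; the second agrees once the leading "www." is normalized away, and the third has no URL-looking text to compare.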
Beyond these simple tactics, UW and other public institutions follow other practices to ensure you log in to a trusted site rather than giving any credentials directly in an email. Most UW services will ask you to log in to your MyUW or another account to check issues regarding your financial aid, courses, and other changes in your academic status.
“Only provide or update your personal information through MyUW,” Albin wrote in an email. “The UW will use the information you have provided in MyUW to communicate with you or disburse aid to you. For more information about emergency aid, see the Student Financial Aid Office website.”
What should you do if you have been compromised? Be sure to change your passwords immediately, especially if you used the same passwords for multiple accounts (and if you are guilty of this, most security professionals recommend switching to a password manager that generates complex passwords for each account you use).
After changing your credentials, closely monitor your account activity to make sure nothing unauthorized is occurring. Falling victim to phishing or otherwise experiencing a breach in an account is a cause for concern, but not for panic. Implement multi-factor authentication if you have not already and follow these tips to stay safe.
