What is Phishing?
Cyber criminals use email in malicious ways to gain access to data. Like a fisherman uses a hook to get a fish, the ultimate goal is to convince you to provide them with information they want. Phishing email often appears legitimate, so users fall for requests to click on links, open attachments, visit websites, or to respond to the sender with personal information.
Phishing attacks might involve one or more of these tactics:
Attackers will attempt to steal your University NetID/password or other sensitive login information.
Attackers will attempt to compromise your computer system by delivering malware through phishing emails.
Social Engineering is a psychological attack where you are tricked into doing something through various manipulation techniques.
Social engineering attackers commonly look to scam their victims out of money (often discussing money transfers or job offers).
What should I do if I suspect I have been phished?
Scenario: I have clicked on a phishing attachment, downloaded/ran a suspicious file, or experience suspicious behavior on my University computer.
Take Action: Report the behavior to the cybersecurity office by emailing email@example.com. The cybersecurity team will follow up with next steps, usually investigating the file and running a malware scan.
Scenario: I have accidentally given out my password.
Take Action: Immediately change your password for your University account, visit the NetID center at go.uis.edu/password.
Scenario: I have accidentally given out my personal information to a phishing attacker.
Take Action: Depending on the sensitive information given out, you may benefit from following the steps to recover from identity theft. The Identity Theft page on the FTC's website is a useful webpage which reviews common steps to take in response to identity theft. To file an identity theft report, you can contact campus police at 217-206-6690 if on campus, or your local police department if off campus.
What should I watch for to prevent being phished?
- Verify the authenticity of a message by researching the program/company online, confirming the email links to their legitimate website, and by analyzing the email content for anomalies. Attackers will often use intimidating or hurried language to get immediate action, it’s better to wait and confirm something is legitimate before acting. You can reach out to firstname.lastname@example.org to confirm an email is legitimate.
- Running unknown files is dangerous and can lead to a malware or ransomware attack. Always make sure programs and attachments are from trustworthy sources before running them, reach out to email@example.com if you are unsure of the authenticity of a file.
- Watch out for fake web pages that ask for information such as name, DOB, SSN, Driver’s license #, address, etc. Always be cautious when entering sensitive information online.
For additional help on identifying phishing and email spoofing attempts, you can try out a phishing training module at https://www.uis.edu/its/it-security/phishing-training.