National Cybersecurity Awareness Month (NCSAM) is an opportunity to engage and inform the community about cybersecurity in order to create a safer, more secure, and more resilient cyber environment. This year marks the 11th anniversary of NCSAM, sponsored by the Department of Homeland Security and the National Cyber Security Alliance.
During the month of October, the University of Miami Information Technology (UMIT) department will be sharing important information, tips, and resources that will focus on different cybersecurity issues, including cyber crime, mobility, and online safety.
This week, UMIT focuses on phishing email scams. At times, these malicious emails look official, as if they come from a University source, while at other times they contain completely generic content. Phishing emails are crafted to elicit curiosity and encourage individuals to click on Web links hosted at malicious sites. A best practice is to never click on Web links embedded in the body of an email when you are unsure of the sender’s identity.
What are “phishing” emails?
The most common forms of phishing are emails pretending to be from a legitimate retailer, bank, organization, or government agency. The sender asks you to “confirm” your personal information for some made-up reason: your account is about to be closed, an order for something has been placed in your name, or your information has been lost because of a computer problem. Another tactic phishers use is to say they’re from the fraud departments of well-known companies and ask you to verify your information because they suspect you may be a victim of identity theft. In one case, a phisher claimed to be from a state lottery commission and requested people’s banking information to deposit their “winnings” in their accounts.
Here’s what you should do to protect yourself from email phishing:
• Never click on links within emails
Fraudsters use these links to lure people to phony websites that look just like the real sites of the company, organization, or agency they’re impersonating. If you follow the instructions and enter your personal information on the website, you’ll deliver it directly into the hands of identity thieves. To check whether the message is really from the company or agency, call it directly or go to its website (use a search engine to find it).
• Beware of “pharming”
In this latest version of online ID theft, a virus or malicious program is secretly planted in your computer and hijacks your Web browser. When you type in the address of a legitimate website, you’re taken to a fake copy of the site without realizing it. Any personal information you provide at the phony site, such as your password or account number, can be stolen and fraudulently used.
• Never enter your personal information in a pop-up screen
Sometimes a phisher will direct you to a real company, organization, or agency’s website, but then an unauthorized pop-up screen created by the scammer will appear, with blanks in which to provide your personal information. If you fill it in, your information will go to the phisher. Legitimate companies, agencies, and organizations don’t ask for personal information via pop-up screens. Install pop-up blocking software to help prevent this type of phishing attack.
• Protect your computer with spam filters, anti-virus and anti-spyware software, and a firewall, and keep them up to date
A spam filter can help reduce the number of phishing emails you get. Anti-virus software, which scans incoming messages for troublesome files, and anti-spyware software, which looks for programs that have been installed on your computer and track your online activities without your knowledge, can protect you against pharming and other techniques that phishers use. Firewalls prevent hackers and unauthorized communications from entering your computer—which is especially important if you have a broadband connection because your computer is open to the Internet whenever it’s turned on. Look for programs that offer automatic updates and take advantage of free patches that manufacturers offer to fix newly discovered problems. Go to www.onguardonline.gov and www.staysafeonline.org to learn more about how to keep your computer secure. If in doubt, contact your system administrators to confirm your workstation is equipped with appropriate safeguards.
• Open email attachments only if you’re expecting them and know what they contain
Even if the messages look like they came from people you know, they could be from scammers and contain programs that will steal your personal information.
• Know that phishing can also happen by phone
You may get a call from someone pretending to be from a company or government agency, making the same kinds of false claims and asking for your personal information.
• If someone contacts you and says you’ve been a victim of fraud, verify the person’s identity before you provide any personal information
Legitimate credit card issuers and other companies may contact you if there is an unusual pattern indicating that someone else might be using one of your accounts. But usually they only ask if you made particular transactions; they don’t request your account number or other personal information. Law enforcement agencies might also contact you if you’ve been the victim of fraud. To be on the safe side, ask for the person’s name, the name of the agency or company, the telephone number, and the address. Get the main number from the phonebook, the Internet, or directory assistance, then call to find out if the person is legitimate.
• Job seekers should also be careful
Some phishers target people who list themselves on job search sites. Pretending to be potential employers, they ask for your social security number and other personal information. Follow the advice above and verify the person’s identity before providing any personal information.
• Be suspicious if someone contacts you unexpectedly and asks for your personal information
It’s hard to tell whether something is legitimate by looking at an email or a website, or talking to someone on the phone. But if you’re contacted out of the blue and asked for your personal information, it’s a warning sign that something is “phishy.” Legitimate companies and agencies don’t operate that way.
• Act immediately if you’ve been hooked by a phisher
If you provided account numbers, PINs, or passwords to a phisher, notify your system administrator immediately. For information about how to put a “fraud alert” on your files at the credit reporting bureaus and other advice for ID theft victims, contact the Federal Trade Commission’s ID Theft Clearinghouse, www.consumer.gov/idtheft or 877-438-4338, TDD (202) 326-2502.
• Report phishing, whether you’re a victim or not
Alert your system administrator or the agency that the phisher was impersonating. You can also report the problem to law enforcement agencies through NCL’s Fraud Center, www.fraud.org. The information you provide helps to stop identity theft.
Cybersecurity begins with a simple message everyone using the Internet can adopt: Stop, Think, Connect. Take security and safety precautions, understand the consequences of your actions and behaviors online, and enjoy the benefits of the Internet.
To learn more, and for tips on how to protect yourself from phishing, please contact UMIT Security at firstname.lastname@example.org.
If you suspect you may be a victim of phishing, please contact the UMIT Service Desk immediately:
- Coral Gables/RSMAS campuses: 305-284-6565, email@example.com
- Miller School of Medicine campus: 305-243-5999, firstname.lastname@example.org