Falling for a Phish Can Lead to an MFA Bombing Attack

Phishing attacks are frequently carried out through emails or texts that appear to come from a reputable source. Cybercriminals are skilled at using deceitful tactics to trick users into revealing personal information such as logins or credit card information. Common phishing tactics include:

Unsolicited work opportunities that lead to requests for bank routing information, or ask the new “employee” to purchase supplies, with the promise of reimbursement
Messages warning of an imminent deactivation of your accounts, such as bank accounts, social media accounts, or subscription services
Emails allegedly from the IRS, FBI, or other federal agency threatening legal action, and directing you to imposter websites requiring you to enter personally identifying information
Urgent requests from fake email accounts impersonating a high-level person in your organization, asking you to purchase gift cards or submit your credit card information.

Pay close attention to any email asking for GatorLink login credentials. Unauthorized access to your GatorLink account can expose your personal or academic information. Once a GatorLink login is compromised, the attacker may repeatedly spam Duo Push requests to your device — otherwise known as “MFA Bombing” — hoping you will accept just to make the requests stop. Approving an unexpected Duo request gives the criminal access to your account. Visit the MFA bombing webpage to learn more about this form of cyberattack.

Cybercrime Spikes at Start of Semester

Phishing emails, with malware and dangerous links embedded in them, increase at the start of each semester. Why? Cybercriminals know that new faculty, students, and staff do not yet understand what to expect from UF emails, and whether asking for GatorLink password information in an email is standard conduct. (It isn’t.)

In addition to phishing, social engineering includes deceitful activities like spear phishing, smishing, tailgating, and doxxing. Make time to review the Information Security Office’s
social engineering webpage and become familiar with techniques that cybercriminals use. To help the UF community better understand phishing, Dr. Amanda Phalin, Faculty Senate chair and senior lecturer in Warrington’s Management Department, recorded this video, which explains what it is and how it works.

In the past 12 months, UFIT’s security detection systems have caught 98.5% of phishing messages sent from outside the university. Still, some phishing emails do get through. That’s why being vigilant about what you click on is so important. The phish alert report button in GatorMail lets you report suspicious messages. If you receive an email you suspect is a phish, highlight the email and click on the phish alert report button. This action sends the potentially malicious email directly to the Information Security Office so staff can investigate. Emails from outside UF are marked with the [External Email] banner. Apply extra caution when you see this banner, especially if they purport to be from someone at UF.

Have a great semester and GO GATORS!

Social Engineering Pages Added to Website

UFIT recently added new pages to https://security.ufl.edu/ that educate about social engineering scams. The university community is a huge target for social engineering attacks–attacks that include phishing and smishing. By reviewing the social engineering webpages, Gators can learn the difference between everyday communications and an actual social engineering attack.

https://security.ufl.edu/resources/protect-my/socialengineering/

Received a text recently saying your UF email account will be suspended if you don’t certify your account via the link provided? Smish! UFIT has tracked significant growth in social engineering attempts like this in the past year. Social engineering attempts range from fake bank texts and “extended warranty” phone calls to emails pretending to be from UF professors offering $350 per week jobs. Having a large community on one network is extremely attractive for cyber-scammers. So, helping all Gators better understand which communications are legitimate and which are fraudulent keeps all us safer from attacks.

It only takes one click on a malicious link to cause a world of hurt. Learn to recognize social engineering tactics and help secure UF! If you are unsure whether an email or text purporting to be from UF is legitimate, you can always ask the UFIT Help Desk for assistance.