Phishing – University of Florida Information Technology News

Updated Info Security Training for 2023

Posted on July 13, 2023July 16, 2023 by tgale@ufl.edu

Just in time for the new academic year! UF’s Information Security Office has updated its mandatory annual training. Faculty and staff will receive an email reminder on their one-year anniversary of their previous training completion date, but can take the training any time. There are six modules in the training and they take approximately 35-45 minutes to complete. Visit this page to take the training.

The number one cause for compromised GatorLink accounts is when a student, faculty, or staff member opens and responds to a phishing email.

Students can take the phishing module that’s part of the full training. The stand-alone phishing module is a great way to become better informed about how cyber-criminals operate. Now that you’ll be interacting with campus departments and faculty (who cyber-criminals will try to impersonate), students are strongly encouraged to learn how phishing works. Students can find the link to the phishing module training in the ONE.UF menu. The 15-20 minutes you invest in taking the phishing training can pay off in a big way when you learn how to spot and report malicious emails, instead of opening one and inadvertently bringing on a world of hurt on yourself…and potentially your university.

Increasing in Higher Ed: Malware Attacks

Posted on June 12, 2023 by tgale@ufl.edu

Malware attacks against higher education increased by 26% last year. With a reported 191+ million malware attacks in 2022 in the state of Florida alone, cyber-awareness is as important on college campuses as writing skills and advanced math knowledge. Cybercriminals frequently target universities through malware attacks to steal sensitive and restricted data, such as student and employee social security numbers, protected health information, and credit card information. Malware is malicious software or code that steals, encrypts, and/or deletes sensitive information after being introduced to a device through phishing emails, compromised flash drives, fraudulent websites, and peer-2-peer file sharing sites. According to SonicWall, the 10 most common malware file names are:

1. purchase order.exe
2. soa.exe
3. invoice.exe
4. swift copy.exe
5. quotation.exe
6. img-order-confirmation-pdf.exe
7. payment copy.exe
8. ziraat bankasi swift mesaji.exe
9. shipping documents.exe
10. new order.exe

If you receive what you think is a suspicious email or an email with one of these .exe files attached, do NOT open, reply, or click any embedded links or files. Report suspicious emails received in your GatorMail inbox using the phish alert button. Faculty, students, and staff can become better cyber equipped by taking the free training available through the UF Information Security Office.

Safely Use Virtual Payment Apps

Posted on May 4, 2023 by tgale@ufl.edu

Scammers use peer-to-peer (P2P) payment apps like Cash App, Zelle, and Venmo to steal money. According to the Pew Research Center, 10% of P2P app users have been scammed. P2P apps allow users to easily send money with a phone tap. But if it’s convenient for you, it’s also convenient for scammers.

Vishing or smishing is often used to initiate P2P scams. For example, a scammer may impersonate a bank representative in a call or text to a victim about a “suspicious transaction” on their Zelle account. The scammer will request the victim’s bank login information to resolve the concern but will use the information to steal money. A bank representative will never ask for your username and password to access your account. Stay cyber-secure by only sending money to people you know, and double-checking you are sending money to the correct name, phone number, and username. Also, you should only use a credit card for transactions with strangers, because credit cards have fraud protection. And Gators, make sure to allow app updates (or install them when they become available on your device) for the latest security enhancements, like multi-factor authentication updates and app safety features.

Learn to protect yourself online by becoming more cyber-aware. Schedule a ½ hour to take the https://security.ufl.edu/resources/training/information-security-training/ today.

Enter Phishle Contest to Win Gift Card

Posted on May 30, 2022October 2, 2022 by tgale@ufl.edu

The UF Information Security Office’s annual summer contest is open June 1 – 30, 2022. This year, all you have to do is play Phishle — UFIT’s information security take on the popular game “Worldle®” — to qualify for weekly gift card drawings.

Never played Phishle? Like Wordle®, Phishle is a word game. But Phishle focuses on players learning about social engineering terms such as phishing, smishing, vishing, and tailgating while solving the daily word puzzle. Phishle launched in Spring 2022 by Spencer Fasulo, a freshman computer science major who interns with the Information Security Office (ISO). Before entering the Phishle contest, check out the ISO’s great new social engineering webpage. You’ll learn what to watch out for and be better equipped to complete the daily Phishle game and win a gift card!

Phishle players get an entry for each 10 words they find. After achieving 10 correct words, fill out the form provided with your contact information. Two gift cards will be awarded each week, with winners announced on UFIT’s Twitter and Instagram accounts. Gift cards will need to be picked up in the 720 Building by local winners. Winners residing outside of Alachua County will receive their gift cards via US Mail.

Understanding Social Engineering

Posted on January 31, 2022January 31, 2022 by tgale@ufl.edu

Social engineering is the term for exploiting human psychology, rather than traditional hacking techniques, to gain access to buildings, systems, devices, or data. For example, a social engineer might call a UF phone number and pose as an IT support person, trying to trick the employee into divulging passwords. David Maurer in The Big Con writes of 1940s confidence [con] men and how they gained the trust of victims. It’s the same in the 2020s: social engineers want to seem believable whether by email, phone call, text, or in person–they gain the victim’s trust to get what they want. Two types of social engineering techniques are employment scams and tailgaiting:

1. Employment scams are plentiful, and many, if not most, students have received an email advertising a 10 hour per week campus job earning $350 per week. Think twice before clicking on the links in an email advertising a job you didn’t inquire about.
2. Tailgating is when someone enlists your help to gain unauthorized building access. An example is when a person with an armful of packages asks you to open the door with your UFID card since they can’t reach theirs. You naturally want to be helpful, but someone now has access they shouldn’t.

UFIT is launching an updated social engineering webpage this spring. In the meantime, if you suspect an email you receive in your GatorMail may be phishing, report it to abuse@ufl.edu. And remember, Gators…be aware of who you are letting access UF residence halls, academic buildings, and other secure campus spaces.

Threat to Suspend Your Social Security Number is a SCAM

Posted on December 9, 2021October 2, 2022 by tgale@ufl.edu

Con artists pretending to be with the Social Security Administration (SSA) are utilizing email, text messages, and phone calls to scare people into providing money and/or personal information. Remember: The SSA will never threaten, scare, or pressure you to take an immediate action.

It is a SCAM if someone…
● Warns of imminent arrest or legal action
● Requests payment by gift card, prepaid debit card, internet currency, or mailing cash
● Pressures you for personal information
● Requests secrecy
● Threatens to seize your bank account
● Promises to increase your Social Security benefit
● Says they have evidence against you, or uses the name of a real SSA official

How to protect yourself from Social Security-related scams:
1. Stay calm. Do not provide money or personal information when you feel pressured, threatened, or scared.
2. Hang up on the caller or ignore the text or email.
3. Report Social Security-related scams. If you receive a suspicious call, text, or email that mentions Social Security, report it to the SSA Office of the Inspector General (OIG). Do not be embarrassed if you shared personal information or suffered a financial loss.

UF’s Information Security Office has an Identity Thefts and Scams webpage where you can learn more about the techniques used by cyber criminals.

The Cost of Phishing: Money, Time, Personal Files

Posted on October 25, 2021October 25, 2021 by l.gamble-at@mail.ufl.edu

“I should have recognized the red flags. I thought it was easy to avoid phishing emails, but I was wrong. I should have taken the email more seriously, and I had to try to get my account back and missed a test. Thankfully, that’s the only thing I missed.”

When it comes to phishing, it’s possible to lose everything in one click, but you’ll never understand the consequences until it happens to you. In UFIT’s video, three students share real stories from victims of cybercrime.

These examples show what could happen after falling for a phish, from locking you out of your computer to rerouting financial aid money to a cybercriminal’s bank account. But the impacts aren’t limited to one person. One incident is all it takes to shut down UF systems or expose student records, research data, and patient information. With so much at stake, it’s important for everyone at UF to remain skeptical of what arrives in their inbox.

The UF Information Security Office has more information about phishing on its website. You can also participate in the Secure the Swamp! online scavenger hunt from October 25-29 to sharpen your cybersecurity skills.

Secure the Swamp Online Scavenger Hunt

Posted on September 30, 2021October 2, 2022 by l.gamble-at@mail.ufl.edu

October 2021 marks the 18th year of Cybersecurity Awareness Month. With the increasing threat of cyberattacks to universities around the world, information security is more timely than ever. UF participates in the initiative every year to empower students, faculty, and staff to own their role in protecting themselves and the university.

This year’s campaign is centered on a “Secure the Swamp!” online scavenger hunt. Each week in October, UFIT will share tips on social media focusing on three themes: phishing, securing your remote work environment, and mobile device security. Students and employees can then test their cybersecurity knowledge by answering four questions on these topics. The hunt begins on Monday, October 25, at 8 a.m. and ends Friday, October 29, at 5 p.m. Participants will have the opportunity to win an exclusive “Secure the Swamp!” T-shirt.

Remember, the UF Information Security Office can’t protect UF by itself. It’s our shared responsibility to keep the university’s data and systems secure. Visit https://security.ufl.edu/ to participate in the scavenger hunt and find more resources. Also, follow UFIT on Twitter (@GoGatorsUFIT), Facebook (@GoGators.UFIT), Instagram (@gogators_ufit), and YouTube (/GoGatorsUFIT) for some clues!

Fake Emails from “UF Faculty” Targeting Students

Posted on July 12, 2021October 2, 2022 by l.gamble-at@mail.ufl.edu

Students are reporting suspicious emails in their Gmail or other non-UF inboxes, claiming to be from instructors. These phishing scams enable cybercriminals posing as faculty to convince students to deposit fake checks or send gift cards. Because students often handle email on their phones–where full email addresses are obscured–it isn’t immediately apparent that the email is a phish.

Impostor emails attempt to lure students with high-paying job opportunities and often come from faculty members the student doesn’t know. Cybercriminals can find enough information online to impersonate faculty without having to hack into their UF account. The proliferation of these scams is a great reminder to always be cautious when clicking on any email, no matter who they seem to come from.

Remember:
1. Even if a phishing email doesn’t include a malicious link or attachment, it’s still just as dangerous if you respond.
2. The [External Email] tag will appear in the body of emails originating from outside the university, alerting you that it may well be malicious.

If you think an email in your Gmail or non-UF inbox is a phish, forward the message as an attachment to abuse@ufl.edu.