Improving Technologies Make Impersonation Scams More Effective

Most of us have received phishing emails in our inbox and smishing messages on our phones impersonating people or companies we trust. According to the US Federal Trade Commission (FTC), consumers lost $1.1 billion to these types of social engineering scams in 2023. That is three times more than in 2020, with strong growth expected now that artificial intelligence (AI) technologies can be used to make phishing communications more convincing. 

We have often been able to spot these impersonations by noticing non-standard language in sentences, grammatical errors, or messages that don’t seem to apply to the situation. But as AI tools improve, scammers can use them to rapidly create very convincing messages that lack the tell-tale signs we’ve become accustomed to spotting. It is even possible to use so-called deepfake tools to create convincing audio and video of someone speaking – using only short clips of the real person speaking.

Here are other clues to help identify impersonation scams:  

  • Verify the source. Check the email address the email was sent from, and if a suspicious email comes in to your GatorMail email, double-check whether the message is flagged in red as [External Email]. On your phone, smishing messages often appear to come from an email address rather than a phone number. 
  • Check with the sender. Impersonation scams often want to give you the impression that the real person being impersonated is not available, which is why they need you to quickly take some action for them. But it doesn’t hurt to give the real person a call or send a message to verify, because if they answer, it was probably a scam! Do not hit ‘reply’ or ‘redial.’ Instead, look up the person in your contacts or find a reliable contact for companies independently (such as calling the phone number on the back of your credit card if you get a text purportedly coming from your bank).
  • It’s a good idea to agree on a way to authenticate communications with people ahead of time, such as by creating a ‘code word’ that family members can use if they are really in trouble.  

If you find yourself the recipient of an impersonation scam, you should report the fraud to the FTC. This helps federal investigators stop scammers before they can reach more people. 

For more information on impersonation scams, visit https://security.ufl.edu/learn-security/.

Spear Phishing on the Rise

A more personalized, sophisticated, and invasive form of phishing is on the rise: spear phishing. Spear phishing is a social engineering tactic used to steal sensitive information from a specific person or group by tailoring the message. For example, an attacker could pretend to be an IT staff member from your college to trick you into revealing your GatorLink credentials.

While regular phishing attempts try to scam as many people as possible through generally deceptive language, the personalization of spear phishing attacks makes them more effective and more dangerous. Barracuda’s 2023 Phishing Trends Report found that spear phishing emails make up less than 0.1% of all emails sent yet cause 66% of all breaches.

There are several signs to look for if you think you have received a spear phishing email in your GatorMail. Is the email address domain from a legitimate organization? If the email appears to have come from a UF email address, utilize the UF directory to confirm the sender’s contact information. Also, hover your cursor over any links in the email and review the URL before clicking on it. Be wary of overly friendly language or strange use of slang, imperfect sayings or misuse of English. Cybercriminals frequently use language that indicates urgency (like “ASAP” or “URGENT!”) in spear phishing attempts.
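The checks in the paragraph above (sender domain, where a link really goes, urgency wording) can also be applied mechanically when triaging a reported message. The following Python is an added example, not UF tooling: the sample message, its `.example` hosts, and the names `triage`, `Links` and `host` are constructed for illustration, and it assumes a single-part HTML message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every address and host in it is made up.
SAMPLE = """From: UF IT Help Desk <helpdesk@ufl.edu.it-support.example>
Subject: URGENT! GatorLink password expires today
Content-Type: text/html

<p>Confirm your account ASAP at
<a href="http://gatorlink.it-support.example/login">security.ufl.edu</a></p>
"""

class Links(HTMLParser):  # collects [href, visible text] for each <a> element
    def __init__(self):
        super().__init__()
        self.found, self.open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.found.append([dict(attrs).get("href") or "", ""])
            self.open = True
    def handle_data(self, data):
        if self.open:
            self.found[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self.open = False

def host(value):
    value = value.strip()  # full URL or bare text such as "security.ufl.edu"
    return (urlparse(value if "://" in value else "//" + value).hostname or "").lower()

def triage(raw, trusted="ufl.edu"):  # single-part messages only (assumption)
    msg, findings = message_from_string(raw), []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender != trusted and not sender.endswith("." + trusted):
        findings.append(f"sender domain is {sender}")
    body = msg.get_payload()
    if re.search(r"\b(asap|urgent)\b", msg.get("Subject", "") + " " + body, re.I):
        findings.append("urgency language")
    parser = Links()
    parser.feed(body)
    for href, text in parser.found:
        shown = host(text) if "." in text and " " not in text.strip() else ""
        if shown and shown != host(href):
            findings.append(f"link shows {shown} but opens {host(href)}")
    return findings
```

The From header is set by the sender, so a matching domain alone does not confirm who sent the message; the directory check described above still applies.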

If you get a spear phishing message in your GatorMail, immediately send it to the Information Security Office using the phish alert button. If you’ve fallen victim to a spear phishing message and unwittingly provided your UF username and password (i.e., your GatorLink credentials) to a scammer, then contact the UFIT Help Desk at once (352-392-HELP/4357). When you report that your account has been compromised, staff will help you change your password and do everything they can to minimize the impacts of the account compromise.

The Personal Cost of a Cyberattack

The digitalization of our lives leaves us vulnerable to malicious attempts from cybercriminals to steal, expose, or destroy our personal and sensitive information through cyberattacks. As new technologies evolve, so do the tactics used to target individuals, including ransomware, credential theft, and more sophisticated social engineering scams. These attacks are increasing worldwide, with Check Point Research revealing a 38% global increase from 2021 to 2022 — affecting an average of one in three Americans.

So, what could a cyberattack cost you? Research from the Centre for Counter Fraud Studies found victims of cybercrime experience psychological impacts, such as anxiety, anger, and embarrassment, even if the attack didn’t result in monetary loss. A compromised account or hacked device can quickly escalate from an inconvenience to a financial stressor. Phishing, the top reported cybercrime to the FBI in 2022, cost victims an average of $173 per attack. UFIT’s Secure the Swamp video highlights the experiences of three UF students who fell victim to phishing attacks, with one attack resulting in their financial aid being stolen.

A common theme amongst malware and phishing attempts is malicious links and the attacker’s use of personally identifiable information that tricks you into giving your password. You can use GatorMail’s URL decoder to make sure the site you plan to visit is safe. And remember: No one from UF will ever ask you for your GatorLink password!

A cyberattack can disrupt your life with serious repercussions. The best way to protect yourself from a cyberattack is to be informed and practice safe cyber routines. View UFIT’s resources on the best practices to help protect yourself from malicious cyber activity.