Falling for a Phish Can Lead to an MFA Bombing Attack

Phishing attacks are frequently carried out through emails or texts that appear to come from a reputable source. Cybercriminals are skilled at using deceitful tactics to trick users into revealing personal information such as logins or credit card information. Common phishing tactics include:

● Unsolicited work opportunities that lead to requests for bank routing information, or ask the new “employee” to purchase supplies, with the promise of reimbursement
● Messages warning of an imminent deactivation of your accounts, such as bank accounts, social media accounts, or subscription services
● Emails allegedly from the IRS, FBI, or other federal agency threatening legal action, and directing you to imposter websites requiring you to enter personally identifying information
● Urgent requests from fake email accounts impersonating a high-level person in your organization, asking you to purchase gift cards or submit your credit card information

Pay close attention to any email asking for GatorLink login credentials. Unauthorized access to your GatorLink account can expose your personal or academic information. Once a GatorLink login is compromised, the attacker may repeatedly spam Duo Push requests to your device — otherwise known as “MFA Bombing” — hoping you will accept just to make the requests stop. Approving an unexpected Duo request gives the criminal access to your account. Visit the MFA bombing webpage to learn more about this form of cyberattack.

Cyber Bowl 2022: Beat FSU!

For Cyber Security Awareness Month, Florida State University’s Information Technology Services (FSU-ITS) challenged UF to a Cyber Bowl, an online game played on the virtual playing field. The Cyber Bowl will be live from October 3 – 14. It’s set up like a football game with four quarters. Each “quarter” contains one question related to social engineering. So…how do the Gators win?

The university that gets the most students, faculty, and staff playing the game wins. To register your entry in the game, all that’s needed is a valid UFL.EDU email address. The Florida State community is answering the same questions that UF is. And just for playing the Cyber Bowl, you could win a pair of tickets to the Florida-Florida State game on November 25! UFIT will randomly select one student and one faculty/staff member from all game entries to win the tickets. You don’t have to answer the questions correctly for a chance to win. Just complete the entry screen after the questions. And hey, learning more about social engineering is a “win” for you and for your university.

To play, visit https://cyberbowl.security.ufl.edu/ anytime between October 3 – 14, answer the questions, and help us beat the ‘Noles! That’s always a good thing, whether we’re playing FSU in a virtual location or a physical one. Thanks for participating in the Cyber Bowl and…GO GATORS!

Cybercrime Spikes at Start of Semester

Phishing emails, with malware and dangerous links embedded in them, increase at the start of each semester. Why? Cybercriminals know that new faculty, students, and staff do not yet understand what to expect from UF emails, and whether asking for GatorLink password information in an email is standard conduct. (It isn’t.)

In addition to phishing, social engineering includes deceitful activities like spear phishing, smishing, tailgating, and doxxing. Make time to review the Information Security Office’s social engineering webpage and become familiar with techniques that cybercriminals use. To help the UF community better understand phishing, Dr. Amanda Phalin, Faculty Senate chair and senior lecturer in Warrington’s Management Department, recorded this video, which explains what it is and how it works.

In the past 12 months, UFIT’s security detection systems have caught 98.5% of phishing messages sent from outside the university. Still, some phishing emails do get through. That’s why being vigilant about what you click on is so important. The phish alert report button in GatorMail lets you report suspicious messages. If you receive an email you suspect is a phish, highlight the email and click on the phish alert report button. This action sends the potentially malicious email directly to the Information Security Office so staff can investigate. Emails from outside UF are marked with the [External Email] banner. Apply extra caution when you see this banner, especially if the message purports to be from someone at UF.

Have a great semester and GO GATORS!

Identifying Deepfake Videos

Misleading content online becomes more sophisticated with each technology advancement. One type of “fake news” becoming more prominent across all social channels is the deepfake, a video that’s been modified to make the subject appear to be doing or saying something they did not.

Deepfake videos are made to fool viewers for a variety of reasons, including political agendas, financial gain, embarrassing a person or group, or blackmail. Public figures can be made to say things they never said, inciting viewers or followers to think a certain way and take action based on misinformation. A viral deepfake video supposedly of Tom Cruise has more than a million views. Here’s a breakdown by the video’s creator on how he utilized AI to construct the video: DeepTomCruise TikTok Breakdown.

It is possible to identify some deepfake videos by noticing changes in skin tone, jerky facial movements, or lip movements that do not match dialogue. But as the technology improves, these clues could become even harder to spot. If you have concerns about the authenticity of a video purporting to be from UF, please contact the department posting the video or send your concern to the UFIT Help Desk.

Enter Phishle Contest to Win Gift Card

The UF Information Security Office’s annual summer contest is open June 1 – 30, 2022. This year, all you have to do is play Phishle — UFIT’s information security take on the popular game “Wordle®” — to qualify for weekly gift card drawings.

Never played Phishle? Like Wordle®, Phishle is a word game. But Phishle focuses on players learning about social engineering terms such as phishing, smishing, vishing, and tailgating while solving the daily word puzzle. Phishle was launched in Spring 2022 by Spencer Fasulo, a freshman computer science major who interns with the Information Security Office (ISO). Before entering the Phishle contest, check out the ISO’s great new social engineering webpage. You’ll learn what to watch out for and be better equipped to complete the daily Phishle game and win a gift card!

Phishle players get an entry for each 10 words they find. After achieving 10 correct words, fill out the form provided with your contact information. Two gift cards will be awarded each week, with winners announced on UFIT’s Twitter and Instagram accounts. Gift cards will need to be picked up in the 720 Building by local winners. Winners residing outside of Alachua County will receive their gift cards via US Mail.

Social Engineering Pages Added to Website

UFIT recently added new pages to https://security.ufl.edu/ that educate readers about social engineering scams. The university community is a huge target for social engineering attacks, including phishing and smishing. By reviewing the social engineering webpages, Gators can learn the difference between everyday communications and an actual social engineering attack.

https://security.ufl.edu/resources/protect-my/socialengineering/

Received a text recently saying your UF email account will be suspended if you don’t certify your account via the link provided? Smish! UFIT has tracked significant growth in social engineering attempts like this in the past year. Social engineering attempts range from fake bank texts and “extended warranty” phone calls to emails pretending to be from UF professors offering $350 per week jobs. Having a large community on one network is extremely attractive for cyber-scammers. So, helping all Gators better understand which communications are legitimate and which are fraudulent keeps all of us safer from attacks.

It only takes one click on a malicious link to cause a world of hurt. Learn to recognize social engineering tactics and help secure UF! If you are unsure whether an email or text purporting to be from UF is legitimate, you can always ask the UFIT Help Desk for assistance.

Threat to Suspend Your Social Security Number is a SCAM

Con artists pretending to be with the Social Security Administration (SSA) are utilizing email, text messages, and phone calls to scare people into providing money and/or personal information. Remember: The SSA will never threaten, scare, or pressure you to take an immediate action.

It is a SCAM if someone…
● Warns of imminent arrest or legal action
● Requests payment by gift card, prepaid debit card, internet currency, or mailing cash
● Pressures you for personal information
● Requests secrecy
● Threatens to seize your bank account
● Promises to increase your Social Security benefit
● Says they have evidence against you, or uses the name of a real SSA official

How to protect yourself from Social Security-related scams:
1. Stay calm. Do not provide money or personal information when you feel pressured, threatened, or scared.
2. Hang up on the caller or ignore the text or email.
3. Report Social Security-related scams. If you receive a suspicious call, text, or email that mentions Social Security, report it to the SSA Office of the Inspector General (OIG). Do not be embarrassed if you shared personal information or suffered a financial loss.

UF’s Information Security Office has an Identity Thefts and Scams webpage where you can learn more about the techniques used by cyber criminals.

Safe Travel is Smart Travel: Cyber Vigilance

As flights and hotel bookings surge past pre-pandemic levels, travelers should prepare for a busy holiday season. Crowded airports can be an early holiday gift for identity thieves. Don’t let the chaos of the airport cause you to let your guard down. Gators, remember while traveling over the break period to:

Avoid public Wi-Fi. If you must use free Wi-Fi in airports, cafes, or in hotels, use a VPN to connect. Also, double-check the network’s name (SSID) before connecting. You could unknowingly connect to a spoofed network or someone else’s hotspot, which means what you type could be seen and copied by others.

Beware of vacation rental scams. While perusing Airbnb or Craigslist for a rental, be alert to an offer that’s too good to pass up. Before booking an accommodation online, research the address and the owner’s name, and check whether the property reviews go back more than a few weeks. Check for multiple ways to contact the owner.

Disable auto-connect features. Most phones enable automatic connections for Wi-Fi, Bluetooth, and location services. These features allow others to track your location or send malicious files to your device. Keep these settings disabled when you are not using them!

Visit https://security.ufl.edu/resources/traveling-abroad/ for more cyber tips for travelers.

How To Shop Securely During Black Friday & Cyber Monday

‘Tis the season for online shopping. Unfortunately, it’s also the season for holiday scams. With Black Friday and Cyber Monday deals right around the corner, it’s important to know what to look for when shopping for the perfect gift. Here are some tips so you don’t get Scrooged:

Pay with a secure method. Using a credit card provides extra protection for online purchases. Under the Fair Credit Billing Act (FCBA), credit card holders are allowed to dispute fraudulent charges, whereas with a debit card, the money comes directly out of a checking account. Remember to check your bank statements regularly for any unauthorized payments.

Research the seller. Before checking out, verify that the business is legitimate. Search the company’s name online, plus “scam,” to read what others are saying. If you’re unsure, check with the state attorney general or the local consumer protection agency to see if there are any filed complaints.

Don’t fall for fake ads. Fake advertisements lurk on legitimate platforms, including email, social media, and search engines. Think twice before clicking on ads. Go directly to the business’s website to verify that the offer is real.

For more cybersecurity tips, visit https://security.ufl.edu/.

The Cost of Phishing: Money, Time, Personal Files

“I should have recognized the red flags. I thought it was easy to avoid phishing emails, but I was wrong. I should have taken the email more seriously, and I had to try to get my account back and missed a test. Thankfully, that’s the only thing I missed.”

When it comes to phishing, it’s possible to lose everything in one click, but you’ll never understand the consequences until it happens to you. In UFIT’s video, three students share real stories from victims of cybercrime.

These examples show what could happen after falling for a phish, from locking you out of your computer to rerouting financial aid money to a cybercriminal’s bank account. But the impacts aren’t limited to one person. One incident is all it takes to shut down UF systems or expose student records, research data, and patient information. With so much at stake, it’s important for everyone at UF to remain skeptical of what arrives in their inbox.

The UF Information Security Office has more information about phishing on its website. You can also participate in the Secure the Swamp! online scavenger hunt from October 25-29 to sharpen your cybersecurity skills.