Security Article

Don't Get Phished:

Protect Yourself and Stop Identity Theft

QUICK TIPS –

  • Think before you click: Scrutinize links and files contained in emails and/or website address bars, e.g. hover your mouse over a link in an email to identify the source. (More details below.)
  • Secure your devices: If you have your own personal device, or if you would like to safeguard your home devices, make sure your anti-virus (e.g. Microsoft Defender ATP) and operating system programs are up-to-date.
  • Back up your data: UM provides FREE cloud storage to all UM faculty, staff, and students via Box, Google Drive, and Microsoft OneDrive.

 

Phishing (pronounced "fishing") is a form of fraud, in which an attacker tries to learn private information (such as login credentials) by masquerading as a reputable entity or person (usually via email).

The following is an actual phishing email that was sent within our UM community:

If you recognized this email as spam/phishing and immediately deleted it, thank you for being vigilant. If you opened the message and clicked on the link, please be aware that attackers often include links in emails to lure you to fraudulent websites where they can collect your login credentials and/or malicious software can be downloaded to your device(s).

To investigate where a link will take you, hover over the link with your mouse pointer (as seen in the screenshot below). If the URL appears to be from outside the University or does not match the link, then it is most likely a phishing email.

Criminals have access to tools that replicate legitimate company sites. In this case, the UM Single Sign-On webpage was replicated. A key indication of whether a site is real or not is the URL. Take a look at the phishing attack URL in the address bar below (the real UM Single Sign-On page will display as https://caneid.miami.edu/, https://caneidhelp.miami.edu/caneid/, or https://auth.miami.edu/):

Phishing is an ongoing challenge for the University of Miami and many other institutions and businesses around the world. To learn more about phishing and how to keep your identity safe, please download UMIT's Phishing 101: How to Spot a Phishing Attempt and Phishing 101: Tips to Protect Yourself documents.

If you suspect a message to be a phishing attempt, you can quickly report it using Outlook's "Report Message" feature. If you are not using Outlook or the feature is not available, you can forward the phishing email (as an attachment) to phish@miami.edu.

If you are a victim of phishing, e.g., you clicked a link and/or downloaded an attachment from a suspicious source, please contact the UMIT Service Desk at: (305) 284-6565 or help@miami.edu, as well as the Information Security Office (ISO) at: infosec@miami.edu.


How to Protect Yourself Against Phishing Attempts:

Phishing scams are among the most prevalent forms of cybercrime. Although phishing is widespread, it is beatable: the best way to combat scams is to learn what phishing looks like and how to protect yourself.

  1. Never use links in an email to connect to a website unless you are absolutely sure they are authentic. Instead, open a new browser window and type the URL directly into the address bar. Pictured below, you'll see an example of an actual phishing email UM employees have received. In the screenshot, it appears that "Sebastian the Ibis" sent the email from an authentic UM email address (sebastian@miami.edu), but when you hover the mouse over the embedded link, it is clear that the link is fraudulent.



  2. Often a phishing website will look identical to the original – look at the address bar to make sure you are accessing the correct website. Criminals have access to tools that replicate legitimate company sites. For example, the UM Single Sign-On webpage was replicated in a phishing scam. Take a look at the phishing attack URL in the address bar below (the real UM Single Sign-On page will display as https://caneid.miami.edu/, https://caneidhelp.miami.edu/caneid/, or https://auth.miami.edu/):

  3. Be wary of emails, phone calls, and/or text messages asking for confidential information - especially information of a financial nature. The University of Miami will never request sensitive information via email, and most banks in the US will tell you that they won't ask for your information unless you're the one contacting them. Pictured below, you'll see an example of a phishing attempt via text message. In the screenshot, it appears that "WellsFargo" sent a text message regarding an account error; however, when you review the link you'll see that it is not from the bank's official website, so it is clear that the link is fraudulent.



  4. Don't get pressured into providing sensitive information. Phishers like to use scare tactics, and may threaten to disable an account or delay services until you update certain information. Be sure to contact the merchant directly to confirm the authenticity of their request.

  5. Watch out for generic-looking requests for information. Fraudulent emails are often not personalized, while authentic emails from your bank often reference an account you have with them. Many phishing emails begin with "Dear Sir/Madam," and some come from a bank with which you don't even have an account.

  6. Never open email attachments or submit confidential information via forms embedded within suspicious email messages. Senders are often able to track all information entered.
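
The hover check from tips 1 and 2 can also be done mechanically. The script below is an added example, not a UMIT tool: it compares the address each link displays with the address it actually opens, and accepts a sign-on link only when its host exactly matches one of the three Single Sign-On addresses listed above. The function names and the sample message (with `example.test` hosts) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Sign-on hosts named in this article; any other host is not the UM sign-on page.
SSO_HOSTS = {"caneid.miami.edu", "caneidhelp.miami.edu", "auth.miami.edu"}

def split_host(url):
    """Return (scheme, hostname) in lowercase; hostname drops any "user@" part and port."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None, None
    return parts.scheme, parts.hostname

def is_um_sso(url):
    """True only for https links whose host exactly equals a listed sign-on host."""
    scheme, host = split_host(url)
    return scheme == "https" and host in SSO_HOSTS

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit(html):
    """Label each link: 'mismatch' (shown host differs from real one), 'sso', or 'other'."""
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for text, href in collector.links:
        _, target = split_host(href)
        _, shown = split_host(text) if "://" in text else (None, None)
        if shown and shown != target:
            results.append((href, "mismatch"))
        else:
            results.append((href, "sso" if is_um_sso(href) else "other"))
    return results

# Constructed sample message body (not a real email).
SAMPLE = """<p>Dear user, your mailbox is full.</p>
<a href="https://caneid.miami.edu.login.example.test/verify">https://caneid.miami.edu/</a>
<a href="https://auth.miami.edu/">Sign in</a>
<a href="https://caneid.miami.edu@portal.example.test/">Reset password</a>"""
```

A link labelled "other" is not necessarily malicious; it simply is not the UM sign-on page, so CaneID credentials should not be entered there.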


Resources:
