
Don’t Take the Bait

Phishing

What is phishing?

Phishing is a form of attack that depends on tricking or fooling a victim into doing what the attacker wants. The attack begins with the attacker sending a message to the victim. It is this technique of using a message as bait to lure the victim that gives the attack its name.

The attack is a success if the victim reacts to the message. For instance, the victim may click a link or open an attachment that triggers some kind of threat. In other cases, the victim may reply to the message, starting a conversation between the attacker and victim, or simply stay on the phone and speak with the caller.

In the case of communication between attacker and victim, the attacker will attempt to manipulate the victim using social norms and expectations to convince them to do what they want. Some examples are when an attacker:

  • Asks the victim to do a quick errand that they haven’t time to get to
  • Calls on behalf of their horrible boss, relying on the victim to help so that the attacker doesn’t get in trouble
  • Informs the victim about a (fake) issue with their account and offers to help fix it.

Did you know that 93% of successful cyberattacks begin with a phishing scam?

Types of phishing

The most common types of phishing are:

  • Phishing refers to email messages
  • Smishing refers to text messages (SMS) and takes advantage of the fact that it is difficult to validate messages and web links in text messages.
  • Vishing is bait left on someone’s voicemail.

Spear phishing, which can happen via email, text or voicemail, is where the attacker researches a specific victim and crafts a personalized message just for them. The wealth of information available on the Internet makes it possible for attackers to craft spear phishing messages for just about any victim. For example, an attacker might impersonate the victim’s boss to encourage the victim to respond.

A tech support scam typically starts with a phone call or a live chat message in which an attacker offers to help solve a problem with your account or computer by doing a remote support session with you. This gives the attacker access to your computer, which they can then use to reach your bank accounts or to encrypt the computer with ransomware.

Why is phishing a problem for individuals and organizations?

  • Prevalence: More than 90% of compromised accounts or hacks start with a phishing attack.
  • Speed: More than 60% of victims of a phishing attack “bite” in the first hour, so it is difficult for organizations to react in time to stop the attack.
  • Cost: Business email compromise cost organizations $4.1 billion USD in 2020 (up from $1.77 billion in 2019) along with recovery operations and reputational damage.
  • Impact: Individuals suffer from phishing, both through workplace shame and cleanup effort, and personal repercussions like identity theft and credit rating damage.

Recognizing Phishing - Unusual Requests

Test Your Instincts

Scenario (Unusual Requests):  

A co-worker sends an email asking you to send them a staff list because the boss is away.

Questions you might ask yourself before sending the list: 

  • Why did they ask you? 
  • Why would your co-worker need you? Couldn’t they look it up themselves?
  • Is the co-worker from your department? 
  • Are you even authorized to send the list? 

An attacker could be impersonating your co-worker, trying to trick you into sending them information that they can use to target others in your department. Even if the request is legitimate, are you the person that should be sending the information? Perhaps you could direct them to the departmental administrator or human resources instead. 

Recommended Response

"Sorry, I don’t think I have an up-to-date list."

Be a "Human Firewall"

A human firewall is someone who thinks about the cybersecurity implications of a situation and takes appropriate action to safeguard accounts, information and research, and computing resources. It’s the digital equivalent of looking both ways before crossing the street. A human firewall pauses to think, then clicks only if appropriate.

Many users have a false sense of security, believing that technology solutions such as passwords, anti-virus, and network firewalls protect them from the evils of the Internet. Technology cannot protect against everything, so online users also need to be human firewalls.

Recognizing Phishing - Unexpected Support

Test Your Instincts

Scenario (Unexpected Support):

You receive a call from your bank or credit card company to inform you about a fraudulent transaction detected from your computer. They’d like to do a remote computer session with you to solve the problem. 

Questions you might ask yourself before allowing access to your computer:

  • Is this how I told my bank to contact me for fraudulent transactions?
  • Can the caller provide specific details about the account and transaction in question?
  • Could they be after something else by gaining access to my computer?

This is an example of a phishing trend. Criminals take advantage of the fact that banks offer account alerts, and use that to start a conversation and build initial rapport. They are trying to gain access to your computer so they can compromise it with spyware or ransomware. Contact your bank or credit card company directly yourself using your usual method.

Recommended Response

End the call; nobody has time to be hacked.

Be a "Human Firewall"

A human firewall is someone who thinks about the cybersecurity implications of a situation and takes appropriate action to safeguard accounts, information and research, and computing resources. It’s the digital equivalent of looking both ways before crossing the street. A human firewall pauses to think, then clicks only if appropriate.

Many users have a false sense of security, believing that technology solutions such as passwords, anti-virus, and network firewalls protect them from the evils of the Internet. Technology cannot protect against everything, so online users also need to be human firewalls.

Recognizing phishing

The image below shows some of the common signs that a message could be a phishing attempt.

(source: https://cyberwarzone.com/detect-phishing-emails/)

What should I do?

If you think you have received a phishing message:

  • Do not respond
  • Forward the message to spam@uwindsor.ca
  • Delete it

If you clicked on a link or opened an attachment:

  1. Don't panic.
  2. Contact the IT Service Desk at 519-253-3000 ext. 4440.
  3. Change your UWin Account password by going to the University of Windsor website, clicking "Manage UWin Account" in the footer at the bottom of the page, and then selecting "Change Your Password."

Recognizing a tech support scam

There are 3 keys to recognizing a tech support scam:

  1. You receive an unsolicited call from an unknown person
  2. The caller informs you that your account, subscription or device is affected
  3. The caller wants to connect to your device to help you resolve the issue

(source: https://community.teamviewer.com/English/kb/articles/4715-teamviewer-and-scamming)

If all three of these elements are present, it’s probably a scam. Hang up and contact the company directly via the normal channels you use.

Where can I find more information?

You can view a longer version of this article that includes examples of phishing.

We're here to help!

IT Services is happy to answer questions about cybersecurity on campus: ext. 4440 or open a ticket for service here: uwindsor.ca/itshelp. More information on cybersecurity issues facing campus: uwindsor.ca/cybersecurity

You can download a printable PDF of this page. You can download a poster-size version of this page.