What is phishing?
Phishing is a social-engineering attack that depends on deceiving the victim into doing what the attacker wants. The attack begins with the attacker sending the victim a message. It is this technique of using a message as bait to lure the victim that gives the attack its name.
The attack is a success if the victim reacts to the message. For instance, the victim may click a link or open an attachment that triggers some kind of threat. Or the victim could respond to the message, starting communication between the attacker and victim.
In the case of communication between attacker and victim, the attacker will attempt to manipulate the victim using social norms and expectations to convince them to do what they want. Some examples are when an attacker:
- Asks the victim to do a quick errand that the attacker "doesn't have time for"
- Calls on behalf of a demanding boss, counting on the victim to help so that the caller supposedly doesn't get into trouble
- Contacts the victim asking them to "update their account information for security purposes"
Types of phishing
The most common types of phishing are:
- Phishing, in the narrow sense, refers to email messages.
- Smishing refers to text messages (SMS) and takes advantage of the fact that it is difficult to validate the sender and the web links in a text message.
- Vishing (voice phishing) uses phone calls or bait left on someone's voicemail.
Spear phishing, which can happen via email, text or voicemail, is where the attacker researches a specific victim and crafts a personalized message just for them. The wealth of information available on the Internet makes it possible for attackers to craft spear phishing messages for just about any victim. For example, an attacker may impersonate the victim's boss to pressure the victim into responding.
Why is phishing a problem for individuals and organizations?
- Prevalence: More than 90% of compromised accounts and hacks start with a phishing attack.
- Speed: More than 60% of phishing victims "bite" within the first hour, so it is difficult for organizations to react in time to stop the attack.
- Cost: Business email compromise cost organizations $1.77 billion USD in 2019 (the figure reported by the FBI's Internet Crime Complaint Center for that year), before counting recovery operations and reputational damage.
- Impact: Individuals suffer from phishing too, both at work (embarrassment and cleanup effort) and personally (identity theft and credit rating damage).
The image below shows some of the common signs that a message could be a phishing attempt.
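As an added example (not material from the original page or code from IT Services), the Python script below checks a single email for several of the signs referred to above: a display name that claims an internal role but arrives from an outside domain, a Reply-To that quietly redirects answers to a different domain, link text that shows one site while the link itself points to another, and pressure phrases that push the reader to act immediately. The organization domain passed in, the role words, the urgency phrases and the two-label approximation of a domain's owner are assumptions, and both messages are constructed samples, not real mail.

```python
"""Heuristic checks for common phishing signs in one email message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list: words an impersonator puts in a display name to borrow authority.
ROLE_WORDS = ("dean", "president", "director", "ceo", "it services", "service desk")

# Assumed list: pressure phrases that push the victim to act in the "first hour".
URGENCY = re.compile(
    r"\b(urgent|immediately|within \d+ (?:hour|minute)s?|suspended|verify your account)\b", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the owner's domain by the last two labels (assumption: no public-suffix list)."""
    return ".".join((host or "").lower().rstrip(".").split(".")[-2:])


def host_of(url_or_text):
    """Hostname of a URL, or of bare text such as 'uwindsor.ca/itshelp'."""
    return urlparse(url_or_text if "://" in url_or_text else "http://" + url_or_text).hostname


def _looks_like_url(text):
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) is not None


def _bodies(msg):
    """Yield (content type, decoded text) for each text part, multipart or not."""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True)
            if payload:
                yield part.get_content_type(), payload.decode(part.get_content_charset() or "utf-8", "replace")


def phishing_signs(raw_message, org_domain):
    """Return a list of (sign, detail) tuples; an empty list means nothing looked suspicious."""
    msg, signs, org = message_from_string(raw_message), [], registrable_domain(org_domain)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    # Sign 1: display name claims an internal role, but the address is an outside domain.
    if any(w in from_name.lower() for w in ROLE_WORDS) and registrable_domain(from_domain) != org:
        signs.append(("external-role-claim", f"'{from_name}' sent from {from_domain}"))
    # Sign 2: replies are redirected to a domain other than the sender's.
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    if reply_domain and registrable_domain(reply_domain) != registrable_domain(from_domain):
        signs.append(("reply-to-mismatch", f"Reply-To {reply_domain} vs From {from_domain}"))
    visible_text = msg.get("Subject", "")
    for ctype, body in _bodies(msg):
        if ctype == "text/html":
            extractor = _LinkExtractor()
            extractor.feed(body)
            # Sign 3: the link text shows one site but the href points somewhere else.
            for href, text in extractor.links:
                if _looks_like_url(text) and registrable_domain(host_of(text)) != registrable_domain(host_of(href)):
                    signs.append(("link-text-mismatch", f"text '{text}' -> {href}"))
            body = re.sub(r"<[^>]+>", " ", body)  # keep only the text a reader would see
        visible_text += " " + body
    # Sign 4: pressure to act right now.
    phrases = sorted({m.group(0).lower() for m in URGENCY.finditer(visible_text)})
    if phrases:
        signs.append(("urgency", ", ".join(phrases)))
    return signs


# Constructed sample messages (not real mail): one suspicious, one clean.
SUSPICIOUS_MESSAGE = """\
From: "Jane Dean (Dean of Science)" <jane.dean@uwindsor-mail.example.net>
Reply-To: jane.dean.office@webmail.example.com
To: student@example.org
Subject: URGENT: confirm your account within 1 hour
Content-Type: text/html

<p>I need a quick favour and haven't time to do it myself. Please verify your account immediately at
<a href="http://uwindsor-login.example.net/verify">https://www.uwindsor.ca/account</a>
or your access will be suspended today.</p>
"""

CLEAN_MESSAGE = """\
From: "IT Services" <itshelp@uwindsor.ca>
To: student@example.org
Subject: Monthly maintenance window
Content-Type: text/html

<p>Service desk hours are listed at <a href="https://www.uwindsor.ca/itshelp">uwindsor.ca/itshelp</a>.</p>
"""

if __name__ == "__main__":
    for code, detail in phishing_signs(SUSPICIOUS_MESSAGE, "uwindsor.ca"):
        print(f"{code}: {detail}")
    print("clean message:", phishing_signs(CLEAN_MESSAGE, "uwindsor.ca"))
```

The clean message also names "IT Services" in its display name and uses a bare domain as link text; it passes because the sender's domain matches the organization and the link text and href resolve to the same owner. These heuristics catch the obvious cases a person is trained to spot; they do not replace mail-gateway controls, and a determined spear phisher can avoid every one of them, which is why the advice that follows starts with not responding.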
What should I do?
If you think you have received a phishing message:
- Do not respond
- Forward the message to email@example.com
- Delete it
If you clicked on a link or opened an attachment:
- Don't panic.
- Contact the IT Service Desk at 519-253-3000 ext. 4440.
- Change your UWin Account password: go to the University of Windsor website yourself (not through any link in the message), click "Manage UWin Account" in the footer at the bottom of the page, then select "Change Your Password".
Where can I find more information?
We're here to help!
IT Services is happy to answer questions about cybersecurity on campus: call ext. 4440 or open a service ticket at uwindsor.ca/itshelp. More information on cybersecurity issues facing campus: uwindsor.ca/cybersecurity