Phishing & Social Engineering
Phishing
What is Phishing?
Phishing is when criminals try to trick you into giving out confidential personal information (e.g., credit card and bank account numbers, Social Security number, passwords, etc.) by impersonating a legitimate organization, offering a chance to win a prize if you register, etc. Phishing attacks happen by email, phone, online ad and text message.
Phishing messages may appear to be from organizations you do business with (e.g., banks, software companies, healthcare, etc.) or work for. They might threaten to close your account or take other action if you don’t respond. The senders of these messages are criminals phishing for your valuable personal information to commit fraud.
Legitimate organizations, including KU, will never ask you to provide sensitive personal information (password, Social Security Number, etc.) in an email or in an unsolicited phone call.
Phishing Examples
Criminals are thinking up new phishing attacks all the time. These are just a few examples of common phishing messages:
- “We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.”
- “Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.”
- “You have won a free $500 Walmart gift card. Click here to collect your card.”
- “Test the new iPad and keep it when you’re finished. Just use the iPad and tell us what you think. Call us to become part of this exclusive test.”
Social Engineering
What is Social Engineering?
Social engineering is when criminals attempt to trick people into revealing confidential personal information (e.g., credit card and bank account numbers, Social Security number, passwords, etc.), or trick them into clicking links that lead to malicious websites. Social engineering can occur by email, web, phone, or in person. It is the attack criminals use most often to gain access to confidential personal information, and phishing is the most common type of social engineering attack.
Common Traits of Social Engineering Attacks:
- Request sensitive personal information (e.g., password, Social Security Number, bank account, etc.)
- Have a sense of urgency (e.g., threaten to shut off service, lose money or access, etc.)
- Appeal to authority (e.g., appear to be from KU, your bank, a legitimate organization, etc.)
Social engineering exploits the willingness of people to provide information when asked politely and in a reasonable manner.
Types of Social Engineering
Here are just a few of the common social engineering strategies criminals use to try to gain access to valuable information:
- Phishing – Recreating websites and/or login pages that capture confidential personal information (username, passwords, etc.), and directing users there via email, text, online ad or phone.
- Spear Phishing – Targeted phishing attempts that focus on a specific high-value individual or group.
- Scareware – A scary pop-up message attempts to get you to enter confidential personal information to fix a virus/infection on your computer. To create a heightened sense of urgency, these malicious messages often include noises.
- Vishing – Phishing over the phone, tricking people into calling a number and providing confidential information.
- Baiting – Using an item to lure in a victim (e.g., free devices, music, movies, etc.).
- Quid Pro Quo – Uses the promise of technical support (e.g., IT service, quick fixes, removal of a virus, etc.).
Additional Resources
Protect Yourself from Phishing and Social Engineering at KU
At KU, security is a shared responsibility. Your awareness and resistance to phishing and social engineering can help you and KU avoid a serious security breach. Here are some strategies to protect yourself and KU from phishing and social engineering attacks:
- Don't open unsolicited or suspicious email attachments
- Don't follow any instructions or requests unless you are sure of the sender
- Learn to Spot Phishing/Social Engineering:
- Look for misspelled words
- Check to see if the email address matches the sender
- Check to see if the URL in links matches the sender
- Think twice before clicking on links in emails. Verify the destination of links by hovering over the link and looking at the URL in the pop-up.
- Remember, legitimate organizations, including KU, will never ask you to provide confidential personal information (password, Social Security Number, etc.) in an email or in an unsolicited phone call. Unless you initiated the request, assume an email or phone call asking for confidential personal information is a phishing attempt. When in doubt, call the organization directly to verify legitimacy of the request.
- If you think you've been tricked into divulging confidential information, don't panic. Phishing/social engineering attacks want you to panic and act without thinking. Immediately contact the KU IT Customer Service Center at 785-864-8080.
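The two “Learn to Spot” checks above that involve addresses (does the sender’s email address match, does the URL in a link match the sender) can be automated for an HTML message. The following Python script is an added illustration, not part of KU’s page or tooling: it pulls every link out of an email body, compares the address that is displayed to the address the link really goes to (the same thing you see when you hover over a link), and compares the link’s destination domain with the domain of the From address. The sample From header and HTML body are constructed for this example, and the “ku-edu-secure.example” look-alike domain is made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample input (not a real message): a From header that claims to be
# KU IT, and a body whose first link displays one address but points somewhere else.
SAMPLE_FROM = "KU IT Support <it-support@ku.edu>"
SAMPLE_HTML = """
<p>Your account will be closed in 24 hours unless you confirm your identity.</p>
<a href="http://login.ku-edu-secure.example/verify">https://my.ku.edu/account</a>
<p>Questions? Visit the <a href="https://www.ku.edu/">KU home</a> page.</p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' reduction (e.g. my.ku.edu -> ku.edu).
    Good enough for this illustration; a real tool would use the public suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url_like):
    """Hostname of a URL; tolerates text such as 'www.ku.edu/path' with no scheme."""
    s = url_like.strip()
    if "://" not in s:
        s = "http://" + s
    return urlparse(s).hostname or ""


def sender_domain(from_header):
    """Domain of the actual address in a From header, ignoring the display name."""
    m = re.search(r"@([\w.-]+)", from_header)
    return registrable_domain(m.group(1)) if m else ""


def check_links(from_header, html):
    """Return one finding per link: its href, its visible text, and a list of reasons
    it looks suspicious (empty list means the link passed both checks)."""
    parser = LinkCollector()
    parser.feed(html)
    sdom = sender_domain(from_header)
    findings = []
    for href, text in parser.links:
        href_dom = registrable_domain(host_of(href))
        reasons = []
        # Check 1 (the "hover" check): if the visible text looks like a URL, does its
        # host agree with where the link actually goes?
        looks_like_url = re.match(r"^(https?://|www\.)", text, re.IGNORECASE)
        text_host = host_of(text) if looks_like_url else ""
        if text_host and registrable_domain(text_host) != href_dom:
            reasons.append(f"displays {text_host} but goes to {href_dom}")
        # Check 2: does the link's destination match the sender's domain?
        if sdom and href_dom != sdom:
            reasons.append(f"destination {href_dom} does not match sender domain {sdom}")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def suspicious_links(from_header, html):
    """Only the links that tripped at least one check."""
    return [f for f in check_links(from_header, html) if f["reasons"]]


if __name__ == "__main__":
    for finding in check_links(SAMPLE_FROM, SAMPLE_HTML):
        status = "SUSPICIOUS" if finding["reasons"] else "ok"
        print(f"[{status}] {finding['text']!r} -> {finding['href']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Both checks are heuristics, not proof: a link can pass them and still be malicious (for example when the sender address itself is forged), and a legitimate newsletter may link to a third-party domain. Treat a flagged link as a reason to stop and verify with the organization directly, exactly as the list above advises.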
Reporting Suspicious Messages
If you receive suspicious email or text messages that you believe are targeting KU:
- Don't click on any links or follow any instructions or requests
- Forward the message to abuse@ku.edu and the KU IT Security Office will investigate.
- Delete the suspicious message
- You can also use our online form to report any suspicious incidents.
If You Think You’ve Been Tricked
If you might have been tricked by a phishing email, online advertisement, or other attack:
- Immediately contact the KU IT Customer Service Center at 785-864-8080.
- Forward the message to abuse@ku.edu and the KU IT Security Office will investigate.
Protect Yourself from Phishing and Social Engineering
Your awareness and resistance to phishing and social engineering can help you avoid the serious consequences of becoming a victim. Here are some strategies to protect yourself from phishing and social engineering attacks:
- Don't open unsolicited or suspicious email attachments
- Don't follow any instructions or requests unless you are sure of the sender
- Learn to Spot Phishing/Social Engineering:
- Look for misspelled words
- Check to see if the email address matches the sender
- Check to see if the URL in links matches the sender
- Think twice before clicking on links in emails. Verify the destination of links by hovering over the link and looking at the URL in the pop-up.
- Remember, legitimate organizations, including KU, will never ask you to provide confidential personal information (password, Social Security Number, etc.) in an email or in an unsolicited phone call. Unless you initiated the request, assume an email or phone call asking for confidential personal information is a phishing attempt. When in doubt, call the organization directly to verify the legitimacy of the request.
- If you think you've been tricked into divulging confidential information, don't panic. Phishing/social engineering attacks want you to panic and act without thinking. Immediately contact the organization related to the confidential information you may have divulged (i.e., your bank, credit card company, etc.).
Reporting Phishing Emails and Social Engineering
If you receive suspicious email or text messages that you believe are phishing attempts, you can forward phishing emails to the company, bank or organization impersonated in the email.
If You Think You’ve Been Tricked:
- Immediately change passwords for any accounts that may have been compromised.
- Immediately contact the organization related to the confidential information you may have divulged (i.e., your bank, credit card company, etc.).
- Review your accounts for any unauthorized activity.
- Contact the organization that was being impersonated directly to inform them of the attack and regain control of your account.
- Enable two-factor authentication on your accounts that provide it.
You can file a report with the Federal Trade Commission at www.ftc.gov/complaint.