Powered by the KU IT Security Office

Phishing & Social Engineering

Phishing

What is Phishing?

Phishing is when criminals try to trick you into giving out confidential personal information (e.g., credit card and bank account numbers, Social Security number, passwords, etc.) by impersonating a legitimate organization, offering a chance to win a prize if you register, etc. Phishing attacks happen by email, phone, online ad and text message.

Phishing messages may appear to be from organizations you do business with (e.g., banks, software companies, healthcare, etc.) or work for. They might threaten to close your account or take other action if you don’t respond. The senders of these messages are criminals phishing for your valuable personal information to commit fraud.

Legitimate organizations, including KU, will never ask you to provide sensitive personal information (password, Social Security Number, etc.) in an email or in an unsolicited phone call.

Phishing Examples

Criminals are thinking up new phishing attacks all the time. These are just a few examples of common phishing messages:

  • "We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."
  • “Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.”
  • “You have won a free $500 Walmart gift card. Click here to collect your card.”
  • “Test the new iPad and keep it when you’re finished. Just use the iPad and tell us what you think. Call us to become part of this exclusive test.”

Social Engineering

What is Social Engineering?

Social engineering is when criminals attempt to trick people into revealing confidential personal information (e.g., credit card and bank account numbers, Social Security number, passwords, etc.), or trick them into clicking links that lead to malicious websites. Social engineering can occur by email, web, phone, or in-person. Social engineering is the most commonly used attack by criminals to gain access to confidential personal information. Phishing is the most common type of social engineering attack.

Common Traits of Social Engineering Attacks:

  • Request sensitive personal information (e.g., password, Social Security Number, bank account, etc.)
  • Have a sense of urgency (e.g., threaten to shut off service, lose money or access, etc.)
  • Appeal to authority (e.g., appear to be from KU, your bank, a legitimate organization, etc.).

Social engineering exploits the willingness of people to provide information when asked politely and in a reasonable manner.

Types of Social Engineering

Here are just a few of the common social engineering strategies criminals use to try to gain access to valuable information:

  • Phishing – Recreating websites and/or login pages that capture confidential personal information (username, passwords, etc.) and directing users there via email, text, online ad or phone.
  • Spear Phishing – Targeted phishing attempts that focus on a specific high-value individual or group.
  • Scareware – A frightening pop-up message claims your computer has a virus/infection and tries to get you to enter confidential personal information to "fix" it. To heighten the sense of urgency, these malicious messages often play alarm sounds.
  • Vishing – Phishing over the phone, tricking people into calling a number and providing confidential information.
  • Baiting – Using an item to lure in a victim (e.g., free devices, music, movies, etc.).
  • Quid Pro Quo – Uses the promise of technical support (e.g., IT service, quick fixes, removal of virus, etc.)

Additional Resources

Protect Yourself from Phishing and Social Engineering at KU

At KU, security is a shared responsibility. Your awareness and resistance to phishing and social engineering can help you and KU avoid a serious security breach. Here are some strategies to protect yourself and KU from phishing and social engineering attacks:

  • Don't open unsolicited or suspicious email attachments
  • Don't follow any instructions or requests unless you are sure of the sender
  • Learn to Spot Phishing/Social Engineering:
    • Look for misspelled words
    • Check to see if the email address matches the sender
    • Check to see if the URL in links matches the sender
  • Think twice before clicking on links in emails. Verify the destination of links by hovering over the link and looking at the URL in the pop-up.
  • Remember, legitimate organizations, including KU, will never ask you to provide confidential personal information (password, Social Security Number, etc.) in an email or in an unsolicited phone call. Unless you initiated the request, assume an email or phone call asking for confidential personal information is a phishing attempt. When in doubt, call the organization directly to verify legitimacy of the request.
  • If you think you've been tricked into divulging confidential information, don't panic. Phishing/social engineering attacks want you to panic and act without thinking. Immediately contact the KU IT Customer Service Center at 785-864-8080.

Reporting Suspicious Messages

If you receive suspicious email or text messages that you believe are targeting KU:

  • Don't click on any links or follow any instructions or requests
  • Forward the message to abuse@ku.edu and the KU IT Security Office will investigate.
  • Delete the suspicious message
  • You can also use our online form to report any suspicious incidents.

If You Think You’ve Been Tricked

If you might have been tricked by a phishing email, online advertisement, or other attack:

  • Immediately contact the KU IT Customer Service Center at 785-864-8080.
  • Forward the message to abuse@ku.edu and the KU IT Security Office will investigate.

Protect Yourself from Phishing and Social Engineering

Your awareness and resistance to phishing and social engineering can help you avoid the serious consequences of becoming a victim. Here are some strategies to protect yourself from phishing and social engineering attacks:

  • Don't open unsolicited or suspicious email attachments
  • Don't follow any instructions or requests unless you are sure of the sender
  • Learn to Spot Phishing/Social Engineering:
    • Look for misspelled words
    • Check to see if the email address matches the sender
    • Check to see if the URL in links matches the sender
  • Think twice before clicking on links in emails. Verify the destination of links by hovering over the link and looking at the URL in the pop-up.
  • Remember, legitimate organizations, including KU, will never ask you to provide confidential personal information (password, Social Security Number, etc.) in an email or in an unsolicited phone call. Unless you initiated the request, assume an email or phone call asking for confidential personal information is a phishing attempt. When in doubt, call the organization directly to verify the legitimacy of the request.
  • If you think you've been tricked into divulging confidential information, don't panic. Phishing/social engineering attacks want you to panic and act without thinking. Immediately contact the organization related to the confidential information you may have divulged (i.e., your bank, credit card company, etc.).
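The three "Learn to Spot" checks in the list above (sender address matches the sender, link URL matches the sender, hover and compare the real destination) can be applied mechanically to a raw email. The following is an added example written for this page, not code from KU IT: it parses a constructed sample lure and reports the indicators it finds, covering the same checks for the "at KU" list earlier on the page as well. `TRUSTED_DOMAINS`, the urgency and sensitive-information phrase lists, and the sample message are all assumptions; the `registered_domain` helper deliberately ignores public-suffix rules.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's genuine domain(s); mail or links from elsewhere are suspect.
TRUSTED_DOMAINS = {"ku.edu"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be closed", "suspended")
SENSITIVE_PHRASES = ("password", "social security", "account number", "credit card")
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)   # anchor text that names a site

# Constructed sample lure (not a real message): look-alike sender domain, link text that differs
# from the real target, and an urgent request for credentials.
SAMPLE_EMAIL = b"""From: "KU IT Security Office" <security@ku-edu-support.com>
Subject: Urgent: your account will be closed in 24 hours
Content-Type: text/html; charset=utf-8

<html><body><p>We suspect an unauthorized transaction on your account.</p>
<p>Visit <a href="http://203.0.113.10/login">https://myidentity.ku.edu</a> and enter your
KU Online ID and password within 24 hours, or your account will be closed.</p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect all visible text plus (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []   # (visible anchor text, href)
        self.text = []    # every text node, for phrase matching
        self._href = None
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._anchor).strip(), self._href))
            self._href = None


def registered_domain(host):
    """'mail.example.com' -> 'example.com' (assumption: last two labels; .co.uk-style suffixes not handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url_or_domain):
    # Hostname of a URL; bare 'example.com' anchor text is accepted too.
    text = url_or_domain.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def find_indicators(raw_message):
    """Return (code, detail) phishing indicators found in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    trusted_labels = {d.split(".")[0] for d in TRUSTED_DOMAINS}   # e.g. {"ku"}
    # Sender: the display name claims the organisation while the address domain does not.
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    if registered_domain(sender_domain) not in TRUSTED_DOMAINS:
        if any(re.search(r"\b%s\b" % re.escape(lab), display.lower()) for lab in trusted_labels):
            findings.append(("sender-mismatch", f"'{display}' sent from {sender_domain}"))
        if trusted_labels & set(re.split(r"[^a-z0-9]+", sender_domain)):
            findings.append(("sender-lookalike", sender_domain))

    # Links: the "hover and compare" check; visible text names one host, href goes elsewhere or to a bare IP.
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body is not None else "")
    for anchor_text, href in parser.links:
        target = host_of(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            findings.append(("link-ip-target", href))
        if URL_LIKE.match(anchor_text) and host_of(anchor_text) != target:
            findings.append(("link-text-mismatch", f"shows {anchor_text!r}, goes to {href}"))

    # Traits: urgency and a request for sensitive information.
    full_text = (str(msg.get("Subject", "")) + " " + " ".join(parser.text)).lower()
    if any(p in full_text for p in URGENCY_PHRASES):
        findings.append(("urgency", [p for p in URGENCY_PHRASES if p in full_text]))
    if any(p in full_text for p in SENSITIVE_PHRASES):
        findings.append(("asks-sensitive-info", [p for p in SENSITIVE_PHRASES if p in full_text]))
    return findings


if __name__ == "__main__":
    for code, detail in find_indicators(SAMPLE_EMAIL):
        print(f"{code:20} {detail}")
```

Run as a script it prints six indicators for the sample lure: a sender whose display name says KU but whose address does not, a look-alike sender domain, a link whose visible text is a KU address while its real target is a bare IP, and the urgency and credential-request traits. These are heuristics for triage, not proof either way: a message with no findings can still be a phishing attempt, so the reporting steps on this page still apply.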

Reporting Phishing Emails and Social Engineering

If you receive suspicious email or text messages that you believe are phishing attempts, you can forward phishing emails to the company, bank or organization impersonated in the email.

If You Think You’ve Been Tricked:

  • Immediately change passwords for any accounts that may have been compromised.
  • Immediately contact the organization related to the confidential information you may have divulged (i.e., your bank, credit card company, etc.).
  • Review your accounts for any unauthorized activity.
  • Contact the organization that was being impersonated directly to inform them of the attack and regain control of your account.
  • Enable two-factor authentication on your accounts that provide it.

You can file a report with the Federal Trade Commission at www.ftc.gov/complaint.

