January 30, 2013 | You’ve probably gotten more than one of them: emails that appear to be from UCAR or your bank, asking for passwords or other sensitive information. If so, then someone is phishing—and if you get hooked, it could be risky for you and the organization.

In a nutshell: Click here to jump to an infographic outlining major warning signs to watch out for.

In late 2012, members of the Security Engineering Group (which serves all of NCAR and UCAR from its base in CISL) detected a spike in successful "phishing" attempts. The group teamed with CISL colleagues in the Web Engineering Group and took action to remedy the situation from an engineering point of view (see Transition from People Search to Staff Directory).

But phishing can't be stopped by engineering alone, especially in an organization that values communication and staff accessibility. Here’s a primer on how to keep phishers from snagging you.

Phishing defined

Phishing is an attempt to obtain vital information about your identity—such as a password, your Social Security number, or similar sensitive data—by impersonating a bank, business, or colleague you do business with. It's sometimes called social engineering because, instead of hacking into computer code, it's an attempt to win your confidence and trust.

Phishing can be done by letter or over the phone, but email is the most common vehicle. Phishing attempts are one of many types of spam (see sidebar).

How might phishing artists know that you have an account with PayPal or Bank of America? They don't. However, millions of people do, so a mass phishing attempt will inevitably hit some bullseyes. Likewise, a phisher might use a set of UCAR email addresses to send a note about "reaching your email limit" without knowing how many messages are in your queue.

All this makes it easy for a phishing attempt to appear legitimate at first glance—especially when it's early morning, your caffeinated beverage of choice has not been fully consumed, you're trying to speed through your in-box, and a message describes a financial account you really hold or looks like it's from UCAR or a university colleague (known as spoofing). For example, the message header might include:

UCAR Webmaster <noreply[at]ucar.edu>
UCAR Security Team <security1[at]ucar.edu>
UCAR Staff Notes <ucarstaffnotes[at]ucar.edu>

You can compare these to previous messages that you know are legitimate, but keep in mind that scam artists have become very good mimics of legitimate messages.

There's no risk in opening a message and reading it. But clicking on links inside the message can lead to trouble. So if something about the message smells "phishy," either delete it or investigate further.

Think before you click

What should you do if you're not sure whether the message you just opened is legitimate or not? When in doubt: don't click. Instead, use the best practices and examples below to help you become a human phishing detector.

It's useful to watch for incorrect grammar, misspellings in the text, or trick spellings within links (for example, "Arneriprise.com" looks like "Ameriprise.com" until you notice it's spelled
A r n e r i p r i s e).

If you're still unsure, apply "Rule Number 1": Verify the sender's identity before you share anything about yours. One way to do this is to perform an independent search for official contact information and then either start a fresh email message (i.e., don't hit "Reply") or initiate a phone call to ask if the message is legitimate.

More tips:

• Never provide a password, credit card number, or other sensitive information via email. No one involved in IT at UCAR or NCAR will ever ask you for your password in an email message, and neither will any legitimate business.
  
  
• Verify links before you click. The URL that you see in a message may differ from the actual URL that clicking would take you to. Before you click on a link in an email message, hover your mouse over the link. Compare the text you see with the link revealed as you hover. If they don't match, don't click. If you have any doubts, apply Rule Number 1.
  
  
• Legitimate messages from UCAR will always follow these best practices. For example, you will receive an email message about twice a year when your UCAS password is about to expire. That message will not ask you to click on a link. Instead it requires you to manually type in the correct web address.
  
  
• Learn to recognize the other signs of phishing, and help spread the word. Savvy systems administrators at UCAR and NCAR brought the infographic below to our attention. We encourage you to review and share it widely with colleagues, family, and friends. We also urge you to share this article with visitors and new employees.

The anatomy of an email phishing expedition, exposed. Using a sample message, each red flag calls out typical warning signs in these categories: From, To, Date, Subject, Links, Other Content, and Attachments. Click here or on the graphic to open a full-sized PDF for reading, printing, or downloading. (Graphic courtesy CyberHeist News, KnowBe4.com.)

    back to top