January 30, 2013 | You’ve probably gotten more than one of them: emails that appear to be from UCAR or your bank, asking for passwords or other sensitive information. If so, then someone is phishing—and if you get hooked, it could be risky for you and the organization.
In late 2012, members of the Security Engineering Group (which serves all of NCAR and UCAR from its base in CISL) detected a spike in successful "phishing" attempts. The group teamed with CISL colleagues in the Web Engineering Group and took action to remedy the situation from an engineering point of view (see Transition from People Search to Staff Directory).
But phishing can't be stopped by engineering alone, especially in an organization that values communication and staff accessibility. Here’s a primer on how to keep phishers from snagging you.
Phishing is an attempt to obtain vital information about your identity—such as a password, your Social Security number, or similar sensitive data—by impersonating a bank, business, or colleague you do business with. It's sometimes called social engineering because, instead of hacking into computer code, it's an attempt to win your confidence and trust.
Phishing can be done by letter or over the phone, but email is the most common vehicle. Phishing attempts are one of many types of spam (see sidebar).
How might phishing artists know that you have an account with PayPal or Bank of America? They don't. However, millions of people do, so a mass phishing attempt will inevitably hit some bullseyes. Likewise, a phisher might use a set of UCAR email addresses to send a note about "reaching your email limit" without knowing how many messages are in your queue.
All this makes it easy for a phishing attempt to appear legitimate at first glance—especially when it's early morning, your caffeinated beverage of choice has not been fully consumed, you're trying to speed through your in-box, and a message describes a financial account you really hold or looks like it's from UCAR or a university colleague (known as spoofing). For example, the message header might include:
UCAR Webmaster <noreply[at]ucar.edu>
UCAR Security Team <security1[at]ucar.edu>
UCAR Staff Notes <ucarstaffnotes[at]ucar.edu>
You can compare these to previous messages that you know are legitimate, but keep in mind that scam artists have become very good mimics of legitimate messages.
There's no risk in opening a message and reading it. But clicking on links inside the message can lead to trouble. So if something about the message smells "phishy," either delete it or investigate further.
What should you do if you're not sure whether the message you just opened is legitimate or not? When in doubt: don't click. Instead, use the best practices and examples below to help you become a human phishing detector.
It's useful to watch for incorrect grammar, misspellings in the text, or trick spellings within links (for example, "Arneriprise.com" looks like "Ameriprise.com" until you notice it's spelled
A r n e r i p r i s e).
If you're still unsure, apply "Rule Number 1": Verify the sender's identity before you share anything about yours. One way to do this is to perform an independent search for official contact information and then either start a fresh email message (i.e., don't hit "Reply") or initiate a phone call to ask if the message is legitimate.