Welcome to the third installment of our 12 month Cyber Security Awareness campaign. This month we’re covering one of the most common types of cyber attack – phishing. The University has recently been targeted by several different phishing attempts, so continued awareness and vigilance are essential.
What is phishing?
Phishing is a type of cyber attack in which criminals attempt to deceive recipients into revealing sensitive information such as usernames, passwords, or financial details or trick victims into clicking on links or downloading malicious software (malware). These attacks fall into categories depending on the source or nature of the phishing attack:
- Email Phishing – Fraudulent emails are designed to appear to be from reputable sources, tricking recipients into clicking on malicious links or downloading harmful attachments.
- Spear Phishing – Sophisticated targeted phishing attacks where cybercriminals tailor their approach to a specific individual or organization, using personalized information to increase their apparent legitimacy.
- Vishing (Voice Phishing) – Phishing attacks conducted over the phone, with attackers pretending to be legitimate entities to lure a victim into disclosing sensitive information. Ofcom have warned that fraudsters are able to change their caller ID to impersonate, or ‘spoof’, reputable organisations: Number spoofing scams – Ofcom
- Smishing (SMS Phishing) – Phishing attacks via SMS, where deceptive text messages containing malicious links or requests for sensitive information or credentials. Staff members at the University have recently reported smishing attempts from individuals pretending to be senior managers.
How to recognize phishing attempts
Unfortunately the sophistication of phishing attacks is only increasing over time, particularly since the arrival of generative AI tools such as ChatGPT, which allow criminals to efficiently gather data about potential victims as well as craft more and more believable scenarios in their communications. Attackers are increasingly able to impersonate legitimate contacts or even inject themselves into ongoing conversations. Be aware that criminals will leverage psychological advantage where possible, for instance creating a sense of urgency or promising a rewarding benefit to the user. Here are some tips to help you spot potential scammers:
- Be wary of communications from unfamiliar or suspicious-looking contacts. Check for slight variations in sender addresses and domain names. Use your mouse to hover over links to preview the destination URL. If this doesn’t match the expected domain, don’t click.
- Avoid opening attachments or clicking on links in unexpected emails, especially if the content seems urgent or intimidating. When in doubt, check with the sender by phone or through a separate email or text message to confirm if the message has actually come from them.
- Be sceptical of requests for passwords, financial details, or personal information in any form of communication you receive. Try to independently verify the sender’s request by directly visiting known trusted sites for confirmation of contact details.
- Take your time to verify the sender’s identity or the origin of the communication. Attackers will often craft their messages to create urgency or warn of negative consequences if immediate action isn’t taken. It is in a criminal’s interest to compel you to act without thinking, and legitimate organisations rarely require immediate action in response to an email, phone call or text message.
Report suspicious communications
- Report any suspicious communications to: askIT@stir.ac.uk
- Flag all suspected phishing emails through the Report function in Outlook:
Complete your Cyber Security Training
Awareness of the threat is our best tool to prevent phishing attacks. Do your part by completing the free training available to all staff and students through the Metacompliance app, accessible directly here: https://universityofstirling.metacompliance.com/ or through Teams along the left-hand side navigation bar:
For more information
Visit our FAQ page on phishing: http://stir.ac.uk/253
Watch this video from Barclays bank: https://www.youtube.com/watch?v=SLEI_u3dyZI&index=5&list=PLecqH2uhOR0ZK5WFrGy30v86MzmvDvC9p
See the previous posts in this series:
October 2023 – Introduction to Cyber Security