Phishing

 

“Phishing is a fraudulent attempt, usually made through email, to steal your personal information”. – PhishTank.

Phishing is unfortunately something that we have to learn to live with, it’s not going to go away any time soon. The best way to protect ourselves against phishing is to learn to identify it.

Things to look out for

1. A sense of:
   1. Urgency – makes you feel like you have to do something quickly, so you don’t take the time to wonder if the email is suspicious.
   2. Fear – for example, if you don’t click on the link, your account will be deleted, or you will be fined.
   3. Promise of reward – lottery win notifications, or “I am the widow of a rich person” type of email.
   4. Guilt or sympathy – “I am dying of…” type of email.
   5. So if an email makes you feel: guilty, panicky, afraid, or greedy, stop and ask yourself why. It’s probably a phishing email.
2. ‘To‘ and ‘From‘ address – these can be trivially forged and show false information. Often the ‘To’ address isn’t even your email address, a legitimate email would be addressed to your actual email address.
3. Web link – check to see if the link is in the UCL domain (ucl.ac.uk), it could look like a legitimate UCL URL but check by hovering over it as it could be going somewhere else entirely.
4. Asking you to respond with your username and/or password – no legitimate email will ask you to do this.
5. Unexpected attachment – some phishing emails come with attachments that when opened will compromise your computer.
6. Headers and signatures – these can be forged, phishing emails often use them to appear more legitimate.

The consequences of responding to a phishing email (or opening an attachment in a phishing email) are that an attacker can steal your information and/or take control of your machine.

If you are ever unsure whether an email is a phishing email or not, before you click or respond, just ask us – isg@ucl.ac.uk.

In my next blog post I will be talking about test phishing campaigns.