It is week four and the last week of Cyber Security Awareness Month. This week is all about recognising and reporting phishing. There is also the last chance to win a £20 Amazon voucher.
Recognising and Reporting Phishing
Phishing emails are common these days and whilst email filtering does a good job of removing some, if not most, of them from our mailboxes, some will always get through. Chances are the ones that get through are the harder ones to spot.
Stop Skimming and Start Studying
We receive so many emails that we tend to skim them rather than fully read them, but when we do this, we take unnecessary risks. There can be clues on both the surface and just below the surface of the message that can alert us to things that aren’t right.
What to look out for in a phishing email:
- “From” addresses, URLs, and embedded links can all masquerade as things they aren’t. Do not take these items at face value (even if a name, logo, or other identifiers seem familiar and safe). On your PC, hover over (or “mouse over”) these pieces of content and examine the info that appears (you will often see the true destination of a web address in the bottom left of your browser window). On mobile devices, use a “long press” or “long click” and review the information in the pop-up window. If there appears to be a mismatch between what you expected to see and what is actually presented, steer clear.
- The content or topic of a message might not be quite right or not fully relevant to you. Be on alert if the tone of an email from a colleague, friend, or relative seems inappropriate or just doesn’t “sound like” them. Likewise, be sure to question receipt of an invoice or shipping notification that doesn’t make sense based on your ordering history. Thoroughly read what is written; don’t just skim past details.
- Misspellings and poor grammar can be indicators that the email did not originate from a trusted source. This is particularly true with messages that appear to be from a well-known, well-established individual or organisation.
- In general, any unsolicited email (that is, any email that you were not explicitly expecting to receive) should be looked at carefully. But you should be particularly wary of any email that seems like it’s designed to trigger an emotional response (fear, surprise, excitement, concern) and that urges you to respond or act in some way (click a link, download a file, confirm/change a password, etc.).
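The first indicator in the list above (a “From” address or link that masquerades as something it isn’t) is one that can be checked mechanically before a human reads the message. The following Python script is an added example and is not part of the original newsletter, nor UCL’s or Proofpoint’s material. It parses a constructed sample message (every name, address and domain in it is invented, and the .test top-level domain never resolves) and reports the two mismatches the bullet describes: a display name that implies a different address than the real sender, and link text that names a different site from the link’s true destination. The set of trusted internal domains is an assumption supplied by the caller.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example: every name, address and domain
# below is invented (the .test TLD is reserved for examples and never resolves).
SAMPLE_EML = """\
From: "UCL IT Services (it-services@ucl.ac.uk)" <helpdesk@ucl-support-example.test>
To: someone@ucl.ac.uk
Subject: Action required: install the new security software
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please install the new security software today.</p>
<p><a href="http://login.ucl-support-example.test/update">https://www.ucl.ac.uk/isd/security-update</a></p>
<p><a href="https://www.ucl.ac.uk/isd">Information Services</a></p>
</body></html>
"""

# An e-mail address embedded in free text, capturing its domain part.
ADDRESS_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
# A hostname (optionally preceded by http:// or https://) embedded in link text.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def normalise_host(host):
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def same_site(text_host, href_host):
    """True when the host named in the link text is the real destination, or a
    parent of it (so text 'ucl.ac.uk' covers a destination 'login.ucl.ac.uk')."""
    text_host, href_host = normalise_host(text_host), normalise_host(href_host)
    return href_host == text_host or href_host.endswith("." + text_host)


def check_links(links):
    """Flag anchors whose visible text names a different site than the href."""
    findings = []
    for href, text in links:
        claimed = HOST_RE.search(text)
        if not claimed:
            continue  # a plain label such as "Information Services" makes no claim to test
        href_host = urlparse(href).hostname or ""
        if not same_site(claimed.group(1), href_host):
            findings.append(f"link text shows {claimed.group(1)} but points to {href_host}")
    return findings


def check_sender(display_name, addr_spec, trusted_domains):
    """Flag a display name that implies a different address than the real one,
    and a sender domain outside the caller's trusted set (an assumed input)."""
    findings = []
    addr_domain = addr_spec.rsplit("@", 1)[-1].lower()
    claimed = ADDRESS_RE.search(display_name)
    if claimed and claimed.group(1).lower() != addr_domain:
        findings.append(f"display name claims {claimed.group(1)} but address is {addr_spec}")
    if addr_domain not in trusted_domains:
        findings.append(f"sender domain {addr_domain} is not an expected internal domain")
    return findings


def triage(raw_message, trusted_domains):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = msg["From"].addresses[0]
    findings = check_sender(sender.display_name, sender.addr_spec, trusted_domains)
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(body.get_content())
        findings.extend(check_links(collector.links))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML, trusted_domains={"ucl.ac.uk"}):
        print("!", finding)
```

Run on the sample, the script reports three findings: the display name claims a ucl.ac.uk address while the real sender is on another domain, that sender domain is outside the trusted set, and the first link's text names www.ucl.ac.uk while the href goes elsewhere. The second link is not flagged because its label is plain text and makes no claim about its destination; the tool only tests claims the message itself makes, which is the same question a reader asks when hovering over a link.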
Think It Through
After you read an email, take a moment to digest it. What you want to do is give yourself the space to act thoughtfully, rather than just reacting in the moment. Be particularly cautious with any email that requests a response or action that could compromise sensitive data, devices, or systems.
Verify, Verify, Verify!
It’s critical to remember that, with phishing scams, things are never what they seem. The reality is that a message can look and even sound legitimate but still set off a warning bell. For example, an email that comes from a corporate IT address and tells you to download new security software can seem trustworthy; it appears real and is on topic. But would that really be the process your IT department would follow?
- Instead of clicking on a link, open your web browser and type in a known, trusted URL and navigate to the site yourself.
- Instead of replying to an email or calling a number included in the message, do your own fact-finding. Use an email address or phone number that you are able to confirm.
- If you’ve received a questionable message from a colleague or friend, contact them via another channel (like a phone call or text message) to make sure they sent it.
- Reach out to the UCL Information Security Group for advice (and to alert them that there is a potential active phishing threat).
See these short videos from Proofpoint on spotting warning signs and why reporting is so important.
Would you like to help UCL researchers improve cybersecurity training (and possibly win an iPad)?
On the topic of phishing, we are working with UCL researchers who are running an independent study on how to improve phishing detection. They need volunteers to take a few minutes of their time to help. Participation includes the chance to win an iPad. If you would like to take part in this study, please register your interest here: https://forms.office.com/r/7c7GeKZZ2y
Launch of CybSafe
Just to let you know that next week we will be launching CybSafe, our new mandatory information security training platform, to all staff. CybSafe is a more immersive cyber security training tool which contains up-to-date training and a knowledge base. It is an NCSC-approved learning platform with short, engaging modules which should take no longer than 30 minutes to complete. If you have any questions on CybSafe please email firstname.lastname@example.org.
Be in with a chance to win a £20 Amazon voucher by answering the following question:
What is the new mandatory information security training platform called?
Send all entries to email@example.com with the subject line: Cyber Security Awareness Month – Week Four.
Entries will only be accepted from UCL email addresses.
*Thanks go to Proofpoint for helping to provide some of the content for this year’s Cyber Security Awareness Month.