Week 1 - Now Showing: Recognizing and reporting phishing

The reviews are in: phishing is popular among hackers and can be catastrophic for organizations. Phishing makes up 44% of social engineering incidents, and 98% of phishing incidents are via email. But it isn't enough to simply know that phishing emails are out there. You also need to be able to recognize and report them.

Lights. Camera. Hack-tion

Let's preview some of the big hacker heists that hit the screens this year:

Urgent message

An urgent phishing email is designed to get you to act fast. It might tell you that your account was hacked or will be deactivated — click here to restore it! Fear makes people do things without thinking, so slow down!

Login or password message

Another type of phishing email asks you to verify your account by logging into a (fake) webpage or updating your credentials. These emails can collect your username and password, giving a hacker instant access to your account.

Corporate communications

According to the 2023 Verizon Data Breach Report, business email compromise attacks have almost doubled across their entire incident dataset. We've seen this firsthand with our customers. Hackers use corporate communications and emails from stakeholders such as HR or leadership, which tend to have the highest click rate. An internal message phishing email might ask you to click on a link to read and sign a policy, read a document about a company-wide update or even hand over sensitive information.

Examples of "bad actors" trying to impersonate people at TAMU-CC:

• Human Resources department: They scare you into believing something is wrong with your employment or health safety. They may tell you to visit an unusual website to verify your information or receive health information. They may give you a malicious file attachment (e.g., Word or PDF document) that supposedly answers some urgent questions or could ask for personal information.
• Information Technology: They scare you into believing your account is disabled for unknown reasons or you have been locked out of an application. They may tell you to go to an unusual website to recover what they claim you lost. Or they may give you a malicious file attachment (e.g., Word or PDF document) that supposedly has instructions for recovering your access. Account-related activities will all be through My IslandID, so you can ignore these messages.
• President or other organizational leaders at TAMU-CC: They tell you they need your specific and urgent assistance on something, like buying gift cards or getting your cell phone number. To make you think you should not verify who it is, they may also claim they cannot come to the phone because they are in a meeting. If they are texting your cell phone, you cannot confirm who it is, and the university cannot block them from contacting you directly. Think about it: Would the President really feel like they could not stop a meeting and call you directly? And do you usually buy gift cards for the President?

Reward or "free gift" message

Receive an invite to a free movie premiere? Be on high alert! Free things are enticing, but they can also be dangerous. Hackers are trying to bait you into clicking a malicious link.

If you think you may have encountered a phishing email, forward the email to security-incident@tamucc.edu. Once the Office of Information Security is notified, they can help you determine if it is a phishing email. Whatever you do, do not click on any links, open any attachments, reply to the email, or send it to anyone else!