Week 1 - Don’t get burned by scam emails
Phishing makes up 44% of social engineering incidents, and 98% of phishing incidents arrive by email. But knowing that phishing emails exist is not enough: you also need to be able to recognize one and report it.
Here are some chef's tips on how to spot a phishing email so you do not get burned:
Urgent message
An urgent phishing email is designed to make you act before you think. It might say, "Your account was hacked or will be deactivated. Click here to restore it!" Fear pushes people to act without thinking, so slow down and verify through a channel you trust before doing anything.
Login or password message
Another type of phishing email asks you to "verify" your account by logging in to a fake webpage or updating your credentials. The fake page looks like the real login screen, but it captures whatever username and password you type, giving the attacker immediate access to your real account.
Corporate communications
According to the 2023 Verizon Data Breach Investigations Report, business email compromise attacks almost doubled across the entire incident dataset. We have seen this firsthand with our customers. Attackers imitate corporate communications, especially messages that appear to come from HR or leadership, because those tend to have the highest click rates. An internal-looking phishing email might ask you to click a link to read and sign a policy, open a document about a company-wide update, or hand over sensitive information.
Examples of "bad actors" trying to impersonate people at TAMU-CC:
- Human Resources department: They scare you into believing something is wrong with your employment or your health coverage. They may tell you to visit an unfamiliar website to verify your information or retrieve health information, or they may send a malicious attachment (e.g., a Word or PDF document) that supposedly answers some urgent question or asks for personal information.
- Information Technology: They scare you into believing your account has been disabled for unexplained reasons or that you have been locked out of an application. They may tell you to go to an unfamiliar website to recover what they claim you lost, or they may send a malicious attachment (e.g., a Word or PDF document) that supposedly contains instructions for restoring your access. Legitimate account-related activity at TAMU-CC always goes through My IslandID, so a message that sends you anywhere else can be ignored and reported.
- President or other organizational leaders at TAMU-CC: They say they need your specific and urgent help with something, such as buying gift cards or providing your cell phone number. To discourage you from verifying, they may also claim they cannot take a call because they are in a meeting. If they are texting your cell phone, you cannot confirm who is really sending the message, and the university cannot block them from contacting you directly. Think about it: would the President really be unable to step out of a meeting and call you directly? And do you usually buy gift cards for the President?
Reward or "free gift" message
Received an invitation to a free movie premiere? Be on high alert. Free things are enticing, but they can also be dangerous: the "reward" is bait to get you to click a malicious link.
When you smell phish, report it immediately – or you might get burned
If you think you may have received a phishing email, forward it to security-incident@tamucc.edu. If your mail client can forward the message as an attachment, do that, because it preserves the original message headers the Office of Information Security uses to trace the sender. Once notified, the Office of Information Security can help you determine whether it is a phishing email. Whatever you do, do not click any links, open any attachments, reply to the email, or send it to anyone else!
Free Webinar
Speaker Series: Texas Health and Human Services Cyberland Speaker Series
Speaker: Stephanie (Snow) Caruthers, Chief People Hacker, IBM X-Force
Date/Time: Tuesday, October 8, 10am - 11am
Human hacking is the oldest hack in the book. Join us in the Deception Dominion as we recount successful social engineering case studies and how they could have been avoided, plus a peek into the future of how AI will aid vishing attacks.