The email looked legitimate and contained an urgent request. Plus, it came from the dean!

“I need you to help me get gift cards now, and I will reimburse you back when I get back to the office.”

The hook dangled, just waiting to snag the unsuspecting employee but, fortunately, she was not caught by the scam attempt or, as it’s commonly called, phishing.

Other University employees may react too quickly to phishing emails like this one, which professional thieves have personalized. Some messages ask for verification of a financial account, while others ask the receiver to wire funds or to open an attachment that leads to a website created to steal personal information. Some even look like a request from the chancellor.

“Professionals are at work. They study us and know who our supervisors are, who our finance people are and know all about our business process. They can create customized emails designed specifically for you to look like they came from your boss or your best friend,” said Charlie Mewshaw, information security operation and incident handling team lead.

Attackers study organizational charts and will prey on our desire to help our colleagues, Mewshaw said. Checking the sender’s email address and verifying links are critically important.

The University’s automated controls block millions of phishing attempts and malicious links annually. Unfortunately, attackers adapt, and some attempts slip through the cracks. Recently there has been an increase in impersonation attempts and gift-card-related scams, according to Mewshaw.

With that increase in mind, here are some reminders and resources to help you avoid phishing.

How to spot a phishing message

Some common signs of phishing include:

presenting messages with a sense of urgency requesting action on the part of the recipient

acting on a sense of familiarity

forged links

bad grammar

Top tips

Use a technique called “hover to discover” to determine if links in messages are legitimate or malicious. Place the cursor over a link and wait for the destination to display on screen to verify where the link will take the browser. For phones, hold a finger on an on-screen link and don’t lift it until the URL is displayed.

Make sure that the “from” address actually ends in an @unc.edu domain and isn’t something cleverly formatted like yourname.unc.edu@gmail.com.

Know that ITS does not send emails threatening to cut off account access unless a user logs in to “verify” their account.
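One way to automate the “from” address tip above, as an added example that is not part of the original article or any University tool. The allow_subdomains option and every sample header except yourname.unc.edu@gmail.com are constructed assumptions.

```python
from email.utils import parseaddr

TRUSTED_DOMAIN = "unc.edu"  # the domain named in the tip above


def check_sender(from_header, trusted=TRUSTED_DOMAIN, allow_subdomains=False):
    """Return (ok, reason) for a raw From header value.

    allow_subdomains is an assumption of this example: the tip names only
    @unc.edu, so subdomains are rejected unless the caller opts in.
    """
    display, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return False, "no parsable address"
    local, domain = addr.rsplit("@", 1)
    domain = domain.rstrip(".").lower()
    if domain == trusted:
        return True, "address is at " + trusted
    if domain.endswith("." + trusted):
        return allow_subdomains, "address is at subdomain " + domain
    # Rejections: the reason names the trick the header resembles.
    if trusted in local.lower():
        return False, "trusted name is in the mailbox part, real domain is " + domain
    if trusted in display.lower():
        return False, "trusted name is only in the display name, real domain is " + domain
    if trusted in domain:
        return False, "look-alike domain " + domain
    return False, "external domain " + domain


# Constructed sample headers; only the second address appears in the article.
SAMPLES = [
    "Dean Smith <dean.smith@unc.edu>",
    "yourname.unc.edu@gmail.com",
    '"Office of the Dean unc.edu" <dean.office@gmail.com>',
    "ITS Help <help@unc.edu.example.net>",
    "ITS Help <help@notunc.edu>",  # ends in "unc.edu" but is a different domain
]

if __name__ == "__main__":
    for header in SAMPLES:
        ok, reason = check_sender(header)
        print("PASS" if ok else "FLAG", "|", header, "|", reason)
```

This inspects only the address shown in the header, which a sender can forge; it complements, and does not replace, server-side authentication such as SPF, DKIM and DMARC.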

Resources