Campus News

Don’t take the bait

Employees have a new and easy way to report phishing attempts — a button in Outlook mail.

black and white puppies and a skunk
Phishing is when an email purporting to be from a legitimate source attempts to trick you into volunteering your personal or credential-related information. These messages vary in content, but all claim to be from legitimate sources.

Phishing is still a problem, so don’t take the bait and get hooked, says Assistant Vice Chancellor for Institutional Privacy and Chief Information Security Officer Dennis Schmidt.

“Phishing is our greatest threat. Of all the things we do and all the threats out there, phishing is still number one on my list,” he says. Phishing is fraudulently sending emails to obtain information under false pretenses.

Attacks against educational institutions are increasing significantly, up 29% worldwide and 17% in the United States, according to Checkpoint Software, an organization that tracks that data. Each institution averages about 443 attacks each week, though Carolina probably gets more than that, Schmidt says. Attacks using ransomware are also on the rise. On average, successful ransomware attacks cost institutions about $3.78 million each.

As of Sept. 15, Carolina employees have a quick and easy way to report phishing messages directly to Microsoft by using a button located in the Outlook mail toolbar. The report automatically goes to Microsoft for evaluation. If it is a phishing message, Microsoft can then flag it worldwide and remove it from mailboxes.

Schmidt recently spoke to the Employee Forum about how to avoid falling for a phishing message. What follows is a condensed version of his remarks in a question and answer format.

Is phishing still a problem?

At Carolina, we still fall for phishing emails. Our IT department sent mock phishing messages to employees. About 40% of the faculty and staff responded to a message by clicking on the link and 30% of them provided their ID and password. That’s very concerning. IT staff are also vulnerable: 24% of the IT staff clicked on the link and 8% provided login credentials.

For those employees who fall for the phish, we provide a training session to remind them of good email practices. Phishing has evolved over the last 10 years, from sending a generic message to targeted messages.

What are some clues that an email might be a phish?

A telltale sign is a sense of urgency. The email subject line might ask for account verification within the next 24 hours, or you’ll lose access.

We still see bad grammar, but not as much as before. They’re getting better English speakers to draft more believable messages. If you see a message that just doesn’t seem to make sense, chances are it’s a bad one.

Roll over the hyperlinks with your cursor to check the URL. In some cases, it may be totally different.

One of the most important things to check is who the email is from. Look at the entire “from” line, not just the name. In 90% to 95% of the cases, looking at the from line can tell you if it’s a bad message. Phishing messages may look like they come from somebody you know, so expand the email address in addition to the name. In Outlook, you can do this by right clicking on the name to open the contact card. On an iPhone, touch the name to expand it to see if it’s a UNC email address.

Do phishers impersonate people?

Impersonation attempts are one of our bigger threats, and we’ve seen a lot of successful ones on campus. Phishers study employees who might be targets, figuring out jobs, supervisors and organizational structures.

As an example, a phisher might target an administrative assistant for a senior leader using a free email address. The leader’s name will come up in the from line, but if you expand it, it will be the leader’s name.unc.edu@gmail.com or another free email address.

The message might say: “I’m stuck in a meeting. They won’t let us use cell phones in the meeting. My niece has a birthday party coming up, and I really need you to go pick up some gift cards for me. I’ll pay you back when I get out of a meeting, but I really need those. All I need you to do is scrape the numbers off the back, take a picture of them and send them to me.”

To please the boss, the email recipient makes the purchase and sends the numbers. That may sound strange, but that has happened over and over again on our campus. People fall for this scheme and use their own money in the process.

In another example on campus, a business officer got an email claiming to be from the chief information officer with a request to wire money. The business officer immediately recognized it as a phishing email and reported the message.

What if an employee does get hooked? What should they do?

If you’ve fallen victim to a phishing message and submitted your log-in credentials, immediately change your password by going to the onyen services page. Call the service desk at 919-962-HELP and let them know so that ITS can take a look at it.

We also can help clean up your account, if the phishers have made changes to the back end of things. Our goal is to make you safe.

Where can we go for more information?

Visit safecomputing.unc.edu. I’m also available to give presentations at staff meetings if your team is interested in hearing more.