Skip the Phish

phish-ing – /’fiSHiNG/ – noun. The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

A day does not go by without a phishing attack against university accounts. According to UFIT, last year alone there were over 6 billion malicious emails sent to university accounts, and with that many, some are bound to get through.

Over the past year there has been a disturbing trend: a marked increase in phishing attacks launched from compromised UF accounts. In simple terms, legitimate UF accounts are being hacked, and those hacked accounts are then being used to phish other people at the university. Amazingly, the level of complexity in these attacks is very high; the attackers have created fake UF login pages that look very much like the real thing, but those pages will capture your username and password when you attempt to log in to them.

You may be wondering why these bad actors are interested in phishing your UF account, but the answer is as simple as any grift: the bad guys want to steal money. With your UF login credentials they can theoretically re-route your direct deposit information in the UF payroll system. This means your paycheck would go to their bank account, and then they would disappear off into the sunset.

Now that we know what these phishing attacks are about and why they are happening, let us look at a few things you can do to protect yourself from falling victim to them.

  1. Be Suspicious – The most important thing you can do is be suspicious of any email telling you that you must take an action, or follow a link, that you are not expecting. Phishing attacks attempt to coerce you into taking an action. Frequently they will inform you that they are suspending your account unless you confirm it, or that they are sending you a bill / payment.
  1. Enroll in 2FA – Dual Factor Authentication requires that you both KNOW A THING (password) and HAVE A THING (security token). The UF DUO Dual Factor system uses either your cell phone, your desk phone, or a unique key fob as your second factor. That means if your password is compromised, the bad guy would not be able to log in as you because they do not have your security token. To enroll in DUO please visit https://it.ufl.edu/2fa/
  1. Check the IT Alerts Portal – When phishing attacks are caught at UF, they are frequently posted on the UF IT Alerts Portal. You can check the portal yourself for recent phishing emails; the URL is https://alerts.it.ufl.edu/
  1. Alert UF IT – When in doubt, send the email to “abuse@ufl.edu” and if it is a phishing email, they will record it.
  1. Educate Yourself – Please read the “Identity Theft and Scams” page by the UF IT Security Team at https://security.ufl.edu/learn-information-security/protect-yourself/email/id-theft-scams/phishing-email/
  1. Call the Help Desk – If you accidentally fall victim to a phishing attack, please call the UF Help Desk immediately for assistance with changing your password and enrolling in Dual Factor Authentication. Their phone number is 352-392-HELP (4357).

If you follow the above guidelines, you will help keep your UF account safe and secure.