Phishing attempts: it starts with a click


Published October 10, 2018

UB students, faculty and staff are receiving more fraudulent emails, phone calls and text messages than ever before. But what actually happens when your personal information gets compromised?

According to Dr. Catherine J. Ullman, UB’s Senior Information Security Analyst, the threat could be immediate and wide-reaching.

“Someone with your UBITName and password also has access to your social security number, which means they could use your identity to open credit accounts,” Dr. Ullman warned.

“More and more often, people are looking at your credit score when you try to apply for a job or rent an apartment.” These important life steps could be compromised if a scammer has access to just one of your accounts—especially if that account has the same password as your other accounts!

It's human nature

Discussions about cyber attacks in the media tend to focus on the increasingly sophisticated methods scammers use to steal private data. But according to Dr. Ullman, the same old tricks, designed to exploit human psychology, are still being used. And they’re as effective as ever.

“It’s really about social engineering,” Dr. Ullman said. “No matter whether an email message, text message or phone call, scammers urge you to act quickly, on an incentive rooted in either desire for something positive—as in the recent fake job offer emails targeting UB students—or to avoid something negative, like your account being locked or having to pay a penalty on your taxes.”

This simple appeal to human nature can be incredibly effective. Dr. Ullman recalls one email, targeted at faculty, that complimented the faculty member on their “good article” (generic language like this, Dr. Ullman points out, is one indicator of a phishing attempt), and then requested more information.

“That one had about a 77% success rate in getting people to click,” Dr. Ullman said.

Stay vigilant, and stay safe

When it comes to email, the signs of a phishing attempt are much the same as ever—deceptive headers, illegitimate website links, spelling and grammatical errors. You can learn more about recognizing a phishing attempt on the UBIT website.

“Context is important,” Dr. Ullman said. “One or two of these things might not catch your attention. But when you look carefully and see a few of these things at once, you know you might be dealing with a fraudulent email.”

Dr. Ullman reminds everyone that email is not a secure method for transmitting personal data like passwords and social security numbers. That’s why UB will never ask for personal data, like your password, in an email.

See something? Say something

UB students, faculty and staff are encouraged to report phishing attempts to abuse@buffalo.edu. To be sure all the important information is included, see the step-by-step guide for reporting a phishing attempt on the UBIT website.

This action is important because, when a phishing email is reported, IT security staff spring into action. “First, we try to get the URL in the email taken down,” Dr. Ullman says. That way, even if someone accidentally clicks the link, the page won’t open.

If the email links to a page mimicking a UB login page, additional steps are taken. “We also block the URL at UB’s border, so the page can’t be accessed from campus,” says Dr. Ullman. IT staff communicate the risk to the entire campus using the UBIT Alert system. There is also a log of phishing attempts that mimic UB’s login portal on the UBIT website, which lists the date, subject, and main indicators for each fraudulent email.

What do I do if my account has been compromised?

If you think you may have already been the victim of a scam, cease any communication with the perpetrator immediately. Then, change the passwords on any accounts that were involved in the scam. Be sure to contact any financial institutions involved. Lastly, file a complaint at the Internet Crime Complaint Center: https://www.ic3.gov.

If you think your identity has been stolen, report the theft and start a recovery plan at https://identitytheft.gov/.