Phishing attempts start with a click

UB faculty, staff and students are receiving more fraudulent emails, phone calls and text messages than ever before. But what actually happens when your personal information gets compromised?

According to Catherine J. Ullman, UB’s senior information security analyst, the threat could be immediate and wide-reaching.

“Someone with your UBITName and password also has access to your social security number, which means they could use your identity to open credit accounts,” Ullman warns.

“More and more often, people are looking at your credit score when you try to apply for a job or rent an apartment,” she says, noting these important life steps could be compromised if a scammer has access to just one account — especially if that account has the same password as the user’s other accounts.

Discussions about cyberattacks in the media often focus on the increasingly sophisticated methods scammers use to steal private data. But Ullman says the same old tricks, designed to exploit human psychology, are still being used. And they’re as effective as ever.

“It’s really about social engineering,” she explains. “No matter whether an email message, text message or phone call, scammers urge you to act quickly on an incentive rooted in either desire for something positive — as in the recent fake job offer emails targeting UB students — or to avoid something negative, like your account being locked or having to pay a penalty on your taxes.”

This simple appeal to human nature can be incredibly effective. Ullman recalls one email, targeted at faculty, that complimented faculty members on their “good article” (generic language like this, Ullman points out, is one indicator of a phishing attempt), and then requested more information.

“That one had about a 77 percent success rate in getting people to click,” Ullman says.

When it comes to email, the signs of a phishing attempt are much the same as ever: deceptive headers, illegitimate website links, spelling and grammatical errors. Learn more about recognizing a phishing attempt on the UBIT website.

“Context is important,” Ullman says. “One or two of these things might not catch your attention. But when you look carefully and see a few of these things at once, you know you might be dealing with a fraudulent email.”

She stresses that email is not a secure method to safely transmit personal data like passwords and social security numbers, which is why UB will never ask for personal data, like your password, in an email.

Members of the UB community are encouraged to report phishing attempts to abuse@buffalo.edu. A step-by-step guide on reporting phishing attemps is available on the UBIT website.

This action is important because when a fraudulent phishing email is reported, IT security staff spring into action. “First, we try to get the URL in the email taken down,” Ullman says, adding that even if someone accidentally clicks the link, the page won’t open. If the email links to a page mimicking a UB login page, additional steps are taken. “We also block the URL at UB’s border, so the page can’t be accessed from campus,” she says.

IT staff communicate the risk to the entire campus using the UBIT Alert system. There is also a log of phishing attempts that mimic UB’s login portal on the UBIT website, which lists the date, subject and main indicators for fraudulent email.

Faculty, staff and students who think they may have been the victim of a scam should cease any communication with the perpetrator immediately. They then should change the passwords on any accounts that were involved in the scam and contact any financial institutions involved. And they should file a complaint at the Internet Crime Complaint Center.

Anyone who thinks their identity has been stolen can report the theft and start a recovery plan at the Federal Trade Commission website.