Don't let a phishing scam reel you in

October 3, 2018

University Relations



From the Office of Information Technology

Cybercriminals use phishing — a type of social engineering — to manipulate people into doing what they want. Social engineering is at the heart of all phishing attacks, especially those conducted via email. Technology makes phishing easy. Setting up and operating a phishing attack is fast, inexpensive and low risk; any cybercriminal with an email address can launch one.

According to Verizon's 2017 Data Breach Investigations Report, the education sector has seen a rise in social engineering–based attacks. Students, staff and faculty all suffered losses when personal data and research were disclosed to unauthorized parties. Phishing played a part in more than 40 percent of these breaches.

Knowing what you're up against can help you be more secure. Here are a few things you can do to guard against phishing attacks:

  • Limit what you share online. The less you share about yourself, the smaller the target you are for a phishing attack. Cybercriminals use information you post online to learn how to gain your trust.

  • Protect your credentials. No legitimate company or organization will ask for your username and password or other personal information via email. UAF definitely won't. Not sure if the email is a phish? Email the UAF OIT Helpdesk. 

  • Beware of attachments. Email attachments are the most common vector for malicious software. When you get a message with an attachment, delete it — unless you are expecting it and are absolutely certain it is legitimate.

  • Confirm identities. Phishing messages can look official. Cybercriminals steal organization and company identities, including logos, and use URLs that closely resemble the legitimate links they're trying to imitate. There's nothing to stop them from impersonating UAF and other schools, financial institutions, retailers and a wide range of other service providers.

  • Trust your instincts. If you get a suspicious message that claims to be from an agency or service provider, use your browser to manually locate the organization online and contact them via their website, email or telephone number.

  • Check the sender. Check the sender's email address. Any correspondence from an organization should come from an organizational email address. A notice from UAF or another university is unlikely to come from "YourIThelpdesk@yahoo.com."

  • Take your time. If a message states that you must act immediately or lose access, do not comply. Phishing attempts frequently threaten a loss of service unless you do something. Cybercriminals want you to react without thinking; an urgent call to action makes you more likely to cooperate.

  • Don't click links in suspicious messages. If you don't trust the email or text message, don't trust the links in it either. Beware of links that are hidden by URL shorteners or text like "Click Here." They may link to a phishing site or a form designed to steal your username and password.

  • Still unsure? The UAF OIT Service Desk is a great resource to get a second opinion on the legitimacy of an email or attachment. The OIT Get Help page gives students, faculty and staff multiple ways to reach out for phishing verification or security questions.