Phishing attacks are a constant threat for Biological Sciences Division (BSD) staff and faculty.

Every day, 156 million phishing emails are sent and 8 million of these emails are opened. The emails often appear to be sent by legitimate businesses or from employees within the organization and often bypass email filters. The goal is to fool you into clicking on a link within the email and prompt you to reveal confidential information or download malicious software.

Review the following resources to learn how to protect yourself and how to report suspicious communications.

How Phishing attacks work:

  • Information harvesting: The goal is to fool you into clicking on a link to get your login and password, or your credit card number. These websites look legitimate, with exactly the same look, imagery and feel of your online bank or store, but they are fake websites designed by the cyber attacker to steal your information.
  • Website infection: The goal is to infect your computer when you click on a link which directs you to a website that silently installs malicious software on your device. This gives a cyber-criminal full control.
  • Malicious attachments: The goal is to infect your computer when you open a malicious attachment, such as PDF files or Microsoft Office documents. When these attachments are opened, malicious software is silently installed on your device and gives a cyber-criminal full control.
  • Social Engineering: Classic examples include notices that you’ve won the lottery, charities requesting donations after a recent disaster, or a dignitary who needs to transfer millions of dollars into your country and would like to pay you to help them with the transfer. Don’t be fooled; these are scams created by criminals who are after your money.

How to protect against Phishing attacks:

  • Be suspicious of any email that requires “immediate action” or creates a sense of urgency. This is a common technique used by criminals to rush people into making a mistake.
  • Do not click on links in emails. Instead, go to the business’ webpage in a separate browsing window and log in to your account.
  • Hover your mouse over the link (without clicking). This will show you the true destination of the link. If it is different from what is shown in the email, it may be an indication of fraud.
  • Remember that no one will ever ask for your username and password for any reason. Don’t share your login credentials when requested via an email or other means.
  • Be suspicious of grammar or spelling mistakes; most businesses proofread their messages carefully before sending them.
  • Just because you received an email from someone you know does not mean that person actually sent it.
  • If an email claims to be from our medical center, the BSD or the University, and asks you to provide your private information, it is a scam.
  • Send suspicious emails to the BSD Information Security Office at Security staff can take extra steps to protect everyone when we’re made aware of the exact attacks.

Additional Resources

BSD UCM Phishing Email Assessment and Prescriptive Education Initiative

Federal Trade Commission: Phishing Scams