What is Phishing?
Phishing is a form of cybercrime that uses email and other communication channels to trick people into divulging personally identifiable information (PII). PII is data that, either on its own or when combined with other data, can be used to identify a specific individual. Social security numbers, bank account numbers, credit card numbers, medical records, educational records, mailing addresses, biometric records, and username and password combinations are all examples of PII.

Phishing Statistics:

  • 1 in 14 users were tricked into following a link or opening an attachment, and a quarter of those fell victim more than once. (1)
  • Almost half of the confirmed breaches in the education sector involved social engineering tactics.  (1)
  • Phishing is the most prevalent social engineering tactic used against educational institutions.  (1)
  • 90+% of phishing attacks are used to steal credentials.  (1)

1. Verizon Data Breach Investigations Report

How Does Phishing Work?
Cybercriminals pose as legitimate businesses or organizations and send socially engineered messages to trick their victims into:

  • Providing their credentials (username and password) or other personally identifiable or private information
  • Launching malicious files on their computers
  • Following links to malicious websites
  • Opening attachments that plant malware on the user's device, which then steals credentials and other PII directly by capturing the data as the user enters it

While the majority of phishing messages are delivered via email, they can also come from other sources, including:  

  • Phone calls/Voicemails
  • Fraudulent software (e.g., fake anti-virus)
  • Social Media messages (e.g., Facebook, Twitter)
  • Advertisements
  • Text messages

Why Phish SAC?
Colleges like SAC store and manage hundreds of thousands of records containing PII, which makes us a target-rich environment. The market for stolen PII is enormous: a single stolen record can sell for anywhere from a couple of dollars to a couple of thousand dollars, depending on the type of information. This makes SAC data a lucrative target for phishers.

How Does Phishing Endanger SAC?
Phishing is one of the top cybersecurity threats the College faces because it is often the primary attack vector used to obtain the information needed to launch other types of attacks. Even a simple action such as replying to a phishing email, voicemail, or text, opening an unknown attachment, or clicking a link in the message poses a serious security risk.

  • Identity Theft:
    • Once you provide your personal information in response to a phishing attempt, it can be used to access your financial accounts.
    • Additionally, the theft of PII held by the College can constitute a reportable breach, which poses a significant financial risk for SAC.

  • Compromising Institutional Information:
    • If your SAC account is compromised, cybercriminals may be able to access sensitive institutional information such as research data.
    • Credentials obtained through phishing can be used to get inside the College network, making it easier for cybercriminals to move laterally toward protected resources.

  • Loss of data:
    • Some phishing attacks attempt to deploy crypto-malware, better known as ransomware, on your machine: malicious software that encrypts the files on a computer and denies the owner access to them until a ransom is paid.
    • Ransomware attacks can result in the loss of personal data, as well as institutional and/or research data that is improperly kept only on a single user device with no backup.

  • Malware infection: 
    • Some fraudulent emails include links or attachments that, once clicked, download malicious software to your computer. 

How to Spot a Phishing Message
A phishing message usually contains clues that give it away. Look for the following:

  • The message creates a sense of urgency meant to provoke a quick response, typically by telling you that you must act immediately in order to:
    • Avoid a negative consequence, such as having your email access shut off
    • Receive a positive benefit, such as a financial incentive
    • See or learn something exciting or forbidden
  • Most phishing messages include at least two of the following telltale features:
    • Shows a sender display name that differs from the email address the message was actually sent from
    • Claims to be from a legitimate company but comes from an email address that is not linked to that company (e.g., claims to be from DHL but comes from a Gmail account)
    • Has no branding of any kind (no SAC or other company logo, email signature, etc.)
    • Refers to SAC departments or services that do not exist
    • Uses unusual words, syntax, or phrasing, or contains simple spelling and grammar mistakes
    • Includes direct links to login pages
    • Includes an attachment with a generic name
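Several of the features in this list can be checked mechanically. The Python script below is an added example for this page, not a SAC tool: it parses a raw email with the standard library and reports which telltale features it finds (a display name showing a different address than the one the mail came from, a claimed brand whose sender domain does not match, urgency wording, direct links to login pages, and generically named attachments), then applies the "at least two features" rule of thumb. The brand-to-domain table, the keyword lists, and the two sample messages are constructed for the example; the .example URL and the Gmail sender are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: brands a phisher might impersonate -> domains that really send for them.
BRAND_DOMAINS = {"dhl": {"dhl.com"}, "sac": {"staugustine.edu"}}

URGENCY = re.compile(
    r"\b(immediately|within 24 hours|urgent|suspended|shut off|"
    r"account will be (?:closed|locked|disabled)|verify now|act now)\b", re.IGNORECASE)
# A URL whose host or path advertises a credential prompt.
LOGIN_URL = re.compile(
    r"https?://[^\s\"'<>]*(?:login|signin|sign-in|verify|password)[^\s\"'<>]*", re.IGNORECASE)
# Attachment names that say nothing about their contents.
GENERIC_ATTACHMENT = re.compile(
    r"^(?:document|invoice|attachment|file|scan|doc)\d*\.(?:pdf|docx?|xlsx?|zip|html?|exe)$",
    re.IGNORECASE)
EMAIL_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def phishing_indicators(raw_message: str) -> list:
    """Return the telltale features found in one raw (RFC 5322) message."""
    msg = message_from_string(raw_message)
    hits = []
    display_name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = str(msg.get("Subject", ""))

    # Displayed sender differs from the address the mail actually came from.
    shown = EMAIL_IN_NAME.search(display_name)
    if shown and shown.group(0).lower() != addr.lower():
        hits.append(f"display name shows {shown.group(0)} but mail is from {addr}")

    # Claims to be a known brand but comes from an unrelated domain.
    claimed = f"{display_name} {subject}".lower()
    for brand, legit in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", claimed) and domain and not any(
                domain == d or domain.endswith("." + d) for d in legit):
            hits.append(f"claims to be {brand.upper()} but sent from {domain}")

    # Walk the MIME tree once, collecting readable text and attachment names.
    text_parts, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text_parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(text_parts)

    # Urgency or a threatened consequence, in the subject or the body.
    found = URGENCY.search(f"{subject}\n{body}")
    if found:
        hits.append(f"urgency language: {found.group(0)!r}")
    # Direct links to login pages.
    hits += [f"direct login link: {url}" for url in LOGIN_URL.findall(body)]
    # Attachments with generic names.
    hits += [f"generic attachment name: {f}" for f in attachments if GENERIC_ATTACHMENT.match(f)]
    return hits


def is_suspicious(raw_message: str, threshold: int = 2) -> bool:
    """The rule of thumb from the list above: two or more telltale features."""
    return len(phishing_indicators(raw_message)) >= threshold


# Constructed sample: a lure impersonating the SAC helpdesk.
SAMPLE_PHISH = """\
From: "SAC IT Helpdesk helpdesk@staugustine.edu" <sac.support@gmail.com>
To: student@staugustine.edu
Subject: Your mailbox will be shut off in 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear user,
Your SAC email will be shut off unless you verify now at
http://sac-webmail-verify.example/login
--b1
Content-Type: application/pdf; name="document.pdf"
Content-Disposition: attachment; filename="document.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed sample: a routine notice from the real helpdesk.
SAMPLE_LEGIT = """\
From: SAC IT Helpdesk <helpdesk@staugustine.edu>
To: student@staugustine.edu
Subject: Scheduled portal maintenance this Saturday
Content-Type: text/plain

The student portal will be unavailable from 2 to 4 am on Saturday.
No action is needed on your part.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, is_suspicious(raw), phishing_indicators(raw))
```

Run it directly to see both samples scored. The script only covers the features in the list that a machine can judge reliably; references to departments that do not exist and odd phrasing still need a human reader, and a message that scores zero here is not thereby proven safe.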

What to Do If You Receive a Phishing Email
CONFIRM IT

  • Legitimate SAC College communications that have been reported to us as phishing are posted on our Yammer page for reference
  • If you don't see the message posted there, don't assume it is legitimate! It may be a new phishing attempt that hasn't been reported yet.

If you aren’t sure, DO NOT enter your credentials!

  • Always confirm a login page before entering your credentials: check that the address in your browser's address bar is the College's real login address, not just that the page looks right
  • Some phishing messages link to fake branded login pages that look just like the real ones

REPORT IT

If you are unsure about a message and cannot confirm that it is legitimate, forward it to Helpdesk@staugustine.edu and then delete it from your inbox.