Don’t Take the Bait
Phishing attacks occasionally get through even the best defenses, and UC Santa Barbara is no exception. With National Cyber Security Awareness Month in full swing, the university’s information security team is reminding the campus community to be careful with their email.
“Email is a path for criminals to do bad things. And some of those things happen right here on this campus,” said Sam Horowitz, the university’s chief information security officer. Just this past July, criminals impersonated Jeffery Milem, dean of the Gevirtz Graduate School of Education, in a phishing attack asking university staff to purchase iTunes gift cards on his behalf.
The FBI released a report in September detailing the scope of business email compromise, a form of phishing. The bureau recorded $26 billion in losses from this type of phishing between June 2016 and July 2019, though the actual figure may be higher.
Attackers often impersonate a trusted source like a work colleague and go through several correspondences to establish trust. Then they’ll ask for personal information, like usernames and passwords, or some sort of favor, like purchasing gift cards and giving them the codes. Criminals target students in particular with fake job offers, Horowitz said.
“In other setups, the email promises something wonderful or threatens dire consequences, usually with a time limit, enticing someone to go to a website that impersonates our own login page,” he added.
Fortunately, the university has many safeguards in place to attempt to prevent these scams from reaching inboxes and to catch them when they do. And an informed and observant campus community is part of this system.
Google provides nearly all email systems on campus, so the university benefits from the company’s strong security infrastructure. “Excepting, perhaps in China, Gmail is the major email provider in the world at this point,” said Shea Lovan, who oversees the campus’s email as the identity and collaboration architect. “And their message hygiene is essentially applying machine learning to those attacks across their entire collection of billions of accounts.”
Google incorporates user feedback to train its algorithms to recognize new phishing attacks. Both Horowitz and Lovan recommend reporting a message to Google if you suspect it is a phishing attack. You can do this directly from your online Gmail box. Simply click on the three vertical dots next to the date on the top right of the message and select “report phishing.”
If you use an email application like Apple Mail or Outlook, Lovan recommends logging into Gmail on a web browser specifically to report it to Google. If the company receives enough reports, they can delete phishing messages even after they’ve been delivered.
You can also report suspicious emails to the university’s IT team under the security tab on the IT website. Click “report a security incident,” and select “report harassing or unwanted email.”
Regardless of machine learning and advanced filters, the most important part of email security is the user. “You need to be skeptical,” said Horowitz, “you need to look carefully at the emails, you need to pay attention to anything that’s out of place or out of character.”
Be aware of peculiar grammar or messages that seem odd, and verify a sender’s actual email address when your email client displays only their name, Lovan suggested. If in doubt, confirm the message with the person through another channel.
“And nobody trustworthy will ever, under any circumstances, ask you for your password via email,” he added.