Phishing is always on our radar here at ASU. It remains the #1 successful attack vector for hackers to get your personal information year after year. Understanding the social engineering schemes of phishing is key; rather than “break into” your accounts or information, these attackers find it’s easier in many cases just to ask you for your information.
For example, phishers can glean information we willingly post to social media platforms to guess popular password constructions or the answers to security questions. They can also pose as figures from your workplace or a reputable organization you do business with as they probe for information through multiple channels.
ASU is not alone in these schemes. Many, if not most, organizations have seen attempts from phishers to pose as someone you know and trust. In our case, they might pose as someone you work with at ASU. In these scams, you may be asked to send your password, or to log in through a link that appears to lead to an official ASU site.
We can assure you that ASU will never ask for your password, and almost any other company or organization won’t either. You can also spot an attacker by carefully studying the sender’s email address; at first glance it can appear genuine, but there is usually one character off or some other inconsistency.
A few examples of ASU email addresses that look almost correct but are likely malicious:
Note how the first two are from email providers where anybody can create their own address. The third is almost right; however, it isn’t really from “asu.edu.” If there is anything after “@asu.edu”, the message comes from a different domain, which anybody can register.
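The domain rule above, as an added example that is not part of the original post: a small Python check that pulls the real mailbox out of a From: header and classifies its domain the way the article describes. The free-webmail list and the sample headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

# The institution's real domain, as given in the article ("@asu.edu").
TRUSTED_DOMAIN = "asu.edu"
# Providers where anyone can register any mailbox name (constructed list).
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the real mailbox in a From: header.
    parseaddr() separates the display name from the angle-bracketed address,
    so a display name that merely *says* "helpdesk@asu.edu" cannot hide the
    mailbox the message really came from."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def classify_sender(from_header: str) -> str:
    """Apply the article's rule: text *before* "asu.edu" (a subdomain) is
    fine; text *after* "@asu.edu" means a different, attacker-registrable
    domain. Returns trusted, freemail, lookalike, external or invalid."""
    domain = sender_domain(from_header)
    if not domain:
        return "invalid"
    if domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN):
        return "trusted"
    if domain in FREEMAIL_DOMAINS:
        return "freemail"
    # "asu.edu.example.net" or "asu-edu.example": the real name is only a prefix.
    if TRUSTED_DOMAIN in domain or re.sub(r"[^a-z0-9]", "", domain).startswith("asuedu"):
        return "lookalike"
    return "external"


# Constructed sample From: headers (not real addresses).
SAMPLE_FROM_HEADERS = [
    '"helpdesk@asu.edu" <asu.helpdesk@gmail.com>',          # display-name spoof
    "ASU IT <asu-it-support@yahoo.com>",
    "ASU Accounts <accounts@asu.edu.secure-login.example>",  # text after @asu.edu
    "IT Support <support@it.asu.edu>",                        # legitimate subdomain
    "Payroll <payroll@vendor.example>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(f"{classify_sender(header):9s} {header}")
```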
Phishing emails almost always include a call to action, such as clicking a link or sending some kind of information, framed as a way to head off some frightening consequence. Many phishing scams involve posing as representatives of the IRS. The links in these emails can install malware on your device without your knowledge, lock your computer until you pay a “fee” (this is called ransomware), collect information from your device, or do any number of other things that will disrupt your day.
“Whaling” is another aspect of phishing. These schemes involve “high-value” targets, such as high-ranking officials or employees, and are usually more tailored to a target’s identity to appear more legitimate.
All of these tactics can be combated with a few easy steps:
Think twice before opening unsolicited emails.
Be extremely cautious of any messages or phone calls asking for your personal information.
Think before opening attachments.
Don’t open links from anyone you don’t know; even if they look credible, they might lead to something that leaves you vulnerable.
If a message looks suspicious, send it to email@example.com for review.
If you find yourself the victim of phishing:
You should immediately change your password, along with the password of any other account that used the same password you gave to the attacker. Always set different passwords for different accounts.
If the attack collected personal information, such as your Social Security number, that could be used to steal your identity, consider using the ASU ID protection service provided through our partner AllClear ID. For more information, please visit https://getprotected.asu.edu/creditsafety.
Notify the Information Security office immediately so we can look for unusual activity and potentially protect others. Contact us at firstname.lastname@example.org.
You can find a full list of tips at https://getprotected.asu.edu/information/phishing.
Make sure to follow UTO on Twitter @ASU_UTO.