Phishing and Social Engineering

Phishing and social engineering are the terms used to describe how cyber criminals trick people into clicking malicious links, opening email attachments, and handing over their data. How do they do it? Read on to find out how to identify a scam and what countermeasures we can take as a community.

March 2018: Dropbox Phishing

Recently, the IT Division was notified about a phishing attempt that looks like an email sharing Dropbox files with you. The link leads to a look-alike sign-in page, not Dropbox, where you are prompted for your username and password. Once you enter them, the cyber criminals use your account to send out more phishing and spam messages.

If you click on a suspicious link and type in your username and password, please navigate to​ and reset your password.

Why do cyber criminals phish people? There are many possible motives. Some campaigns are run by organized criminal enterprises, and much of the activity originates overseas, which helps explain why phishing and spam messages often contain grammatical errors. Geography, language, and the social pressure a message applies are all clues worth noticing.

The goal of phishing is to get you to click a link or reply to an email and either enter your username and password, or download and install malware that holds your data hostage (ransomware) or steals your credentials. Sometimes it is impossible to tell what a phishing message is really after; the IT Security Office has seen seemingly innocuous emails escalate into malicious behavior.
How can I tell if an email is spam or phishing?
Incorrect Use of Punctuation and Grammatical Errors
Look for bad punctuation in phishing and spam messages. Often the message reads a little oddly, with strange or even bizarre word choices. This is usually the result of a cyber criminal translating the message from another language into English. You can see the effect yourself by translating a paragraph from English into another language and back again: "The quick brown fox jumped over the lazy dogs" can come back as "The fast fox jumps over lazy dogs".

Urgent Call to Action and Threatening Language
Cyber criminals want you to make a mistake as soon as you open their email. They want you to click a link hastily or reply with sensitive information before you have time to think. A common example is an email claiming that your "mailbox is over its size limit" and telling you to reply with your username and password to avoid having your email shut off. We have also seen scams that combine an urgent call to action with threatening language, such as the IRS scams that recur between January and April every year. These often start as a phone call threatening penalties, jail time, and fees unless you immediately wire money or hand over your credit card number.

Anything That Makes You Feel Uncomfortable
Sometimes cyber criminals will send you an intentionally incendiary email. There could be many reasons for this: to gain your attention and trust, to check whether you respond, or simply to upset you so that you click a hyperlink in a follow-up email without thinking. Malware can be hidden in Word documents, and if you are busy reading an upsetting email you may not stop to consider that the sender's real goal is to get you to open the attachment.

Offers That Are Too Good to Be True
Although we have all heard this phrase, it still rings true with cyber criminals. The rule for any presentation is to know your audience, and cyber criminals know theirs. The IT Security Office has seen creative phishing and spam campaigns targeting faculty, staff, and students. Sometimes all three groups receive the same message, but cyber criminals learn from their mistakes and have found that carefully targeted emails can work very well.

Capitalizes on Current Events
Spam and phishing that use current events are particularly effective. Cyber criminals prey on your desire to help others by sending you fake donation pages. Sometimes the goal is to capture your credit card number; other times it is simply to pocket the donation. Do your research before donating to an organization online.

What phishing attacks target Faculty?
Sometimes phishing and spam are easy to spot, but sometimes they are very difficult. Here are some phishing attacks that the IT Security Office has seen:

Phish: You are invited to present at a conference, but need to pay a nominal fee to secure your attendance.
Scam: There is no conference, and the fee is too low for law enforcement to investigate.

Phish: You receive an email to sign up for an account to access a database of research in your field.
Scam: The site exists only to capture the password you choose. Cyber criminals hope you reused your University password; if you did, they now have access to your email.

Phish: You receive an insulting or incendiary email that you respond to.
Scam: The cyber criminal sends you a link to refute your argument. The link installs malware on your computer.
What phishing attacks target Students?
Sometimes phishing and spam are easy to spot, but sometimes they are very difficult. Here are some phishing attacks that the IT Security Office has seen:

Phish: You receive an email to be a personal assistant and run errands for $250 a week.
Scam: After gaining your trust, you are asked to deposit a check. The check is fake, and once it bounces you are responsible for the money.

Phish: An email is sent with a subject line about a class cancellation, and a link to login for more information.
Scam: The link is to a site that harvests account credentials to be used to gain access to University resources.
What phishing attacks target Staff?
Sometimes phishing and spam are easy to spot, but sometimes they are very difficult. Here are some phishing attacks that the IT Security Office has seen:

Phish: You receive an email from someone's personal Gmail account asking for information.
Scam: There is no personal Gmail account. A cyber criminal is impersonating someone else.

Phish: A well-written email informs you that your "Mailbox is over its size limit" and tells you to "Click here".
Scam: The link either installs malware on your computer or leads to a page that steals your credentials.

Phish: UPS Shipping notification is sent via email.
Scam: After you click on the link you are directed to a malicious website.
Can I protect myself?
Yes you can! Follow the quick steps below to protect yourself against most phishing attacks.

  1. Hover your mouse over a link to see the real URL before clicking on it, and compare it with what the link text claims.
  2. Don't open attachments from unknown senders.
  3. Look for spelling mistakes and odd grammar.
  4. Never send your password in an email.
  5. If an email seems phishy, call the sender, using a phone number you already have rather than one given in the email.
  6. If an offer is too good to be true, it usually is.
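The hover check in step 1, done programmatically. This is an added example written for this page, not the IT Division's own tooling: it pulls every link out of an HTML email body, recovers the real destination (the href) and compares it with the text the reader sees, which is exactly what hovering reveals in a mail client. The sample message, its hostnames and the IP address are constructed for illustration.

```python
"""Check where a link really goes before anyone clicks it.

Added example (not part of the original page or the IT Division's tooling).
It does offline what hovering over a link does in a mail client: it recovers
the real destination (the href) of every link in an HTML email body and
compares it with the text the reader sees. The sample below is constructed;
the hostnames and IP address in it are made up.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML email body. Link 1 shows a Dropbox URL as its
# text but points elsewhere; link 2 is benign; link 3 goes to a bare IP.
SAMPLE_EMAIL_HTML = """
<p>A file has been shared with you.</p>
<p><a href="http://dropbox-share.example.net/login">https://www.dropbox.com/s/abc123</a></p>
<p>Questions? See the <a href="https://www.dropbox.com/help">Dropbox Help Center</a>.</p>
<p><a href="http://203.0.113.9/mail/quota">Click here to increase your mailbox size</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; tolerates a missing scheme such as www.example.com."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def looks_like_url(text):
    """True if the visible link text itself reads like a URL or domain name."""
    return re.match(r"^(https?://|www\.|(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/|$))", text, re.I) is not None


def is_ip_host(host):
    """True for a bare IPv4 literal, a common sign of a throwaway phishing server."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def assess_link(href, text):
    """Return the reasons a link deserves a second look (an empty list means none)."""
    reasons = []
    real_host = host_of(href)
    # The hover check: the text claims one site, the href goes to another.
    if looks_like_url(text) and host_of(text) != real_host:
        reasons.append(f"text shows {host_of(text)} but the link goes to {real_host}")
    if is_ip_host(real_host):
        reasons.append(f"destination is a bare IP address ({real_host})")
    if href.lower().startswith("http://"):
        reasons.append("destination uses plain http, not https")
    return reasons


def suspicious_links(html):
    """All links in an HTML body that trip at least one check, with their reasons."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        reasons = assess_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print(f"    {reason}")
```

The first link is the Dropbox case described above: the text reads www.dropbox.com but the href goes to a different host, which is what a hover would show. A link whose visible text is a plain phrase ("Click here") cannot be checked this way, so the other two tests (bare IP destination, plain http) catch some of those; none of the checks replaces looking at the destination yourself before signing in.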

This is great, but how can we fight back?
It's great that you want to fight back, but it doesn't happen overnight. Fighting cyber criminals is slow work, but over time we can reduce the number of spam and phishing emails we receive. The most effective thing you can do is report phishing and spam. When you report a message in Outlook, you help Microsoft build the telemetry it uses to stop cyber criminals from phishing other people.

Follow the link HERE to learn about more ways you can fight back against cyber criminals.
