September 18, 2017
Criminals don’t take time off between quarters. Fraud doesn’t stop. Several of your fellow students have fallen victim to phishing attacks that have cost them money and embarrassment. There are multiple phishing campaigns on right now. Don't become another victim.
Phishing is when a criminal sends you an email message asking you to provide information, click a link, or open an attachment. Usually the message holds some promise of money or threat of having your account cut off if you don’t act quickly. Messages like these are almost always fraudulent.
To help protect yourself from these kinds of attacks, follow these campus-specific and general guidelines involving your UMail account.
- Phishing messages will often appear to come from reliable sources, including other UMail accounts. That makes it more likely that users will click on the link or open an attachment. It is easy to forge return addresses and make messages appear legitimate. Be skeptical of messages that ask you to take action urgently and promise negative consequences if you fail to act in a timely manner.
- Many email programs will display the actual URL if you hover over a link. Read the URL carefully. Many phishing sites look legitimate even though they are not. For example, a phishing message may use a link that directs to UCSB.org instead of UCSB.edu.
- Do not open attachments in email messages unless you are expecting them. Remember, it is easy to forge a return address. Just because a message comes from your friend does not mean that it’s friendly. If you have any doubt whatsoever, ask the sender before opening the attachment.
- Students in particular get offers of “employment” as personal assistants. These jobs come with no interview and usually ask students to deposit a check and send money out, usually in the form of gift cards. Don’t give anyone your bank account number. Don’t print checks. Don't take pictures of gift cards and send them to criminals. Many of these scams are very elaborate. Don’t fall for them!
Phishing is a metaphor. Criminals are dangling bait hoping that you will take a bite and get hooked. Be cautious and suspicious of anything that doesn't seem right, because it probably isn’t. Don't click on that link or open that attachment. Don’t give out your personal information, including your password. You may regret it.
Sam Horowitz, CISSP, CISM
Chief Information Security Officer
University of California Santa Barbara