Spring 2024

Hook, Line, and Sinker: Don’t Get Reeled in by Phishing Scams!

Peta-Gaye Taylor

We have all been victims of phishing attacks. People on the internet trying to get our sensitive information, offering to give us the world, but first please insert your bank details or click on these suspicious links. This is Phishing and something we all need to know and be aware of.

What is Phishing?

Phishing is a form of digital deception that aims to get people to reveal their sensitive information. This information can be used to manipulate, profit from and hurt victims. The International Business Machines Corporation (IBM) states that phishing attacks may come in the form of fraudulent emails, text messages, phone calls or websites. These are designed so users can download malware, share sensitive information, or expose themselves or their organizations to cybercrime. Phishing is extremely dangerous and can lead to identity theft, data breaches and financial loss.

There are different types of phishing attacks:

  1. Email Phishing is a cybercrime where the attacker sends a fraudulent email that appears to be legit. This email will have links and requests that can lead to data breaches.

  2. Spear phishing is a specific type of Phishing where the attacker targets a specific individual in a large group. For example, an attacker targeting an undergraduate student at the University of Waterloo via email, requesting them to engage with suspicious links.

  3. Pop-up Phishing normally occurs when individuals subscribe to notifications from a website. The User will then get notifications alerting them of false claims like “your laptop is being hacked” or “MacBook failure.” These are attention grabbers that aim to trick you into interacting with whatever links, that may download malware to your device. 

  4. Whaling / CEO Fraud This is a type of spear phishing where the attacker impersonates your CEO or the CEO of another company. This fraudulent email may aim to convince you to purchase gift cards or transfer money to the attacker’s bank.

  5. Social Media phishing This type of attack appears on social media sites like Instagram, LinkedIn, Facebook, Snapchat. The main objective of this type of phishing is gain control of your social media accounts or to get persona data from you and your followers/friends on these platforms.

How to recognize and avoid Phishing

Fortunately, there are some signs to alert that correspondence is a phishing attempt:

  1. Bad Grammar should immediately alert you that the message you have received is not from a legitimate source. Misspelt words, run-on sentences and misused homonyms and homophones are frequently seen in phishing attacks.
  2. Deals and opportunities that seem too good to be true should set alarms off. Offers from a company reaching out to you to offer a position that allows you to “work 2 hours a week to get $700” may not be a company at all.
  3. Urgency. if the message encourages immediate action or has an unreasonable sense of urgency, it might be best to ignore it altogether. Phishing emails are notorious for offering “limited deals” and offers that will expire in a “few minutes”. Reputable organizations usually give a reasonable amount of time for a response.
  4. Misrepresentation when the message you are receiving comes from an unusual sender. Getting emails about University of Waterloo business from accounts that are not from @uwaterloo.ca should get your spidey senses tingling. Though not all, most organizations have their own unique email domain. However, don’t get too comfortable! Phishing attacks can come from “friendly emails” and emails with a reputable domain. Several social engineering techniques can make email addresses seem “legit” like spoofing.

All these features may not be present in a phishing attack, however, seeing even one of these features should get you suspicious enough to investigate further, not interact or report it.    

Suspect you are a victim of a Phishing Attack?

If you suspect you are the victim of phishing, there are some things you can do to investigate:

  • How is the grammar?
  • What is the email address?
  • Is there a profile picture?
  • Is it urging you to click any links or reveal any information?

Ask yourself these questions and act accordingly. If you still are not sure, hover over any URLs mentioned and see what the actual link is and where it will take you. You can also contact the source (your university, your bank or your manager) directly and see if the request is legitimate.

If you think you are a victim of a phishing attack. DO NOT ENGAGE, Forward email to soc@uwaterloo.ca. You can also contact the Arts Computing Office (ACO) or the Information Systems & Technology at the University of Waterloo (IST) for more information.

Phishing is extremely dangerous and can have catastrophic, devastating, and annoying effects. Be vigilant, be safe and be smart. 

References

  1. https://health.ucdavis.edu/cybersecurity/learning-center/spot-phishing-messages#:~:text=%22Phishing%22%20emails%20appear%20to%20be,to%20share%20valuable%20personal%20information.%22
  2. https://www.ibm.com/topics/phishing
  3. https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams
  4. https://phishing.org
  5. https://www.fortinet.com/resources/cyberglossary/types-of-phishing-attacks
  6. https://www.getcybersafe.gc.ca/en/blogs/what-whaling
  7. https://www.barracuda.com/support/glossary/ceo-Fraud#:~:text=CEO%20Fraud%20is%20a%20type,to%20reveal%20other%20sensitive%20information