This August, the University of Oregon community experienced a perilous seasonal phenomenon almost as familiar as sunshine and high temperatures: a flood of phishing emails.
Phishing scams attempt to trick the recipient into sharing sensitive information or establishing a relationship with a cybercriminal, who then proceeds to steal money, identities or intellectual property or gain unauthorized access to UO systems and data.
The phishing lures that proliferated most at the UO this August shared a similar approach. Both used tantalizing offers to entice UO community members to communicate via non-UO systems.
“If something seems too good to be true, it probably is,” said José Domínguez, interim chief information security officer. “Don’t take their bait.”
Cybercriminals target universities at the start of terms and over breaks, when people’s routines are disrupted. The fall surge of phishing emails typically starts in August, when semester schools start.
The latest phishing campaigns
In August, the Information Security Office saw two phishing scams proliferate.
One purported to offer several valuable musical instruments for free except for shipping costs. Another claimed to offer a personal assistant job paying more than $100 per hour.
Both campaigns were designed to move conversations off UO systems, beyond the scope of UO security measures. The first campaign asked people to send a text message to a phone number. The second asked the prospective job applicant to provide personal information through a form in Google Forms.
That exemplifies a trend the Information Security Office has observed in recent years. As the UO has increased the security of its own systems, cybercriminals seek to lure UO students, staff and faculty members into personal email, text and chat conversations, where UO systems can’t track malicious activity, as mentioned in 2021 and 2022.
However, the overall framework of the recent scams follows much older patterns of offering outsized rewards for little effort. Such scams can result in actual financial losses for individuals at the UO and elsewhere.
“We understand the temptation. Who doesn’t want to get something for almost nothing?” Domínguez said. “However, that temptation should raise a red flag for you. The only person who will come out ahead is the scammer.”
To distribute such malicious emails, the attackers often use a small handful of UO accounts that have already been compromised. The Information Security Office strives to identify such compromises quickly to deter further attacks and abuse.
To that end, Domínguez strongly encouraged all members of the UO community to report suspicious emails through the Report Phish button in Outlook or by forwarding them to firstname.lastname@example.org.
“Your reports help our team move faster to protect you and the rest of the university,” he said.
Domínguez also encouraged people to learn more about how to protect themselves from phishing attacks.
“We can stop or subvert about 99.6 percent of malicious email messages,” he said. “We are asking for your help with the 0.4 percent of messages that are not immediately detected.”
How to protect yourself
When in doubt about a message, UO community members can:
The Information Security Office offers the following tips for staying safe from phishing messages:
- Beware of tantalizing offers. If it seems too good to be true, it probably is.
- Don’t click links in suspicious messages.
- Don’t share confidential information, yours or the university’s.
- Beware of attachments. To avoid malicious software, or malware, delete any message with an attachment unless you’re expecting it and are absolutely certain it’s legitimate.
- Be wary of suspicious emails from UO accounts. Cybercriminals often distribute phishing messages from accounts they’ve compromised.
- Confirm identities. Cybercriminals often impersonate schools, financial institutions, health authorities, retailers and a range of other service providers by using official-looking logos and similar email addresses and URLs.
- Deny unexpected Duo requests. If you receive a Duo verification request when you’re not logging into a Duo-protected UO service, tap “Deny” in the Duo Mobile app or 9 on a Duo phone call. Then confirm the login was suspicious to alert UO staff.
- Keep your computer and other devices up to date. Those software and system updates often fix security gaps.
Information Services offers more tips to help determine if a suspicious email is malicious, as does the Federal Trade Commission.
All UO employees, including graduate employees and student employees, also can take the UO Cybersecurity Basics training to learn more about protecting accounts and devices.
If you’ve responded to phishing
Anyone who has responded to a suspicious email should immediately contact email@example.com and then consider the following next steps, depending on the situation:
- Entered Duck ID and password on a fake website? Go to Duck ID Account Management, change your password and revise security questions and answers.
- Entered UO ID number, also known as a 95 number, and corresponding password, or PAC, on a fake DuckWeb site? Go to DuckWeb, change the PAC and verify that no important information has been changed.
- Believe you’re the victim of an online crime, such as identity theft? Report it to UOPD at 541-346-2919 or online, no matter how minor it may seem. Identity theft happens when someone steals your personal information, such as your Social Security number, and uses it to obtain credit cards or loans or commit another form of fraud in your name.
To protect phishing victims, the Information Security Office will temporarily disable the account of anyone who has clicked a malicious link and potentially entered their credentials. To restore account access, users should contact the Technology Service Desk by phone at 541-346-4357 or by live chat.
—By Nancy Novitski, University Communications