Phishing remains the most common and successful cyberattack method, accounting for a significant portion of successful data breaches.
Introduction
Phishing remains the most common and successful cyberattack method, with phishing accounting for a significant portion of successful data breaches. However, modern phishing attacks have evolved far beyond the obvious “Nigerian prince” emails of the past. Today’s phishing campaigns are sophisticated, targeted, and often indistinguishable from legitimate communications.
Understanding how to recognize and respond to these evolving threats is crucial for protecting both personal and University data.
The Evolution of Phishing
Traditional phishing was often easy to spot due to:
- Poor grammar and spelling
- Generic greetings (“Dear Customer”)
- Obvious urgency tactics
- Suspicious sender addresses
- Low-quality formatting
Modern phishing has eliminated these telltale signs:
- Perfect grammar and professional formatting
- Personalized content using publicly available information
- Sophisticated social engineering tactics
- Legitimate-looking sender addresses
- AI-generated content that mimics authentic communication styles
Types of Phishing Attacks
Email Phishing: The most common form involves fraudulent emails designed to steal credentials or install malware. University-targeted examples include:
- Fake IT security alerts requesting password updates
- Fraudulent research collaboration invitations
- False financial aid or billing notifications
- Impersonated communications from University administrators
Spear Phishing: Highly targeted attacks that use specific information about the recipient:
- Messages appearing to come from known colleagues or supervisors
- Attacks timed to coincide with academic events or deadlines
- Communications using internal terminology and processes
- Campus leadership
- Department heads and principal investigators
- Faculty with access to sensitive research data
- Staff responsible for financial systems
Smishing (SMS Phishing): Text message-based attacks have increased dramatically:
- Fake campus security alerts
- False parking violation notifications
- Fraudulent messages about account suspensions
- Emergency communications requesting immediate action
Vishing (Voice Phishing): Phone-based social engineering attacks:
- Callers impersonating IT support requesting credentials
- False emergency situations requiring immediate financial transfers
- Surveys designed to gather personal information
- AI-generated voice clones of trusted individuals
Telltale Signs of Phishing
UMB’s Warning Banner
CAUTION: This message originated from a non-UMB email system. Hover over any links before clicking and use caution opening attachments.
Urgency Without Verification
- Threats of account suspension within hours
- Emergency financial requests
- “Limited time” offers requiring immediate response
- Demands for immediate credential verification
Unusual Requests
- Requests for passwords or sensitive information via email
- Unexpected file downloads or software installations
- Unusual payment methods or financial transactions
- Requests to click links for account verification
Subtle Technical Indicators
- Slightly misspelled domain names (umayland.edu instead of umaryland.edu)
- Generic URLs that don’t match the supposed sender
- Unexpected attachments, especially executable files
- Email addresses that don’t match the sender’s claimed identity
Social Engineering Tactics
- Appeals to authority (“The Dean requires immediate action ...”)
- Fear-based messaging (“Your account will be deleted ...”)
- Curiosity exploitation (“Confidential document attached ...”)
- Reciprocity pressure (“Help us help you by providing ...”)
If You Receive a Suspicious Message
- Avoid clicking links, downloading attachments, or responding to the message
- Take screenshots of suspicious communications
- Forward the message to UMB IT Security and Compliance
- Alert colleagues who might receive similar messages
- Report the suspicious email via the Phish Alert Button. This also will remove the message from your inbox after reporting.
If You Accidentally Responded
- Act quickly; time is critical in limiting potential damage
- Update passwords for any accounts that may be compromised
- Watch for unauthorized activities or changes
- Monitor bank and credit card accounts for fraudulent activity
- Contact UMB IT Security and Compliance immediately
If You Downloaded Malware
- Unplug network connections to prevent data theft
- Avoid accessing sensitive information until the device is cleaned
- Contact the Help Desk, report the incident, and request malware removal
Creating a Security-Conscious Culture
Every member of our University community plays a role in cybersecurity. Your vigilance helps protect not just your own information, but also potentially sensitive data belonging to students, colleagues, and research partners.
- When you report phishing attempts, you help protect the entire University community. Cybersecurity is a team effort that requires active participation from everyone.
- Phishing tactics evolve constantly. Stay engaged with University security communications that get posted to The Elm, campus webpages, and training opportunities to maintain current knowledge of emerging threats.
- Remember, when something seems too urgent, too good to be true, or just feels “off,” trust your instincts and verify before acting. Taking a few minutes to confirm the authenticity of a request could prevent significant financial loss and protect sensitive University data.
- The goal is not to become paranoid about every communication, but rather to develop the skills and habits necessary to distinguish legitimate requests from sophisticated attempts at deception.