Phishing and Other Social Engineering Scams
The Internet is wild and untamed. While there are many useful and productive reasons to be surfing, there will always be nefarious groups attempting to steal your private information one way or another. One common technique these groups use is phishing, also called webpage spoofing. Phishing is a form of social engineering attack, where internet thieves attempt to manipulate you into performing certain actions or divulging your confidential information. Phishing attempts to get you to give up your confidential information by pretending to be a legitimate website or e-mail. The e-mails or web pages may look very convincing at first glance; many people don’t notice any difference from genuine content, which is why phishing is used so frequently.
Once a user turns over sensitive information (such as login credentials or credit card numbers), the thieves will begin almost immediately to find ways to profit from it. They may attempt to log into your campus account and access your student or financial information, or they may try to access your online bank accounts, which can harm you, the University, or both.
Technology can help reduce the risks from phishing, but there is much you must do to stay as protected as possible. Let’s examine some key things to look out for to avoid becoming a victim of a phishing attack.
Fake UIS Site Example
Below are sample screenshots from a recent fake site claiming to be the UIS Blackboard site. At first glance, this site appears very much like the real, valid UIS Blackboard site. However, there are some key elements missing from this site. Let’s take a closer look.
[Screenshot: fake site viewed from Internet Explorer 9]
There are several warning signs shown here to look out for, including:
- The location starts with http:// not https://
- The location site (the part of the location URL in bold) is not “uis.edu”
- There is no security lock displayed
In Firefox, in addition to the warning indicators listed above, when you click on the icon to the left of the location, it also displays the following important information:
- The web site’s identity cannot be verified
- The connection to the web site is not encrypted
Valid UIS Site
Now let’s compare the screenshots from the valid UIS Blackboard Learning site.
[Screenshot: real site viewed from Internet Explorer 9]
Again, there are several key things to look for, including:
- The location starts with https://
- The location site (the part of the location URL in bold) is “uis.edu”
- The security lock is displayed
In Firefox, when you click on the icon to the left of the location, it also displays the following important information:
- The web site’s identity is verified to be uis.edu
- The connection to the web site is encrypted
Tips for Safe Surfing
By following the tips below, you can dramatically reduce the risk that your confidential information will be used against you or the University via phishing attacks such as the one shown above.
- When going to a site that requests login credentials or other sensitive data, type in the URL manually rather than clicking on links from e-mails, search engine results, or other untrusted sources.
- When you arrive at the site, before entering any sensitive information, take a moment and verify that the security markers you expect are present:
  - Does the URL start with https://? If the URL does not start with https:// (the ‘s’ is the most important piece), there is a stronger chance that any information you provide could be stolen.
  - Get in the habit of looking at the address line. Were you directed to “https://bb.uis.edu”? Does the address line display something different, like “http://www.gotyouscammed.com/bb.uis.edu”? Be aware of where you are going.
  - Does the site provide identity information? Legitimate sites will be able to offer proof that they are legitimate. Use the browser’s security features to verify that the site has been shown to be legitimate.
- Don’t use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don’t know the sender.
- If you think you may have provided login credentials to a fake site, CHANGE YOUR LOGIN PASSWORD IMMEDIATELY! Do not wait until later, as thieves can quickly begin using your credentials to access more of your sensitive information.
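The address-line checks from the tips above, written as a small JavaScript function. This is an added example, not part of the original UIS page: the function name `checkLoginUrl` and the sample URLs other than the two quoted in the tips are constructed for illustration. It goes slightly beyond the tips by also catching addresses that merely contain or end with “uis.edu” without actually being on that site.

```javascript
// Added example, not part of the original page. "uis.edu" and the first two
// sample URLs come from the page; every other name and URL is constructed.
const TRUSTED_DOMAIN = "uis.edu";

function checkLoginUrl(rawUrl, trustedDomain = TRUSTED_DOMAIN) {
  const problems = [];
  let url;
  try {
    url = new URL(rawUrl); // standard URL parser (browsers and Node.js)
  } catch {
    return { ok: false, host: null, problems: ["not a valid absolute URL"] };
  }

  // Marker 1: the location must start with https://
  if (url.protocol !== "https:") {
    problems.push(`location starts with ${url.protocol}// not https://`);
  }

  // Marker 2: the site must be the trusted domain or a subdomain of it.
  // Compare the parsed host name; "uis.edu" appearing elsewhere in the
  // address (in the path, or in the middle of the host) does not count.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (host !== trustedDomain && !host.endsWith("." + trustedDomain)) {
    problems.push(`site is "${host}", not "${trustedDomain}"`);
  }

  // Anything before "@" is login info, not the site name.
  if (url.username || url.password) {
    problems.push('text before "@" is user info, not the site');
  }

  return { ok: problems.length === 0, host, problems };
}

// Constructed sample addresses, checked offline (nothing is fetched).
const SAMPLE_URLS = [
  "https://bb.uis.edu",
  "http://www.gotyouscammed.com/bb.uis.edu",
  "https://bb.uis.edu.login.example/",
  "https://bb.uis.edu@login.example/",
  "https://not-uis.edu/",
];

for (const sample of SAMPLE_URLS) {
  const result = checkLoginUrl(sample);
  console.log(result.ok ? "OK     " : "SUSPECT", sample, result.problems.join("; "));
}
```

A passing result covers only the address line; the security lock and the site identity shown by the browser still need to be checked as described above.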
For more ideas on protecting yourself against scams and fraud while online, see the Anti-Phishing Working Group website. If you need additional assistance related to a phishing or other social engineering attack, please contact the UIS Technology Support Center at (217) 206-6000 or e-mail them at firstname.lastname@example.org.