The Internet Crime Complaint Center (IC3) has issued a nationwide warning regarding phishing attacks on human resource systems, in which phishers reroute employees’ direct deposits. This cautioning comes on the heels of a series of attacks, including the Sony security breach and a number of on-campus accounts being compromised in November. With this heightened awareness to online security, Vanderbilt IT has compiled the following information about phishing.
The simplest way to protect yourself from a phishing attack is by securing your passwords and other personal information. Many times, though, emails and websites appear to be legitimate, and we end up handing over the keys to our accounts ourselves. Review the below information to learn about what a phish looks like, common techniques used by attackers after an account is compromised, and best practices to protect yourself from becoming a victim of phishing.
A phish is made to look like an official email, be it from a friend, a business or even an organization. The email can come from a phony email address that may only be one or two characters different from the real account, or it can come from a real account that has already been compromised.
Among the many entities from which a phish pretends to originate, a phish can be made to look like an official VUIT email. In this case, the attacker’s goal will likely be to steal your VUnetID and ePassword. The message might state that your email box is full and that credentials need to be submitted to increase quota size before directing you to a webpage that will be made to look like a popular site, such as Amazon or iTunes, hosted on an external domain. Regardless of the type of phish, it will nearly always link to a site outside of Vanderbilt and ask for credentials to be submitted to the site.
Once attackers possess your credentials and your account is compromised, phishers can hide their activities through redirecting, deleting or forwarding emails that may catch your attention. In other words, you will not see any change to your account and will not know that there is someone else accessing your information. Even more damaging, they could use your VUnetID and ePassword to use applications, such as C2HR, and change your bank routing information (as IC3 has warned about this week).
If there is ever a question about the legitimacy of an email, please contact the VUIT Help Desk, your local support person or Security Operations in order to verify legitimacy.
Remember:
- Never give your ePassword to anyone.
- Never click on links in emails unless you verify that the sender is who he or she claims to be and acknowledges sending the email.
For additional general information about phishing and how to protect yourself, please contact VUIT Security Operations at vuit.security.operations@vanderbilt.edu.