Last fall, Howard University made headlines as the victim of a ransomware attack that forced the cancellation of online and in-person classes. The Washington, DC, institution is not the only university to be impacted by cybercriminals. With vast repositories of sensitive and personal data from students, faculty and staff, colleges and universities are a prime target for attack.
One of the most common attack vectors for ransomware is phishing, which has been around for decades. Phishing is a social engineering technique that uses email to entice or trick unsuspecting people into clicking on web links or attachments that appear to be legitimate but are instead designed to compromise the recipient’s machine or trick the recipient into revealing credentials or other sensitive information. Phishing presents adversaries with a low-risk method that offers a high potential for financial gain.
Phishing is challenging to fight with technology alone. Many email security solutions still allow up to 20% of phishing emails to be delivered. Also, anti-phishing technology usually won’t stop email from a compromised University email account because the messages are being sent from a legitimate source. As a result, stopping phishing threats requires vigilance by everyone. People must learn to recognize the signs of a phishing attempt and report these attempts to the proper security staff.
Here are five signs of a phishing attempt:
- An unexpected email that prompts you to change a password, send funds, open an attachment, or log into a website.
- An email whose body appears to be legitimate but was sent from the wrong domain (e.g., an email that says it is from your bank but was sent from a Gmail account).
- An email with misspelled words, bad grammar, or poor formatting.
- An email that contains suspicious file attachments.
- An email containing web links that, when you hover the cursor over them, point to fake or unknown web domains.
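As an added illustration that is not part of the ITS notice, the following Python heuristic checks a raw message for four of the five signs above (misspellings are left to the reader). The sample message, the organisation domain `university.example` and the keyword `University` are constructed assumptions, and a rule-based check like this is a teaching aid, not a substitute for the email security tooling and reporting process the notice describes.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample: a bogus "payroll" notice from a free-mail address whose visible link text differs from the real href.
SAMPLE_EMAIL = """\
From: "University Payroll Office" <payroll.notice@gmail.com>
Subject: URGENT: verify your password today
Content-Type: text/html; charset="utf-8"

<p>Your account will be locked. Please <a href="http://reset.example-bad.net/login">
log in at https://portal.university.example</a> to update your password.</p>
"""
URGENCY_WORDS = ("urgent", "password", "locked", "verify", "send funds", "immediately")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".iso", ".html")
ANCHOR = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT = re.compile(r"https?://[^\s<\"']+")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def phishing_signs(raw, org_domain, org_keyword):
    msg = message_from_string(raw)
    signs = []
    trusted = lambda host: host == org_domain or host.endswith("." + org_domain)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # Sign 2: display name claims the organisation, but the address is from another domain
    if org_keyword.lower() in name.lower() and not trusted(sender_domain):
        signs.append(f"sender domain mismatch: {sender_domain}")
    body_parts = []
    for part in msg.walk():
        filename = part.get_filename()
        # Sign 4: attachment with an executable or macro-capable extension
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            signs.append(f"risky attachment: {filename}")
        if part.get_content_type() in ("text/plain", "text/html"):
            body_parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    body = "\n".join(body_parts)
    # Sign 1: unexpected pressure to change a password, send funds or log in
    found = [w for w in URGENCY_WORDS if w in (msg.get("Subject", "") + body).lower()]
    if found:
        signs.append("urgency wording: " + ", ".join(found))
    # Sign 5: the visible link text names one host, the real href another (or an unknown one)
    for href, text in ANCHOR.findall(body):
        shown, target = URL_IN_TEXT.search(text), host_of(href)
        if shown and host_of(shown.group(0)) != target:
            signs.append(f"link mismatch: shows {host_of(shown.group(0))}, goes to {target}")
        elif not trusted(target):
            signs.append(f"link to unknown domain: {target}")
    return signs
```

Running `phishing_signs(SAMPLE_EMAIL, "university.example", "University")` reports the sender-domain mismatch, the urgency wording and the hover-link mismatch; a genuine notice from the organisation's own domain with links to its own portal returns an empty list.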
To help us all recognize phishing emails, ITS will continue to simulate phishing and assign training to those most susceptible. If you believe you’ve been targeted by phishing, see Reporting a Phishing Message (How-to).
— Chris Mielke, ITS