What is Phishing?
A ‘phish’ is an email or communication designed to look like a legitimate email that instead carries malicious code or a virus, or that redirects you to a website that automatically infects your system with spyware or malware. Here at UC Merced, we want to make sure we arm you with the latest information regarding phishing scams to help you stay safe online.
How to Protect Yourself From Phishing Emails
There are many different ways that you can spot a phish! Take a look at the anatomy of a phishing email below and learn how to keep yourself and the campus community safe from bad actors!
NEW: External Email Tagging
External email tagging is a new feature in Outlook that's rolled out campus-wide! When you receive an email that is coming from a domain that is not affiliated with UC Merced (@gmail.com, @bananas.com, etc.), a small tag will appear in the email letting you know that the email came from an external source.
Important: Just because an email came from an external source, does not mean that it is automatically bad. However, if an email comes from an external source and shows any signs of phishing (noted below), there is a good chance that it is a phish and should be reported.
Be Vigilant! Inspect the Display Name and Email Address!
Checking the from name and email address is a great way to spot a phish! Changing the from name is an extremely common tactic called "spoofing", so it is important that you take the time to look at the email address of the sender as well. Make sure that the email address and name combination makes sense, and also make sure to check for any spelling mistakes or additional/less characters in the email address.
Check Spelling! (Grammar is important too!)
Legitimate emails, especially those from large companies or businesses, rarely have spelling or grammatical errors. Brands and corporations simply wouldn't allow that! If you spot an email that has a multitude of spelling errors, or just sounds grammatically incorrect, double check the email address of the sender. When in doubt, as a friend or co-worker to take a look at the email too! Asking for help can help you avoid a lot of headache in the future!
Review the Greeting
Take some time to check how you are greeted in the email? Are you greeted by name, or are you greeted with an extremely generic salutation (i.e., "Dear User, Hi Valued Customer")? Legitimate businesses will often address you by name or by surname. Think about how you would write an email to a coworker, professor, or friend. You wouldn't write a generic salutation to them, so if you receive an email from someone that has a generic greeting, double-check the contents of the email. At UC Merced, emails will also often come with additional security information, such as a student id number, or a signature including the name of the department the email was sent from. Legitimate emails will usually also contain UC Merced branding.
Attachments Can be Dangerous Too!
Hackers can embed viruses or malware into attachments in an email! Upon downloading or opening them these malicious files can have the potential to steal your passwords, your private information, and even spy on you! To combat this, always verify an email is coming from a trusted source before clicking on any links or attachments. If you are ever in doubt about an emails legitimacy, double check with a friend or report the email. If you can, run any downloaded files through a virus checker, or preview the file in your web browser, without actually opening it. (Fun fact: If you try to open a file such as a pdf or image in your web browser, and it cannot be opened, there is a chance that the file is actually not what it seems as most modern browsers can handle opening basic file types).
Look, Don't Click
Hackers love to embed malicious links with fake text. A link that says "ucmerced.com" may actually link to a completely different website. To expose this fraud, stop and take time to hover your mouse over the link. Your browser will usually show you the full URL. If the URL matches the title or is linking to a trusted source than you can go ahead and click. NEVER click on a link from an unknown source, without verifying its destination first!
Beware of Urgency and Threats
Nobody should be threatening you in an email. In fact, it is against UC Merced's policies to do so. If you ever receive an email that is threatening you, immediately report it to a trusted adult or supervisor. Hackers know that sending an email that promotes fear is a way for them to get what they want. Similarly, if an email seems overly urgent, stop and take some time to review what the email is asking of you. Hackers know that if you feel pressured you are less likely to think things through and instead opt to just do whatever the email says without stopping to think. By stopping and reviewing the email carefully, you can avoid being phished. Remember, an extra few minutes is not going to be the end of the world, even if the email is from a legitimate source.
Signing Out, The Signature Line
The signature line is another great place to spot phishing attacks. Check to see if the signature of the email contains any contact information or at least a name. Most legitimate businesses will have a signature containing the name of the person as well as the company they work for. It will also contain contact information such as a phone number or a link to the company website. If there is no contact signature, make sure that the name of the person sending the email is spelled right. At UC Merced, most staff members will often include a signature with the UC Merced logo, as well as their department information, so look out for those when you receive an email.
Self-Phishing Campaign
In order to promote awareness and to assist in training our users in identifying spam, the UC Merced OIT Information Security has embarked on a self-phishing campaign. These emails are intended to look and sound exactly like the real thing, however instead of containing malicious code by links or attachments, they will lead you to a page called a “Teachable Moment” where you will have an opportunity to learn more about what phishing emails look like.
The object of this self-phishing exercise is to educate our users to NOT click on the spam link. Instead, we want users to get in the habit of forwarding suspected phish to Information Security using the link below.
Phishing Email Archive
UC Merced Information Security encourages faculty, staff, and students to exercise caution when opening emails that contain links or attachments. We want our campus community to report phishing scams and to contact us when they aren’t sure if an email is a phishing scam.
As part of our campus user education and awareness program for phishing scams, we have created an archive of known phishing attacks currently active on our campus. We hope this will help users to better identify and avoid these pesky and annoying emails! Browse the archive below to see examples of what to look out for.
Reporting Spam and Phishing
Beginning October 8, 2022, please report any suspicious messages to the Information Security Office by clicking on the "Report Message" feature at the top of your Outlook screen. Clicking Report Message and selecting "phishing" will 1) automatically alert Information Security about the suspected phish attempt and 2)move the message to your deleted items folder. Look for this feature in your Outlook client or in O365 to give this a try when you next see a suspicious message.
Alternately, spam and phishing complaints can be forwarded to infosecurity@ucmerced.edu for reporting and analysis.