Eventually, a phishing email will show up in your inbox. It happens to everyone.
An email claims to be from your bank, the IRS, or the ECU IT Department or Help Desk. You may be asked to log in or provide your personal information. The message looks legitimate, but it’s really a trick to obtain your login credentials and steal confidential data, or fool you into downloading harmful attachments.
More than 90% of data breaches start with a phishing attack. Don’t take the bait! Typical phishing emails cast a wide net, reaching a large number of individuals without targeting a particular victim. You should also be aware of more elaborate phishing attacks such as spear phishing and ransomware.
Spear Phishing
Spear phishing is a targeted attack that appears to come from a trusted source and is often directed at a specific individual or department. Criminals may use social engineering tricks such as pretexting, which involves creating a false narrative to gain trust and influence behavior. They may use psychological manipulation and pressure tactics, such as impersonating a supervisor or high-level official while making time-sensitive demands. For example, a major data breach that impacted all employees at Tidewater Community College happened when an employee in the finance department responded to a data request from an attacker impersonating a college official.
Ransomware
Ransomware is a type of malware that infects systems and prevents access to critical files and data until you pay a ransom. An increasing number of phishing emails involve ransomware attacks. The City of Greenville, NC, was the victim of a cyber attack involving ransomware that brought down systems for an extended length of time, with the attackers demanding ransom while holding data hostage. Higher education institutions are prime targets for ransomware attacks. University College London was the victim of a ransomware attack that originated with phishing emails and encrypted network storage, leaving students and staff locked out of their files.
Prevent - Think Before You Click
React
If you receive a suspected phishing email, here's what to do:
- DELETE any email that asks for your personal information.
- Mouse over any links to check the URL. Don't click a link in an email without checking it first!
- In official ITCS email communications, the display name and the email address always match. Examples:
  - The ITCS Notification email address is always "ITCSNOTIFICATIONS@ECU.EDU".
  - Phishing emails mask the true address. Mouse over "IT HELPDESK," and the address is something like "joesmith@someotherdomain.com".
- If you do provide account information to a malicious site, CHANGE YOUR PASSPHRASE IMMEDIATELY at the Passphrase Maintenance website.
- Call Pirate Techs support at 252-328-9866 | 800-340-7081 about any possible phishing email or other scam message.
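The display-name check described in the list above can also be automated on the mail-filtering side. The following is an added example, not ECU or ITCS code; it assumes ecu.edu is the only official sender domain (taken from the addresses on this page), and the keyword pattern and sample headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumptions: ecu.edu is the only official sender domain (from the addresses
# on this page); the keyword pattern is illustrative, not ITCS policy.
TRUSTED_DOMAINS = {"ecu.edu"}
CLAIMS_IT = re.compile(r"\b(help\s?desk|itcs|ecu)\b", re.IGNORECASE)
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def domain_of(address):
    """Return the lowercased domain of an address, or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def is_trusted(domain):
    """True for a trusted domain or one of its subdomains, not a lookalike."""
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_from_header(header):
    """Return the reasons a From header looks spoofed (empty list = none)."""
    display, address = parseaddr(header)
    domain = domain_of(address)
    if not domain:
        return ["no parseable sender address"]
    if is_trusted(domain):
        return []
    reasons = []
    if CLAIMS_IT.search(display):
        reasons.append(f"display name claims IT/ECU but sender is @{domain}")
    for shown in EMBEDDED_ADDR.findall(display):
        if is_trusted(domain_of(shown)):  # trusted address used as a name
            reasons.append(f"name shows {shown}, real sender is {address}")
    return reasons


# Constructed sample headers for illustration.
SAMPLES = [
    "ITCS Notifications <ITCSNOTIFICATIONS@ECU.EDU>",
    "IT HELPDESK <joesmith@someotherdomain.com>",
    '"itcsnotifications@ecu.edu" <joesmith@someotherdomain.com>',
    "Joe Smith <joesmith@someotherdomain.com>",
    "IT HELPDESK <helpdesk@ecu.edu.someotherdomain.com>",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h, "->", check_from_header(h) or "ok")
```

This inspects only the visible From header, so it catches display-name tricks but says nothing about whether a message that shows an ecu.edu address was really sent by ECU.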
Report
Reporting a phishing or spam email helps ECU better protect all users. To report a suspected phishing email, please forward the message to phish@ecu.edu or submit a security concern to ITCS. To learn more about phishing, visit the Federal Trade Commission.