Phishing attacks, a form of electronic fraud, have been increasingly targeting higher education institutions over the past three years. The security firm RSA has noted that although universities and colleges used to be a low priority for phishers, they have now become "favored targets" [source].
Even when you're on alert for phishing attempts, these emails aren't always as easy to spot as you'd expect. A recent study from North Carolina State University discovered that "most people are overconfident in their ability to spot phishing attacks" [source]. That means that every email, even one that seems legitimate at first glance, should be examined carefully for anything suspicious.
The consequences of not spotting a phishing email can be serious. Phishing attacks are often designed to fool people into divulging things like Odin usernames, passwords, and credit card details. And once they've gained access to your computer or email account, the attackers could use your own email to send out phishing attacks to your contacts, in an attempt to fool more people into trusting the source of the email.
How to Catch a Phish
The good news is that the PSU community can fight back against phishing attacks with vigilance and a keen eye:
- Be suspicious of any requests for your Odin password: PSU Office of Information Technology employees will never ask you for your password. You should be suspicious of any email that asks you to provide login information.
- Look for strange URLs: If the email contains links to other pages that ask for information, hover your mouse over the link and check the bottom of your browser window to see where the link will take you. Secure PSU login pages will have URLs that begin with "https://" (e.g., "https://oam.pdx.edu" or "https://sso.pdx.edu"). If the URL looks strange to you, do not click the link.
- Don't go to unsecured pages: If you've already opened the link in the email, examine your browser's address bar. Secure PSU pages will display either a green padlock or a green bar to the left of the URL that says "Portland State University".
- Don't download attachments from unknown senders: Before downloading/opening any attachments in an email, verify that you know the sender and that the email itself does not appear suspicious in any way. If you're unsure, check with the sender directly to make sure that the attachment is legitimate.
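The "Look for strange URLs" check above, written out as an added example (not PSU or OIT code) for anyone triaging a reported message: it compares each link's real destination, rather than its visible text, against the login hosts the article names. Treating those two hosts as a complete allowlist is an assumption, and the function names and sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Only the two login hosts the article names; using them as an allowlist is an assumption.
TRUSTED_LOGIN_HOSTS = {"oam.pdx.edu", "sso.pdx.edu"}

def check_login_url(url):
    """Return the reasons a URL should not be trusted as a PSU login page."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        reasons.append("userinfo before host")
    if host not in TRUSTED_LOGIN_HOSTS:  # exact match, so lookalike suffixes fail
        reasons.append("host %r is not a known login host" % host)
    return reasons

class LinkCollector(HTMLParser):  # gathers (href, visible text) pairs
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_email_html(body):
    """Map each link's real destination to the reasons it looks suspicious."""
    collector = LinkCollector()
    collector.feed(body)
    report = {}
    for href, text in collector.links:
        reasons = check_login_url(href)
        # Visible text that reads like a URL but names a different host than the href.
        if "://" in text and urlsplit(text).hostname != urlsplit(href).hostname:
            reasons.append("link text shows a different host")
        report[href] = reasons
    return report

# Constructed sample body, not a real message (example.com / example.net are reserved).
SAMPLE = ('<a href="https://sso.pdx.edu/">Sign in</a>'
          '<a href="https://sso.pdx.edu.example.com/">https://sso.pdx.edu/</a>'
          '<a href="https://sso.pdx.edu@example.net/">Verify account</a>')
```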
What Should I Do?
If you receive an email that you think might be a phishing attempt, there are a few steps you should take:
- If you gave out your Odin login information (either on a fake login page or by responding to the email), be sure to change your Odin password immediately.
- Notify OIT by sending the email to firstname.lastname@example.org.
- Mark the email as phishing or spam in PSU Gmail. Reporting phishing emails will help keep you and other users safe and cut down on the number of attacks that get through PSU Gmail's anti-spam filters.
Visit www.pdx.edu/oit/security to read more about how you can spot a phishing email and see some real-life examples of recent phishing attempts at PSU. By working together and staying alert, we can keep PSU secure and shut out phishers.
Photo attribution: [infocux Technologies]