Prevent Phishing Attacks

The number of ransomware attacks grew by over 400% in 2020, and many of those attacks began with social engineering, ranging from simple to sophisticated. Social engineering is the use of deceptive communication to convince the victim to do something the attacker wants them to do. Social-engineering attacks commonly create a sense of urgency in a message that appears to come from a trusted contact. Ransomware has become a standard payload for attackers in the United States, and it has been profitable.

Common Phishing Attacks

  • Social engineering begins with research, whereby an attacker reaches out to a target to gain information and resources. When someone you don't know contacts you and asks you open-ended questions, this may be the first step of a social-engineering attack. After the attacker reaches out to you, they will attempt to establish trust with you and get you to provide the information or access they need. Often, the attacker does this by creating a sense of urgency. One common social-engineering scam is the gift-card scam. The attacker poses as an executive. The "executive" emails the victim, asks if the victim is in the office, and begins a brief email exchange. The "executive" then says they need gift cards for other employees but are unavailable to buy them, asks the victim to purchase several cards and keep one for themselves, and requests the card numbers by email. Worried about pleasing the executive, the victim goes through with the purchase, spending hundreds or thousands of dollars. How do you avoid becoming a victim of these attacks? Ask yourself whether the request makes sense. Check the sender's actual email address, not just the display name: your mail client shows whatever name the sender typed, so "Jane Provost" can sit in front of an address at a free webmail service or at a lookalike domain that differs from the real one by a single character. Does the address end in the domain you would expect, such as a richmond.edu account? Whenever you receive an "urgent" email, contact the sender through another channel, such as a phone call or text message, using a number you already have rather than one given in the email, and confirm that the message is legitimate. If something seems off to you, it probably is.
  • Phishing attacks are a type of social engineering delivered via email. Most commonly, a phishing email uses a sense of urgency to send the victim to a website designed to steal the victim's account credentials. Some phishing attacks are straightforward, for example, "Update your password now!!!!", and are easy to spot because they are poorly written (bad grammar and word choice). Others are sophisticated: they look like they come from a trusted contact, are well written, and lead to a site that closely resembles the real login page. The visible text of a link says nothing about where it goes; hovering over the link (or pressing and holding on a phone) shows the real destination, and an address that is not the organization's own domain is a warning sign. If you receive a communication that asks you for your account credentials or personal information (for example, your social security number, birth date, or credit card number), DO NOT click the email link. Instead, go directly to the expected website by typing its address or using a saved bookmark, and verify that the communication came from that organization. Always check with Information Services before following links that require you to enter your username and password. By following these simple precautions and working with Information Services, we can limit the success of phishing attacks.
  • Ransomware is scary. Such an attack could make it impossible for you to retrieve the documents on your computer. So, how do you protect yourself from ransomware? One of the best ways is to keep a good backup of your critical data. These backups should be stored offline, for example, on a removable hard drive or tape that is disconnected after the backup completes; ransomware encrypts any drive it can reach, so a backup disk that stays plugged in can be encrypted along with the original files. Keeping multiple backups in more than one location is best, and a backup is only useful if you have tested that you can restore from it. For your work files, be sure to follow guidelines from Information Services. Ransomware is often delivered via a fraudulent email with an attachment or link that, when opened, installs a program that encrypts your files and demands payment for the key. Never open an attachment that you are not expecting without verifying through another channel (for example, a phone call or text message) that the sender actually sent it. When you are unsure, follow guidance from Information Services on how to handle questionable emails. These common-sense practices can help you avoid the pain of a successful ransomware attack.
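The sender and link checks described in the first two bullets, written out as a small Python script. This is an added example and not code from the University or from the original page; the trusted-domain list, the lookalike rules, and every header, address and URL it examines are constructed for illustration. It shows the two things a quick glance at a message hides: the display name is separate from the real address, and a link's visible text is separate from the host it actually goes to.

```python
"""Check a From: header and the links in a message the way the bullets above advise.

Added example; all headers, addresses, hosts and URLs below are constructed
sample data, not messages actually received by the University.
"""
from email.utils import parseaddr
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Assumption: the organization's legitimate mail domain(s). Constructed list.
TRUSTED_DOMAINS = ("richmond.edu",)

# Character swaps attackers use to build lookalike domains (rn looks like m, 1 like l).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))


def sender_domain(from_header: str) -> Tuple[str, str]:
    """Split a From: header into (display name, real domain).

    parseaddr separates the name the mail client shows from the address
    after it; only the address is meaningful, and the attacker chose both.
    """
    name, addr = parseaddr(from_header)
    return name, addr.rpartition("@")[2].lower()


def is_trusted_domain(domain: str) -> bool:
    """True for a trusted domain or one of its subdomains.

    The trusted name must be the whole host or its suffix after a dot, so
    'richmond.edu.account-verify.example' is rejected even though it
    contains 'richmond.edu'.
    """
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None.

    Confusable sequences are normalized first, then a domain within two
    edits of a trusted domain (but not equal to it) is flagged.
    """
    normalized = domain
    for fake, real in CONFUSABLES:
        normalized = normalized.replace(fake, real)
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and 0 < edit_distance(normalized, trusted) <= 2:
            return trusted
    return None


def link_warning(link_text: str, href: str) -> Optional[str]:
    """Compare a link's visible text with where it really goes."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        return f"link uses non-web scheme {parts.scheme!r}"
    if parts.username:
        # https://richmond.edu@198.51.100.7/ shows a trusted name first, but
        # everything before '@' is a user name; the real host follows it.
        return f"link hides real host {host!r} behind user name {parts.username!r}"
    shown = urlsplit(link_text).hostname if "://" in link_text else link_text.strip()
    shown = (shown or "").lower()
    if "." in shown and " " not in shown and shown != host:
        return f"link text shows {shown!r} but goes to {host!r}"
    if not is_trusted_domain(host):
        return f"link goes to untrusted host {host!r}"
    return None


def assess_message(from_header: str, links: List[Tuple[str, str]]) -> List[str]:
    """Return every warning for one message: sender checks, then each (text, href) link."""
    warnings = []
    name, domain = sender_domain(from_header)
    if not is_trusted_domain(domain):
        warnings.append(f"sender shown as {name!r} is really at untrusted domain {domain!r}")
        imitated = lookalike_of(domain)
        if imitated:
            warnings.append(f"domain {domain!r} closely resembles trusted {imitated!r}")
    for text, href in links:
        warning = link_warning(text, href)
        if warning:
            warnings.append(warning)
    return warnings


if __name__ == "__main__":
    # Constructed sample messages: one legitimate, three in the styles the bullets describe.
    samples = [
        ("Jane Provost <jane.provost@richmond.edu>", [("https://richmond.edu/", "https://richmond.edu/")]),
        ("Jane Provost <jprovost.richmond@gmail.com>", []),                  # gift-card style: real name, webmail address
        ("IT Help Desk <helpdesk@rnichmond.edu>", []),                      # lookalike domain
        ("Account Services <no-reply@richmond.edu>",
         [("richmond.edu/login", "https://richmond.edu@198.51.100.7/login"),
          ("Reset password", "https://richmond.edu.account-verify.example/reset")]),
    ]
    for header, links in samples:
        print(header, "->", assess_message(header, links) or "no warnings")
```

The script only reads headers and link targets; it does not fetch anything, so it is safe to run against a suspicious message copied out of a mail client. The warnings are hints for a human, not a verdict: a message with no warnings can still be phishing sent from a compromised legitimate account, which is why the bullets say to confirm through a second channel.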

What can I do?

Disappoint an attacker: leave that urgent email alone. To learn more, see the Cybersecurity and Infrastructure Security Agency (CISA) Security Tip ST04-014, Avoiding Social Engineering and Phishing Attacks.

The FTC encourages everyone to file a complaint whenever they have been the victim of a scam, identity theft, or other unfair or deceptive business practice. Complaints can be submitted to the FTC at http://ftc.gov/complaint.

If you receive a phishing email in your University of Richmond email account, or you're not sure whether a message is legitimate, please forward it to spam@richmond.edu.