Cybersecurity Awareness Month Week 4 – Recognize and Report Phishing

No Cybersecurity Awareness Month would be complete without a discussion of phishing emails. Everyone needs to know how to spot these attacks and what to do with them once you suspect an email of being “phishy”. The task of spotting these emails has been made more difficult with the advent of generative artificial intelligence (gen AI). We’ll discuss the enduring hallmarks of a phishing email and take a look at some of the more popular phishing emails received here at Berry.

I hope everyone is progressing through the Virtual Scavenger Hunt. If you haven’t started, just click the “Start Hunting” button in the banner at the top of this page. You can work through all four weeks of the hunt immediately, but you should get started, as the final prize drawings will be held at 5:00PM on November 1st and after that, all you can get out of the hunt is fun and education, not a Sony Bluetooth speaker or a premium fidget spinner. Get going!

Graphus.ai has a fascinating deep dive into the history of phishing, from its theoretical origins, to the first widely acknowledged phishing email, to how it has evolved over the years. If you are at all interested in technology history, take a look at this article. The aim of phishing emails has always been sinister. The acknowledged “first” one ever sent out spread a virus. When the best way to “surf the Internet” was on AOL (America Online), users were targeted with phishing emails asking them to verify account and payment information so attackers could steal and use that information, along with the victim’s contacts, to attack other users and create AOL accounts with fraudulent or stolen credit cards. There’s never really been a “good” use for phishing emails.

The question becomes “how can I spot them?” and the follow-up question is “what do I do with them?” This website has a Quick Info page about spotting phishing emails and most of the red flags mentioned on that page are still true. The first two red flags are less useful these days, as gen AI can create phishing emails that have flawless grammar and spelling. Don’t depend on these red flags. The most useful red flag is the fourth one – the email claims to be urgent. Urgency is the number one tool that attackers will use to convince you the ridiculous email you are reading is real. Whether the phishing bait is a carrot or a stick, the attacker wants to create urgency. They will threaten everything from fines and fees to loss of access to accounts, and promise free money or pianos or limited opportunities, but there is ALWAYS a looming deadline.

You’re now suspicious of an email you received, based on the red flags on the Quick Info page, or some other reason. What do you do? If you are using Outlook on a desktop or laptop issued by the college, or on the web mail interface at https://mail.berry.edu, you can simply use the “Report Message” or “Report” button in the menu bar to let us know about the email. On mobile devices, the “Report Message” option is under the “three dots” menu. If you get your Berry email in some other fashion, you can report phishing emails by starting a new message to “phishreport@berry.edu”, attaching the offending email to it and sending it to us. If you simply forward the email, we can’t use it to help fend off or remove other phishing attempts.

What phishing emails are more common in our environment? Lately, we have seen many phishing emails offering free pianos or free welding equipment. Others are sneakier and try to impersonate a staff or faculty member to get you to purchase gift cards for a “surprise” event. The most insidious emails are ones that purport to share a document with you having an important-sounding name like “budget report” or “employee compensation”. These come from reputable file sharing/cloud storage providers, but are still very “phishy”. In any case, if you suspect an email is phishing, go ahead and report it. If it turns out to be good, we can return it to you.

If you haven’t received an email inviting you to complete the semi-annual Cybersecurity Awareness Training, please check your Junk folder. As of the writing of this article, those invitations should be going out.

Thank you to everyone who is participating in the Virtual Scavenger Hunt. Again, if you haven’t started, you should do so now.

I hope these Cybersecurity Awareness Month articles have been useful to you.
