Phish Tank aims to educate users on phishing tactics
What is phishing?
Phishing is a scam designed to steal confidential information, compromise devices, or trick people out of money — typically via deceptive emails, text messages (smishing) and phone calls (vishing), posts on social networking sites, and malicious websites.
Phishers may ask for your name, account information, date of birth, Social Security number, address, or other personal information.
The University of Utah and University of Utah Health will never ask you for your username or password. If you receive an email, call, or text message requesting this information, do not respond. Report it using the Phish Alert Button or by forwarding it as an attachment to email@example.com.
Do not use your university email address to sign up for marketing emails and other personal communications. If those businesses or organizations are breached, an attacker may be able to steal your U email address and send you phishing schemes, potentially giving the attacker an entry point to other university data and devices.
As part of increased and ongoing efforts to combat phishing at the University of Utah and University of Utah Health, the U’s Information Security Office (ISO) recently launched the Phish Tank, an awareness and educational website with information on phishing tactics and known schemes.
Other efforts from the past year include the ongoing implementation of two-factor authentication for student, alumni, and affiliate uNID accounts, and a partnership with KnowBe4 on phishing and cybersecurity awareness efforts. On August 8, 2022, the ISO will launch the Phish Alert Button, which will enable users to more easily report suspicious emails.
The Phish Tank features a list of key phishing indicators, examples of common phishing schemes, and other resources to help users identify scams, including video, tips, and quizzes.
Trevor Long, associate director for the ISO’s Governance, Risk, & Compliance team, said the goal of the Phish Tank is to raise awareness around phishing tactics to help decrease the number of people falling for the scams and potentially giving away confidential information.
“Phishing is not going away anytime soon. It’s getting worse. For example, attackers are now trying to figure out how to get around two-factor authentication,” he said. “Users must be vigilant.”
To aid users, the Phish Tank will soon include a list of recent phishing messages sent to university email accounts.
“It’s a great resource. People can see what’s going on right now — what criminals are after — so they can be on guard,” Long said.
Jesse Adams is the manager for the ISO’s Security Operations Center (SOC), which handles phishing reports and incidents. He said user behavior and human error are the biggest challenges around phishing, referencing a Deloitte report that indicates that “91% of all attacks begin with a phishing email to an unsuspecting victim.”
“When users fall for phishing, give up their credentials, and don’t report it to us, an attacker can gain a foothold in the U’s network and leverage it in all sorts of ways” that put the university and users at risk, he said.
Adams hopes the website — inspired by the University of Michigan’s Phish Tank — will help users better identify and guard against phishing emails. Users, he added, should always report suspicious emails.
“The SOC reviews every phishing message that people send us. Users can expect a timely response on whether the email is legitimate and instructions on how to proceed if it’s malicious,” he said.
Report a suspicious email
If you receive a phishing attempt through a university email account, report it using the Phish Alert Button or by forwarding it as an attachment to firstname.lastname@example.org. For more information on how to report phishing, please visit this IT Knowledge Base article.
If you’re not sure whether an email is a phishing attempt, report it anyway. The SOC will analyze the email, notify you whether it is malicious, and act as needed to protect users and the university.
Our monthly newsletter includes news from UIT and other campus/ University of Utah Health IT organizations, features about UIT employees, IT governance news, and various announcements and updates.