Don’t take the bait!

We’ve all gotten them: the emails alerting us that our account has been locked or suspended, or a refund is waiting for us, or our billing information is available, or a package is scheduled for delivery or pictures are ready for viewing.

While we don’t remember anything that would lock or suspend our account — and we sure don’t remember ordering anything recently — we also know we sometimes forget things. And the email looks official.

So it’s tempting to click: tempting to open that email message, tempting to follow that link.

Don’t take the bait.

Phishing is a scheme designed to lure you into providing personal information. One hacker site describes it this way, “Phishing is a way to collect account info from various users. It is great for scamming and hacking others.”

Those “others” are you and me. The emails and web sites created by people behind the phishing often look real; they’re carefully designed to fool you.

Phishing season

Fall is prime phishing season, and educational institutions are popular phishing holes. The chart below shows the percentage of all emails that have been phishing schemes and how phishing efforts have increased over the past few months.

To alert the University to recent widespread phishing efforts, Computing Services and Systems Development (CSSD) has posted alerts on my.pitt.edu, on technology.pitt.edu and through text messages to users subscribed to CSSD Alerts.

How to recognize phishing

The University’s spam and virus filtering service blocks millions (yep — millions!) of spam messages per month, but some phishing attempts get through because they look legitimate.

How can you recognize a phishing attempt?

• Be particularly suspicious of unexpected email from three types of organizations: e-commerce (Paypal, Amazon, eBay, etc.); banks; information technology (your personal ISP or someone masquerading as a “Pitt account admin”).

• Be skeptical when emails contain dire warnings or urgent requests such as “Your account will be suspended in 24 hours if you do not provide this information.”

• Be immediately on alert if the email message asks you for personal information: Social Security number, password, account numbers. Legitimate organizations will not ask you to transmit personal information of that sort by email. CSSD, for example, will never ask you for your password: not by email, not by phone.

• Be wary of anything that looks good but on closer inspection seems a little “off.” Fly fishermen spend years learning how to tie flies that look so much like native insects that trout are tempted to bite. Email phishers try the same trick: the email or web site will look real at first glance, but a closer look typically reveals spelling and punctuation errors.

• Also be wary of suspicious URLs in links: Hover your mouse over the hyperlink (see sample hover below) in the message and avoid clicking if the URL or web address revealed does not match the address in the message itself. Also avoid clicking if all of the hyperlinks in the message take you to the same address.

• Be cautious even if a site looks secure. Some phishers now can forge a secure web site, including the https:// that people are trained to look for.

How can you fight back?

While Pitt works hard to provide as much protection as possible against cyber security threats, the person who can do the most to reduce risk is you.

• Protect yourself by being reasonably suspicious of email you receive from an unknown source and of email from real organizations that would not conduct important or personal business via email message. Not sure? Call the technology help desk at 412/624-HELP [4357]. Someone will be there every single hour of every single day to help you determine whether the email is legit or phishy.

• Be proactive:

— Subscribe to CSSD Alerts through Pitt’s Notify U service, which allows you to get short alerts by email or text. Go to your Profile page on my.pitt.edu and follow the link to Pitt Text Message Updates.

— Log into your online accounts regularly so you are familiar with those web addresses and can watch out for any odd activity.

— Make sure your computer’s software is up to date and that security patches are applied regularly.

— Windows users:  Make sure you’ve installed the Pitt Software Update Service, available through the Secure Your Data resource in my.pitt.edu. This service helps protect your Windows computer by automatically downloading and installing the latest security updates for Microsoft Windows, Microsoft Office and Microsoft servers. Updates are retrieved locally from the University’s network, so critical security updates are installed on your computer quickly and reliably.

— Mac users: Enable your automatic software updates through Systems Preferences.

— Install Symantec’s Endpoint Protection software on your computer to detect any malware that slips through to your machine. Symantec is free for all Pitt faculty and staff: Download it from the Software Download Service link on my.pitt.edu.

• If — and when — you do get a phishing message, delete it.

Brian Pasquini is a senior security analyst for Computing Services and Systems Development.