Phishing attacks have been on the rise on campus. To avoid becoming a victim of a phishing attack and inadvertently sharing your password (or money) with a cyber-criminal, it's important to learn how to recognize a phishing scam. In this article we will review how to identify phishing scams, how to avoid "multi-factor fatigue," and what to do if you believe you are the victim of a phishing attack.
How to identify phishing scams
Microsoft defines "Phishing" as: "an attack that attempts to steal your money, or your identity, by getting you to reveal personal information -- such as credit card numbers, bank information, or passwords -- on websites that pretend to be legitimate." Check out Microsoft's Protect yourself from phishing article for more information.
Phishing messages are pretty easy to spot once you know what to look for. These warning signs should raise suspicion:
- Bad spelling, bad grammar, all CAPS: Phishing emails are often riddled with misspelled words, poor grammar, and text in all CAPS.
- Urgent requests or threats: Phishing emails often make threats if an action isn't taken immediately (e.g. "This needs your immediate attention to avoid the termination of your EDU account").
- Suspicious links or attachments: Avoid clicking on links or downloading attachments unless you are certain of their authenticity. Before clicking a link, examine the actual URL by hovering over the link with your mouse. If viewing the email on an Android phone, long-press the link to get a properties page that will reveal the true destination of the link. On iPhones, do what Apple calls a "Light, long-press".
- Promises of money: Be suspicious of any email that promises money or offers a job that sounds too good to be true.
- Emails from people you don't know: Just because an email comes from a Buffalo State email address doesn't mean the message is legitimate. Most of the recent phishing attacks on campus were sent from a student who had their account compromised.
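The "hover over the link" check above can also be done programmatically: compare the domain a link visibly shows with the host its href really points to. The example below is added here and is not part of the original article; the HTML email body, the domain names and the function name are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: one link shows a trusted campus domain as its
# visible text but points somewhere else; the Help Desk link is honest.
SAMPLE_EMAIL_HTML = """
<p>URGENT EDU NOTICE! Verify your account now:</p>
<a href="https://login.example-phish.test/verify">https://www.buffalostate.edu/login</a>
<p>Help Desk: <a href="https://www.buffalostate.edu/help">www.buffalostate.edu/help</a></p>
"""

# Pulls a domain name out of visible link text such as "www.buffalostate.edu/login".
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html):
    """Return (visible text, real host) for every link whose displayed domain
    differs from the host the href actually leads to."""
    parser = _AnchorCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        real_host = (urlparse(href).hostname or "").lower()
        match = DOMAIN_RE.search(text)
        if not match:
            continue  # plain words like "click here" make no domain claim
        if match.group(1).lower() != real_host:
            suspicious.append((text, real_host))
    return suspicious
```

Running `find_deceptive_links(SAMPLE_EMAIL_HTML)` flags only the first link, whose visible text claims buffalostate.edu while the real destination is another host.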
The examples below show two different types of phishing scams some Buffalo State users received recently. If you receive a suspicious email but aren't sure whether it's authentic, forward it to the IT Help Desk at ithelpdesk@buffalostate.edu for examination before responding.
Example 1: Phishing scam promising $1000 weekly pay
This is an example of a recent phishing scam promising "$1000 Weekly Pay" to unsuspecting applicants. Notice the urgency of the request ("QUICK EDU ALERT!") and the use of all caps.
Example 2: Phishing scam designed to steal your password
This is another recent phishing scam. The goal of this phish is to steal the unsuspecting recipient's password by getting them to follow the link and submit their information on a form. Notice the urgency of the request ("URGENT EDU NOTICE!") and the threat being made ("AVOID THE TERMINATION OF YOUR EDU ACCOUNT!").
Avoid "Multi-Factor Fatigue"
While having to do the two-step verification every time you sign in can get annoying, remember that Multi-Factor Authentication (MFA) is there to protect you from bad actors who are trying to steal your information (e.g. passwords). This is why you must be careful not to get into the habit of blindly approving every multi-factor prompt that you receive. If you receive a text, call, or other authentication alert 'out of the blue' for a sign-in that you didn't initiate, DON'T "approve" the request! This is likely a bad actor trying to gain access to your account, and blindly approving the MFA request will 'let them in.'
Signs you may have been hacked
You may have inadvertently fallen for a phishing attack if any of these things start happening:
- Your sign-ins stop working: If you suddenly can't sign in to things like email or Brightspace, this is a sign that your account was hacked. Either the hacker changed your password or the IT department temporarily suspended your account (to prevent further access by the bad actor).
- Strange bounce back messages: If a hacker gains access to your account, they may start blasting spam out from your email address. If they do, you'll likely start getting some bounce back messages for emails that you didn't send (e.g. "undeliverable" messages).
- You can't send email: Buffalo State email is hosted by Microsoft, and Microsoft may block outgoing email if it detects a spam blast coming from your account.
What to do if you got hacked
If you believe you are the victim of a phishing attack, here's what to do:
- Change your password immediately! Faculty, staff and students who have Multi-Factor Authentication set up for their network sign-ins can change their password using the self-service reset tool. Students can also reset their network password from Banner.
- Call the IT Help Desk: If you have trouble changing your password, the IT department likely disabled your account temporarily to prevent the hacker from continuing to access the account. To have your account re-enabled, you will need to contact the IT Help Desk at 716-878-4357.
- Review your multi-factor verification settings: If a cyber-criminal gains access to your account, they could potentially change your multi-factor authentication options (e.g. adding a phone number that they have access to). After changing your password, you'll also want to sign in to the My Security Info page to review your verification options.
- Report the phishing scam to the IT Help Desk: If you still have the phishing email that led to your account getting compromised, you can forward it to the IT Help Desk at ithelpdesk@buffalostate.edu.