Fall brings a resurgence of email phishing attacks on campus

With the University of Oregon's fall term starting in the midst of the COVID-19 pandemic, the UO Information Security Office warns the campus community to be especially vigilant for phishing emails.

A phishing email attempts to trick the recipient into giving sensitive information such as usernames and passwords to cybercriminals, who then use that information to steal money, identities or intellectual property or to gain unauthorized access to UO systems and data.

UO students, faculty members and staff often receive phishing messages with links that claim to lead to official UO websites but actually take visitors to insidious imitation sites. When you enter your username and password on one of those fake sites, the attackers have successfully phished you.

According to Chief Information Security Officer Leo Howell, universities across the country typically to see a surge of such messages around the start of fall term — beginning in August, when the fall semester starts at many schools — and during breaks and at other times in the academic year when people's normal routines may be disrupted. A fall 2018 phishing attack was one such example.

Another example arrived in the inboxes of several hundred UO students and employees on Wednesday, Sept. 30. As described in an evening email message from Howell to students, staff and faculty members, that message mimicked the official "COVID-19 Update" messages that the university has been sending regularly to the campus community since mid-March.

"Unfortunately, this is another pattern we see in cyberattacks," Howell said. "Cybercriminals take advantage of crises, preying on our fears to try to get us to make a mistake."

Scams related to COVID-19 may entice recipients to donate to fraudulent charities, purchase medical tests or supplies that don't exist, click on malicious email attachments or simply divulge passwords.

Since 2019, Information Services has implemented several new cybersecurity measures that have reduced the likelihood of UO students and employees falling victim to phishing attacks. For example, a URL link protection service that the UO started using in August 2019 blocks access to many malicious websites even when someone clicks on a phishing link.

The UO Phish Tank website, launched in October 2019, provides a resource for distinguishing legitimate messages from malicious ones. It displays messages that have been reported to the Information Security Office.

"We're always looking for more ways to protect you and the university, but none of these systems is perfect," Howell said. "So you still need to be alert and cautious."

When phishing messages do get through, the Information Security Office may sometimes systematically remove those messages from UO email accounts to reduce the likelihood of harm to individuals and the university.

In addition, to protect phishing victims, the office will temporarily disable the account of anyone who has clicked a malicious link and potentially entered their credentials. To restore account access, users should contact the Information Services Technology Service Desk by phone at 541-346-HELP or by live chat.

Howell offers the following tips for staying safe from phishing messages:

  • Beware of attachments. Email is the most common vector for malicious software. Delete any message with an attachment, unless you are expecting it and are absolutely certain it is legitimate.
  • Confirm identities. Phishing messages can look official. Cybercriminals steal organization and company identities, including logos and URLs that are close to the links they're trying to imitate. There's nothing to stop them from impersonating schools, financial institutions, health authorities, retailers and a range of other service providers.
  • Check the sender's email address. Any correspondence from official UO sources will likely come from an organizational email address, such as @uoregon.edu. For example, a message from the UO Technology Service Desk will not come from YourIThelpdesk@yahoo.com.
  • Don't click links in suspicious messages. If you don't trust the email or text message, don't trust the links in it either.

"Not all suspicious messages are phishing, but we want people to stop and think before they click," said Howell. "We know this is a hectic time, but give yourself a moment to evaluate."

Anyone who has responded to suspicious email messages should contact phishing@uoregon.edu immediately.

People who have clicked through such an email and entered their Duck ID and password into a fake site should go to Duck ID Self-Service to change their password and revise security questions and answers. Anyone who has entered their UO ID number, which starts with 95, and corresponding password, or PAC, on a fake DuckWeb site should go to DuckWeb, change their PAC and verify that no important information has been changed.

Information Services offers more tips to help determine if a suspicious email is malicious in the UO Service Portal.

When in doubt about a message, people can contact the Technology Service Desk or their local IT support desk or forward suspicious emails to phishing@uoregon.edu.

—By Nancy Novitski, University Communications