Email, Phishing and Messaging: Using Email Safely

We are InfoSec: Members of the Information Security team at KAUST IT

Our Mission: To enable you to be a Human Firewall by shielding yourself, your family and KAUST from today’s cyber attacks

You can power up your shield against the most common dangers of using email, including attacks known as phishing. Phishing is when a cyber attacker uses email or a messaging service (like those on social media sites) to trick or fool you into taking an action, such as clicking on a link, sending sensitive data, or opening an infected email attachment. By falling victim to such an attack, you risk having highly sensitive information stolen and/or your computer infected.

Attackers work hard to make their phishing emails convincing. For example, their email may look like it came from someone or something you know, such as a friend or a trusted company. They may add logos of your bank or forge the email address so the message appears more legitimate. The attackers then send these phishing emails to millions of people. Phishing is similar to using a net to catch fish; attackers do not know what they will catch, but the bigger the net, the more fish they will find.

Protect yourself and our organization by being alert to these signs of a phishing attack:

  • Messages directed to “Dear Customer” or some other generic greeting.
  • Messages requiring immediate action or creating a sense of urgency, such as threatening to close down your account.
  • Messages claiming to be from an official organization, but having grammar or spelling mistakes or using a personal email address, such as @gmail.com, @yahoo.com, or @hotmail.com.
  • Messages pressuring you to bypass our security procedures. These types of attacks often happen when a cyber attacker is pretending to be your supervisor or coworker.
  • Messages requesting highly sensitive information, such as your credit card number or password.
  • If you receive a message from someone you know, but the tone or message just does not sound like him or her, be suspicious. Call the sender on a trusted phone number to verify they sent it. It is easy for a cyber attacker to create an email that appears to be from a friend or coworker.
  • Before you click on a link, hover your mouse cursor over it. This will display the true destination of where it will take you. Confirm that the destination displayed matches the destination in the email and make sure it is going to the organization’s legitimate website. Even better, type the proper website address into your browser. For example, if you get an email from your bank asking you to update your bank account, type your bank’s website address into your browser, then log in to the website directly.
  • On a mobile device? No problem. Simply hold your finger down on the link and you should see the true destination in a pop-up window.
  • Only open attachments you were expecting. Infected email attachments have become a very common attack method. In addition, many of the infected attachments cyber attackers use today cannot be detected or blocked by anti-virus.

In addition to phishing, you can be your own greatest risk. It is easy to accidentally email or message the wrong person. For example, with email features like autocomplete, you may try to email someone in finance, but accidentally end up emailing an old friend. Always check that you are emailing the correct person before sending your email, especially when sending something sensitive. Once you send an email, that email is no longer under your control. It could be forwarded to others whom you never intended to have read it.

Attackers have developed an even more dangerous email attack than phishing, called spear phishing. Instead of sending out millions of emails to random people, this attack targets only a few people within our organization. These targeted attacks are more dangerous because of the extensive research the attackers do. They begin by analyzing who works in our organization, then target specific employees (such as you) and collect information through sites such as LinkedIn or Facebook. Once they have learned everything they need, they create a highly customized phishing email designed to fool you into clicking on an infected attachment or malicious link.

Spear phishing attacks are much harder work for cyber attackers, but are much more effective than generic phishing emails and are also much harder for us to detect.

It is your job to use email safely and be on the lookout for phishing attacks. If you receive a phishing attack, or if you are not sure if an email or message is a phishing attack, report it or contact us at phishreporter@kaust.edu.sa.

KAUST Information Technology

We make IT happen!

 
