Phishing Awareness and the New Year
January 7th, 2025

Dear Colleagues,

As we begin the new year, ITS would like to take this time to remind everyone that phishing and spam emails and text messages continue not only to evolve but also to increase in number. As a result, it is imperative to remain vigilant when handling these forms of communication, both professionally and personally.

State of Phishing, 2024

According to the 2024 State of Phishing Report, the year saw an appreciable increase in phishing attacks, a significant impact on the education sector, and a few trends:

  1. Credential Phishing Surge: Attacks aimed at stealing login credentials rose by 703% in the latter half of the year.
  2. Overall Email Threat Increase: Email-based phishing threats grew by 202%, the primary vector of which was malicious links.
  3. Social Engineering: Social engineering attacks, including Business Email Compromise (BEC), increased by 141%.
  4. Targeting Students and Staff: Attackers often exploited the relative cybersecurity inexperience of students and staff by crafting messages related to academic or financial processes.
  5. Rising Use of AI: Attackers extensively used AI for crafting convincing messages, often impersonating trusted entities within institutions, like IT departments and administration offices, making them harder to discern.

How to Stay Safe

  1. Verify Senders: Double-check the sender’s email address and domain.
  2. Avoid Clicking Links: Hover over links to see where they lead before clicking.
  3. Do Not Share Personal Information: Legitimate companies should not ask for sensitive information via email.
  4. Report Suspicious Emails: Report phishing attempts to the impersonated organization or your email provider.

If you’re unsure about an email or text message, it’s better to err on the side of caution and just not respond to or click on anything within the message.

Phishing vs. Spam

It’s worth noting that not all unusual communications are nefarious, so it is beneficial to be able to recognize some key differences.

In general, the following holds true:

| Aspect | Phishing | Spam |
| --- | --- | --- |
| Intent | Steal sensitive information/money | Advertise or promote products/services, often irrelevant |
| Focus | Targets individuals or accounts | Sent to large groups, often random |
| Risk | High (identity theft, fraud) | Lower, but can still carry risks |
| Examples | Fake bank and invoice alerts, password reset and invoice requests | Promotional emails, messages including opportunities with exaggerated claims |

Although you should report phishing emails, you can simply delete spam. Better yet, if you are so inclined, you should consider reporting spam to your provider as most email clients and phones now provide that option.

Fallen Victim to Internet Fraud?

If you have fallen victim to internet fraud in California, you should contact one of the following agencies:

Furthermore, the FBI encourages all victims of Internet fraud to contact The Internet Crime Complaint Center (IC3).

Protect Your Password

ITS would be remiss if it didn’t remind everyone that AP 3720: Computer and Network Use specifically prohibits the sharing of passwords with anyone — including your manager, those who report to you, your colleagues, and even ITS.

Further Information

For an in-depth look at how to avoid phishing scams, please see the following advice from the Federal Trade Commission at https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams

Lastly, if you have any questions regarding this or any other previous advisory, please feel free to email the Office of Information Security.