Phishing
Phishing is a bogus or malicious email sent to steal personal information such as usernames, passwords and other sensitive data.
Sidebar
Phishing? Smishing? Learn to Recognize Scams!
Phishing is a bogus or malicious email sent to steal personal information such as usernames, passwords and other sensitive data. By impersonating an email from a trustworthy entity, the scammer pretends credibility or urgency to trick you into (unintentionally) giving up the personal information or providing your access to a system at UofL.
There are many different types of online and digital messaging scams – email phishing, text or SMS smishing, spear phishing, social engineering, whaling, malvertisements, vishing, fake Duo prompts, QR code attacks and more. We try to filter out most known email phishing attempts but can't catch all of the lures sent to your @louisville.edu email address. It is very important to learn how to report scams and how not to get hooked or bite onto the wrong clickable link.
Select the Email > Report > Report Phishing
This option is for when you believe it is a phishing attempt. This will send it to us for investigation and manual remediation.
If you see an email subject such as: "Issue with Payment" and the email is asking you to send money, call them, or submit your card information, it may be phishing.
Reporting junk, or spam as phishing sends these for manual review and overwhelms our system. Instead, we ask that you empty your junk folder often.
Select the Email > Report > Report Junk
This option is for marking an email and its sender as "junk." Emails are sent to junk so that they do not clutter up one's inbox and senders marked as junk do not give notifications when the email arrives. If you see an email with a subject similar to: "Check out these cool t-shirts!" This is most likely junk.
When it comes to spotting phishing emails, we believe practice makes perfect. Our phishing simulation campaign emails are designed to give our UofL community experience in identifying and reporting phishing messages. Phishing simulations are vital to enhancing cybersecurity awareness and strengthening our overall cyber defenses. We do this so when real phishes show up in your inbox, you already know exactly what to do.
While our cybersecurity tools block millions of these phishing messages each month, there will always be some that make it through and into your inbox. You are our best defense against these messages. Our simulation campaign creates a safe, educational environment for an email recipient to practice phishing email identification with no penalty if a link is clicked. If you accidentally click on our phishing email, you’ll see a page that reassures you it’s just practice and highlights the warning signs to watch out for next time.
In this type of email phish, the scammer pretends to be a credible source to trick the recipient into giving up personal information or providing your access to a system at UofL. The attacker will register a fake domain (sender’s email or web address) or format the email’s headers to look like the inquiry comes from a trusted source. There could be logos or trademarks that mimic a real organization. Often embedded buttons or QR codes hide the scammer’s harmful links or malware.
Look for fear-based actions, such as urgent payments or technology concerns, where you must click on a link or open an attachment. The email will imply bad consequences if you do not act. Ask yourself, would this supervisor (department head), establishment (bank) or institution (IRS) really contact me in this manner or ask me for this action?
Spear phishing are targeted emails to specific individuals. By gathering easily accessed, online information about you, such as name, job position, role at UofL or area of study, the attacker will use the data to their advantage in the email. The scammer will pretend to be someone who knows you or an entity with an unexpected need.
The goal of spear phishing is to steal sensitive information such as login credentials or infect your target device with malware. Hackers often send specialized targeted emails using a compromised email address or contact list to infiltrate their recipient’s system. Often the malicious content uses the scammer’s knowledge of your position to take an action that, ultimately, harms the institution or provides access to the university’s secure data.
Online social engineering targets you in the same manner that a con artist swindles a mark for money. Through the psychology of persuasion, the scammer gains your trust while you lower your guard and reveal personal info, divulge sensitive data or click on an attachment. A cybercriminal communicates with the victim (email, text) saying that they are from a trusted source – like your bank, UofL’s administration, etc. – and need you to take immediate or further action. Sometimes the email looks realistic with logos or appropriate signatures.
- Verify the sender! If it looks suspicious or you are not comfortable, don’t click or respond. Check on the authenticity of the message.
- Be wary of tempting offers or out-of-context urgent requests. Ask yourself if the sender would really contact you in this manner. Check the source.
- Communication via text or messaging apps to your smart phone or tablet that prompt you to open a link to a webpage or another app often hide malware that will infect your device.
- The smish might include a link to track a package or confirm a delivery, even though you did not order anything recently.
- Sometimes fraudulent calls are made by actual people; other times they are done via robocalls. The scammers may even spoof phone numbers of real companies or individuals to deceive you.
- The scammer informs that you won a contest or have unusual activity on your bank or credit card. They will then ask for personal information or to access your account to check or receive a deposit.
Did you get a UL2FCTR/Duo authentication request that you did not initiate? UofL’s Duo or second factor service will never email, call or text you asking for a passcode or PIN. We don’t send SMS or text notifications without you first signing into a system.
- If you’ve gotten a Duo request that you didn’t initiate, deny the request. You should only get a prompt when you are trying to access a UofL resource that has UL2FCTR required.
- If you’ve gotten an SMS or text with a passcode that you didn’t request, auto-report it to your mobile device provider (ATT, Verizon, etc.) and delete it.
- If you get a fraudulent phone call, don’t press any keys or verify your identity, hang up. Block the number on your device.
- Always check the location of the push request (does it match your location?) and remember, avoid sharing Duo passcodes with anyone!
REPORT UL2FCTR fraudulent activity to ITS.
Did you get a UL2FCTR/Duo verification prompt request that you did not initiate? UofL’s Duo or second factor service will never email, call or text you asking you to verify a separate prompt. We don’t push authentication notifications without you first signing into a system.
- Attackers will send or initiate a prompt to your Duo account with the intention of the legitimate user accepting it without paying attention to the listed location.
- Always check the location of the push request (does it match your location). If you’ve gotten a push request that you didn’t initiate, deny the request. You should only get a prompt when you are trying to access a UofL resource that has UL2FCTR required.
- If you get an unauthorized Duo prompt, it is possible that the scammer has tried to access a system with your personal email, userID and/or password. We HIGHLY suggest updating your UofL password via our Identity Management System immediately.
REPORT UL2FCTR fraudulent activity to ITS.
Scammers often use more than one method of attack – a phishing email with a nefarious link to a fake webpage that displays a dubious UofL sign in which initiates a Duo-looking message to accept a prompt. Yes, cybercriminals are devious and getting better every day.
With AI tools, simple browser extensions, webpages are easy to copy or recreate – so detecting the fraudulent ones is difficult. Scammers can steal a user’s UofL credentials and Duo login codes by redirecting recipients to a fake UofL login page. The phishing email and webpage steal UofL branding and use forged UofL email addresses to appear more realistic. This is also frequently done with Microsoft Outlook imagery, PayPal or other popular banking visual identifiers – the phishing attack states an urgent need to fix your account.
Nag, nag, nag to get you to say yes. Scammers will send requests over-and-over to annoy you into accepting one to make it stop.
- For emails, use the Report feature within Outlook.
- For text messages, the only answer is to report the number to your provider and block the sender each time. It is critical that you do not click to accept on any suspicious links or requests.
- For UL2FCTR / Duo prompts that you did not initiate, do not accept the prompt. Report Duo fraudulent activity to ITS.
Two-factor fatigue and email/text bombing are tactics where attackers flood a user with repeated requests to exploit the user's decreasing alertness due to exhaustion. Take time to think about what you are being asked to do and why before you act. Think twice before clicking within text messages or providing sensitive information on unsolicited inquiries.
QR (Quick Response) code phishing, or quishing, is both social engineering and a multiple phishing attack in one that scams an individual into scanning a fake QR code in order to either redirect you to a bogus website or install malware on your device.
QR codes show up in emails but are often found publicly as printed for the ease of use in a situation. Be on the lookout for any of the following:
- Any unsolicited QR codes. Phishing emails and social media often feature these codes for scanning. Make sure that the code comes from a trusted source.
- The QR scan/redirect takes you to a spoofed site where the URL differs from the original or provided website address.
- Requests to enter sensitive information like login credentials or personal data. The site will steal information that you enter.
- Check Sender: Is the sender’s email and name a valid entity?
- Check Link: Hover over any embedded link. Is the URL really legit?
- Check Attachments: Never open any attachments until you confirm sender.
- Check Message: Does it have any of the following?
Urgency: The scammer needs you to do something right away! These scams are brief and to the point… Send me your phone number.
Bad Grammar: Pleese advise to reply me with your private phone number and occupation. Kindly engage me about your needed financal aid status.
If you believe you have been phished or you inadvertently exposed your UofL ID and or password, please reset your password.
Verify, Verify, Verify
If you are not sure of a link, URL, attachment or sender, please DO NOT CLICK IT OR REPLY! Report it to ITS for verification. If you believe you have been phished or you inadvertently exposed your UofL ID and or password, please reset your password.