Phishing is a method widely used by cybercriminals to reach USNH students, staff, and faculty. These cybercriminals are often attempting to gain access to private information which they then sell, resulting in identity theft and other cybercrime. As a member of the USNH community, you are a target of phishing and other cybercrime. Read on for further information.
What is Phishing?
Phishing is a form of cybercrime that uses email and other communication mechanisms to trick people into divulging personally identifiable information (PII). PII is data that, either on its own or when combined with other data, can be used to identify a specific individual. Social security numbers, bank account numbers, credit card numbers, medical records, educational records, mailing addresses, biometric records, and username/password combinations are all examples of PII.
- 85% of breaches involved a human element. (1)
- Almost half of the confirmed breaches in the education sector involved social engineering tactics. (1)
- Phishing/Pretexting is the most prevalent social engineering tactic used against educational institutions. (1)
- 85+% of phishing attacks are used to steal credentials. (1)
1. Verizon Data Breach Investigation Report 2021
How Does Phishing Work?
Cybercriminals pose as legitimate businesses or organizations and send deceitful messages to trick their victims into:
- Providing their credentials (username and password) or other personally identifiable or private information
- Launching malicious files on their computers
- Opening links to infected websites
- Opening attachments that plant malware on the user's device; the malware then steals credentials and other PII directly by capturing the data as the user enters it
While the majority of phishing messages are delivered via email, they can also come from other sources, including:
- Phone calls/Voicemails
- Fraudulent software (e.g., fake antivirus)
- Social Media messages (e.g., Facebook, Twitter)
- Text messages
Why USNH is a Target for Phishing
USNH, UNH, KSC, GSC, and PSU store and manage hundreds of thousands of records containing PII, which means we are a target-rich environment. The market for stolen PII is enormous, and a single piece of stolen PII can sell for anywhere from a couple of dollars to a couple of thousand dollars, depending on the type of information. This makes USNH a lucrative target for phishers.
How Does Phishing Endanger USNH?
Phishing is one of the top cybersecurity threats the University System faces because it is often the primary attack vector used to obtain the information needed to launch other types of attacks. Simply opening an email, replying to an email, voicemail, or text, opening an attachment, or clicking on a link in a phishing message poses a serious security risk to you and the University System as a whole.
Some of the risks involved are:
- Identity Theft:
  - Once you provide your personal information in response to a phishing attempt, this information can be used to access your financial accounts, make purchases, or secure loans in your name.
  - Additionally, stolen PII can be a reportable breach, which can pose a significant financial risk for USNH.
- Compromising Institutional Information:
  - If your account is compromised, cybercriminals may be able to access sensitive institutional information like research data.
  - Credentials obtained via phishing attacks can be used to get inside the USNH network, making it easier for cybercriminals to launch lateral attacks aimed at gaining access to secure resources.
- Loss of data:
  - Some phishing attacks will attempt to deploy crypto malware on your machine, also known as ransomware, which is malicious software that encrypts the files on a computer and denies owners access to their files until they pay a ransom.
  - Ransomware attacks can result in the loss of personal data as well as institutional and/or research data that is improperly stored on a single user device.
- Malware infection:
  - Some fraudulent emails include links or attachments that, once clicked, download malicious software to your computer.
  - Others may install keystroke loggers that record your computer activity, including entry of usernames and passwords, including those used to access your USNH accounts and any personal accounts (like your bank website) that are accessed via that device.
- Compromising Personal Information:
  - If your personal information is accessed, attackers will scan your accounts for personal information about your contacts and will in turn attempt to phish for their sensitive information.
  - Phishers may also send emails and social media messages from your accounts in an attempt to gain information from your family, friends, and colleagues.
USNH's Phishing Awareness Program
USNH's Phishing Awareness Program provides USNH community members with a realistic phishing experience in a safe and controlled environment. Periodically, USNH community members are sent simulated phishing emails that imitate real attacks. This type of awareness training provides the University community with the opportunity to become familiar with and more resilient to the kinds of tactics used in real phishing attacks.
There is no penalty for falling for one of the simulations. Those USNH community members who are susceptible to the simulated phishing attack will be notified immediately that it is a simulation and presented with educational material designed to decrease future susceptibility. Any reporting on susceptibility is done in aggregate; only the members of the Information Security Services team that administer the program have access to information on specifics of susceptibility.
As the program matures, community members as a whole should be able to better spot phishing attacks, both at home and in the workplace.
Contact USNH Cybersecurity for more information on this program.
How to Spot a Phishing Message
There are often clues hidden in a phishing message that you can use to determine whether a message you have received is a phishing message, including:
- The message creates a sense of urgency meant to inspire a quick user response, generally by indicating the user needs to take action immediately in order to:
  - Avoid a negative consequence like having email access shut off
  - Get a positive benefit like a financial incentive
  - See or learn something exciting or forbidden
- Most phishing messages include at least two of the following telltale phishing features:
  - Lists a sender that differs from the email address it is sent from
  - Claims to be from a legitimate company but comes from an email address that is not linked to that company (e.g., claims to be from DHL but comes from a Gmail account)
  - Has no branding of any kind (USNH or other company logo, email signature, etc.)
  - Includes references to USNH departments or services that do not exist
  - Uses unusual words, syntax, or phrasing; contains simple spelling and grammar mistakes
  - Includes direct links to login pages
  - Includes an attachment with a generic name
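The telltale features above can be checked mechanically before a person ever reads the message. The following Python script is an added example, not part of this USNH page or its Phishing Awareness Program: it parses a raw email with the standard library and reports which of five of the listed features are present (sender display name that differs from the real address, brand claimed from a free-mail domain, urgency language, a direct link to a login page, and a generically named attachment), applying the page's rule of thumb that two or more features make a message suspicious. The brand list, free-mail domain list, urgency phrases, and the three sample messages are constructed assumptions for illustration only.

```python
"""Score a raw email message against the telltale phishing features listed above.

Added example, not USNH code. The word lists and sample messages below are
constructed assumptions; a real deployment would tune them to its own environment.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed lists for illustration.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
CLAIMED_BRANDS = {"usnh", "unh", "dhl", "microsoft", "helpdesk"}
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended", "shut off", "act now")
GENERIC_ATTACHMENT = re.compile(r"^(document|invoice|scan|file|attachment)\d*\.\w+$", re.I)
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)
EMAIL_IN_TEXT = re.compile(r"[\w.+-]+@[\w.-]+")


def _body_text(msg) -> str:
    """Concatenate the decoded text of every text/* part (walk() also yields a non-multipart root)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the names of the telltale features present in the raw RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    found = []

    # 1. The display name shows one address while the message is really sent from another.
    name_addr = EMAIL_IN_TEXT.search(display_name)
    if name_addr and name_addr.group(0).lower() != address.lower():
        found.append("display-name address differs from sender address")

    # 2. A brand is claimed in the name or subject, but the sender is a free-mail account.
    claim_text = f"{display_name} {msg.get('Subject', '')}".lower()
    if sender_domain in FREEMAIL_DOMAINS and any(b in claim_text for b in CLAIMED_BRANDS):
        found.append("brand claimed from free-mail address")

    body = _body_text(msg)

    # 3. Urgency language meant to force a quick response.
    if any(p in body.lower() for p in URGENCY_PHRASES):
        found.append("urgency language")

    # 4. A direct link to a login page.
    for url in URL_RE.findall(body):
        path = urlparse(url).path.lower()
        if any(k in path for k in ("login", "signin", "sign-in", "auth")):
            found.append("direct link to login page")
            break

    # 5. An attachment with a generic file name.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and GENERIC_ATTACHMENT.match(filename):
            found.append("generic attachment name")
            break

    return found


def is_suspicious(raw_message: str) -> bool:
    """The page's rule of thumb: two or more telltale features."""
    return len(phishing_indicators(raw_message)) >= 2


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """From: "helpdesk@usnh.edu" <tech.support.notify@gmail.com>
To: student@usnh.edu
Subject: USNH account verification required
Content-Type: text/plain; charset="utf-8"

Your mailbox will be suspended within 24 hours unless you verify
your account immediately at https://usnh-portal.example.net/login
"""

SAMPLE_ATTACHMENT = """From: DHL Delivery <parcel.notice2024@yahoo.com>
To: staff@usnh.edu
Subject: DHL shipment on hold
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Your parcel is on hold. Open the attached form.

--XYZ
Content-Type: application/pdf; name="document.pdf"
Content-Disposition: attachment; filename="document.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--XYZ--
"""

SAMPLE_LEGIT = """From: UNH IT Service Desk <it.servicedesk@unh.edu>
To: student@unh.edu
Subject: Planned maintenance this weekend
Content-Type: text/plain; charset="utf-8"

The learning management system will be unavailable Saturday 2-4 a.m.
No action is needed. Questions? Call the Service Desk.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("attachment", SAMPLE_ATTACHMENT), ("legit", SAMPLE_LEGIT)):
        print(label, is_suspicious(raw), phishing_indicators(raw))
```

The checks deliberately look only at what a recipient can see in the message itself; a mail gateway would add authentication results (SPF, DKIM, DMARC) and URL reputation on top of these heuristics, and a message that scores zero here is not thereby proven legitimate.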
What to Do if You Receive a Phishing Message
- Check The Phishbowl to see if it is a known phishing email
  - Legitimate University communications that have been reported as phishing are also posted there for your reference
  - If you don't see it on The Phishbowl, don't assume it is legitimate! It may be an unknown phish that hasn't been reported yet.
- Use the 'Report Message' drop-down menu in Outlook to report an email as phishing to our Cybersecurity Team
  - If you are unsure about a message and you cannot confirm it is legitimate, forward it to email@example.com and then delete the message.
- If you click a phishing link or open an attachment, report it to your respective institution's IT Help Desk. Sometimes just clicking the link is enough to compromise your device, even if you don't enter your credentials.
Think Twice...Before Entering Your Credentials
- Always confirm a login page before entering your credentials
  - Some phishing messages provide links to a fake institution-branded login page that looks just like the real one
  - Others provide login pages with institution branding
- Keep your credentials safe by following these steps:
  - Contact your institution's Help Desk and request assistance in confirming the login page that should be used for a specific service or application
  - If it is a login page for another company, go to the company's website and log in from their official site
  - If you aren't sure, DO NOT enter your credentials!
IT HelpDesk Contact Information
- GSC - 1-888-372-4270
- Keene State - 603-358-2532
- Plymouth State - 603-535-2929
- UNH - 603-862-4242
The Phishbowl provides USNH users with a self-service way to determine if an email they have received is a known phishing attempt.
For questions about Phishing or to arrange in-person training for a department or group on campus, contact USNH Cybersecurity.