Phishing is the process of attempting to acquire sensitive information from people by masquerading as a trustworthy entity in electronic communications. It is commonly carried out through emails and instant messaging. Users are often asked to enter information such as usernames, passwords, bank account and/or credit card numbers, and other private data.
Senders of these fraudulent emails often claim viable reasons for needing such information from users. One common scenario is claiming that they will deactivate or disable your user account if you do not send them your login credentials. No matter how trustworthy the requests may sound, reputable websites that require user logins should NEVER request such information from you, especially through email. Disclaimers can often be found on such websites confirming this.
Emails from UCLA
BOL and the UCLA School of Medicine both run email systems providing accounts for students and staff. Neither of them will send out email requesting login information from you. If you receive messages with such claims, the safest thing would be to delete them.
Emails with Website Links
Sometimes, such emails may come with links. The links often lead users to fake websites (modeled after real ones) that trick people into entering their information. If you receive such emails, do not click on the links. As a good practice, whenever you arrive at a web page asking you for login information, you should check the URL of the page and make sure it is legitimate before typing in anything. The news alerts at Bruin OnLine have a good example of a fake website here.
Emails with File Attachments
Some emails might come with attachments. If you are unsure of the sender or the contents of an attachment, do not open, save, or run it. It is possible for people to include malicious content in such file attachments that can infect and take over your machine. As a good practice, you should not open email attachments unless you are sure that they are from a legitimate sender and were not sent with ill intent.
How can you tell what is fake?
Despite attackers trying their best to fool users into thinking that they are legitimate, there are almost always imperfections. If you receive a suspicious message, there are several things that you can look for.
- Phishing email messages often have grammar and/or spelling mistakes. Incorrect capitalization or lack of punctuation might also be signs of phishing.
- The sender's email address might be something that looks similar to a legitimate sender's but, upon closer inspection, is actually quite different. For example, you might receive an email from firstname.lastname@example.org, which seems like it might have something to do with UCLA's email system but in fact is unrelated.
- Similarly, web links might have URLs that are similar to the real ones. One common tactic is to type out the name of a legitimate link but actually have it direct you to a wholly unrelated website. For example, I can tell you that I'm sending you to http://www.google.com, when in fact, I just sent you to Yahoo. To avoid this, you can often hover your cursor over a link to view its true destination address. If this doesn't work, you can also try right-clicking on it to copy the URL and pasting it in Notepad to look at it.
Biomathematics User Accounts
Those who work in or are affiliated with our department, Biomathematics, may have Gonda or Calypso user accounts. The IT office will never ask you to give us your password, especially not with threats of account deactivation. If you receive something like this, do not reply with your information without first checking with us.
Non-UCLA Email Accounts
Of course, phishing attacks are not merely limited to UCLA-affiliated email accounts. Any and all email accounts are vulnerable to these types of attacks. We encourage users to exercise utmost discretion in dealing with all of their email accounts.
More information regarding phishing attacks, including those targeted at UCLA students and staff, can be found in the following links:
Phish/Spam of the Day - daily examples of spam and phishing emails received by UCLA employees as provided by the campus IT Services group
Letter from the Office of Information Technology - a PDF letter from the Associate Vice Chancellor of the OIT
Alerts from Bruin OnLine - you can scroll through all the past news alerts from BOL regarding fake emails/messages
Article on UCLA website - more information about UCLA targeted emails
Wikipedia article on Phishing - learn more about general phishing attacks