Phishing

Phishing is a form of social engineering that uses email or websites to pose as a trustworthy organization in order to access your data. Scammers or hackers will try and pose as an organization you trust in order to trick you into giving them sensitive data like a username, password, social security number or credit card information. The best defense in protecting sensitive information from phishing emails is Duo two-factor authentication.


How to Spot a Phishing Email

When you get an email that just doesn’t seem right, follow the tips below to avoid becoming a victim of a phishing attack.

First, notice the email address.

If you are receiving an email from The University of Alabama, the from email address should be from @ua.edu, not @yahoo or @gmail. Similarly, if you receive an email from a private company, the email address should reflect the company. For example, if you receive a tracking notification email from UPS, the email should be from @ups.com.

Hover before you click.

Phishing emails typically include a link or attachment. The scammers want you to click on the link to provide your sensitive data, or click on the attachment to download a malicious file. Beware! Do not immediately click on the link or attachment. First, hover over a link or attachment to see where it is taking you before you go. OIT has implemented Microsoft Safe Links to better block malicious links and attachments.

Watch for poor spelling and grammar.

This used to be a go-to tip; however, scammers utilize specialized translation tools to better fool users. Remember that official UA emails are always spell-checked, and should be error-free. Additionally, emails from UA will always be sent from an @ua.edu email address.

Beware of urgent or threatening language.

Do not trust emails that say “your account has been suspended” or “verify your information.” Scammers use language like this to get your attention.

If it’s too good to be true…

Students should be aware of false job offers and internships. Official employment communication will be sent through the UA Career Center and Handshake.

Call the message sender.

If you receive a message from a friend or coworker that seems to be out of character, pick up the phone and call that individual. Do not ask, “Is this really you?” over email. The phisher will be happy to reply, “Yes, of course.” When in doubt, call that person to verify that they sent the message.


What do I do if I receive a phishing email?

Microsoft Outlook has built-in tools to help combat phishing. If you receive a message in your inbox that you suspect to be phishing, in the toolbar click the drop down menu beside “Junk” and select “Phishing”. If you receive a message in your Junk folder that you suspect to be phishing, click “Report Phishing” in the toolbar. By doing this, you train your inbox to better recognize junk and phishing emails.


Simulated Phishing

OIT sends simulated phishing emails to UA students, faculty and staff. The simulated phishing emails imitate real phishing emails to better equip UA community members to recognize phishing attacks. These emails are designed to provide a realistic phishing experience in a safe and controlled environment.

If you receive an email that you suspect to be phishing, click the Report Phishing button in Outlook. Whether it is a simulated phishing email or a legitimate phishing email, this should be your first response! The Report Phishing button in Outlook trains your inbox to better recognize and block phishing emails and sends a copy to the OIT Security team for review.

Please know that there is no penalty for falling for one of the simulations. We ask the users who have fallen for the phishing email to review UA’s cybersecurity education material and they will be assigned optional, short, phishing training material.

We’re here to help, give us a call 205-348-5555. We’re happy to answer any and all questions about phishing attempts.

Lost the link to the optional Microsoft phishing training assigned when you click a link or provide credentials during a phishing simulation? They are available here: https://security.microsoft.com/trainingassignments