Spear phishing: Don’t take the bait

October is National Cybersecurity Awareness Month, and throughout the month Rice’s Office of Information Technology is sharing tips and information about how to stay safe and be a conscientious Internet user.

It seemed like an ordinary request: A Rice employee got an email from a colleague asking for university bank account numbers. Fortunately, rather than simply hit reply, the employee picked up the phone — and that’s when the jig was up.

The email was a convincing spear-phishing attack targeted at stealing financial information.

“What made the email look so convincing was that it appeared to come from someone the victim knew and someone from whom the request would seem normal,” said Marc Scarborough, chief information security officer for Rice’s Office of Information Technology. “The attacker in this case actually took the time to learn Rice’s reporting structure and crafted a targeted email message to a single person.”

The “From” address on an email is easily forged. It’s essentially the same as a return address on a postal envelope. People generally write an accurate return address, but anything can be written there. That’s true for emails as well. And it’s even harder to detect a forged “From” address on a mobile device since less information is shown on smaller screens.

“We should be aware that not all emails we receive are from whom they say they are,” Scarborough said. “If an email requesting information appears unusual, even if it appears to be coming from someone you know, take the time to investigate. Call the person who supposedly sent the message. Find out if they really did request the information before you send it, whether it’s banking information or any other type of private information — account information, student information or general information about your department’s operations.

“Not all phishing emails are the same. Some are more than the poorly worded emails asking for our passwords that we’re used to. Attackers are getting much better at learning about us to make their attacks more successful.”

If you’re at all suspicious about an email, it’s probably a scam. No one at Rice will ever ask you to verify your NetID account or ask for your password, ID number, credit card information or other personal details by email.

If you fall for a phishing message, immediately contact the Help Desk, helpdesk@rice.edu or 713-348-HELP (4357), to reset your password.


About Jennifer Evans

Jennifer Evans is a senior editor in Rice’s Office of Public Affairs.