Phishing 101: What it is and how to avoid it

(SACRAMENTO)

Phishing is a type of electronically delivered social engineering attack in which a perpetrator, often posing as a legitimate entity, attempts to obtain sensitive information, gift cards, or money from an unsuspecting individual or to infect their device with malware.

The phishing “call to action” is carefully designed to raise the targeted person's sense of urgency so that the attack is more likely to succeed. Phishing emails or messages may demand a quick response, or appear to come from someone you know well, and the attacker leverages your sense of obligation to help to trick you into responding.

Motivations for these attacks vary widely.

Most often, attackers are after valuable user data such as personally identifiable information or login credentials that can be used to commit fraud or access finances. Attackers may also be trying to steal research, financial data, or health records from an institution.

Phishing can be used for social or political gain, as well as part of a hacktivist campaign, designed to cause disruption or spread disinformation.

Phishing history

Whatever the reason for the attack, phishing is not something new. In fact, phishing is almost as old as the Internet itself. The attacks, however, have grown more sophisticated in recent years. It’s not just about email anymore: multistage, multivector attacks that defeat conventional multifactor authentication (MFA), for example by relaying the victim's one-time code through an attacker-controlled look-alike site in real time, have become the norm, and artificial intelligence (AI) chatbots are being used to craft increasingly error-free messages that are more effective at duping recipients into doing what the attacker wants.

Additionally, phishing attacks can arrive through a variety of channels, including compromised websites, social media, fake ads, and text messages. While email is the most common delivery channel, others include QR codes, workspace collaboration tools, and photo or audio attachments.

The phishing attack process

The typical phishing attack involves getting a victim to click on a malicious link that installs malware on their device, or that takes them to a clone of a trusted website where they are prompted to enter their login credentials.

Phishing attacks typically follow this process:

  • Research potential victims on social media to discover vulnerabilities
  • Craft an attack plan based on the information gathered
  • Send fraudulent emails, social media messages, or text messages tailored to those vulnerabilities
  • Steal credentials and personal information via the fake portals the victims were directed to
  • Access the victims’ financial assets with the harvested credentials, then sell, siphon, or ransom the stolen data or assets

The consequences of falling prey to a phishing attack can be dire. A recent report found that phishing was the second-most common cause of data breaches as well as the costliest, leading to $4.94 million in average data breach costs for organizations.

How to avoid phishing attacks

While there’s no sure-fire way to avoid phishing attacks, there are some precautions you can take to help protect yourself from these attacks. Here are four ways to protect your personal devices, as provided by the Federal Trade Commission:

  • Protect your computer by using security software. Set software to update automatically so it will deal with any new security threats.
  • Set your cellphone software to update automatically. These updates could give you critical protection against security threats.
  • Use multifactor authentication. Some accounts offer extra security by requiring two or more credentials to log in to your account. Extra credentials could include:
    • Password, PIN, or the answer to a security question
    • One-time verification passcode you get by text, email, or from an authenticator app, or security key
    • Scan of your fingerprint, retina, or face
  • Back up your data to an external hard drive or in the cloud for both your computer and phone.

For work devices, the following will help you avoid phishing attacks:

  • Be Secure: Ensure that your devices comply with UC’s Minimum-Security Requirements for Everyone and All Devices.
  • Be Vigilant: Confirm that each email/text you receive is from someone you know and that the sender’s actual address (not just the display name, which the sender can set to anything) is exactly right, that there is no immediate “call to action”, and that the message does not depend on you clicking a link.
  • Be Careful: DON’T click on links in ANY email you receive.
  • Think Ahead: If the email contains a link you need to access information from, then
    • Use a supplied URL (valid emails will also provide the URL written out, not just a clickable link; the visible text of a link can differ from the address it actually opens)
    • Inspect the URL to see if it is a trusted, recognized website (google.com or cisco.com, for example). Check the actual domain, not just whether a familiar name appears somewhere in the address: google.com.example.net is not google.com, and a familiar name before an “@” sign is not the destination either.
    • If the URL checks out, type it or copy-and-paste it into your browser rather than clicking the link.
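The “Be Vigilant” sender check and the “Think Ahead” URL inspection above reduce to the same rule: extract the real host from the address or link, then compare its registrable domain (not the whole string) against a list of sites you trust. The following is an added example, not code from the original article or from UC Davis Health; the trusted-domain allowlist, the sample From: headers, the sample HTML and the URLs it tests are all constructed for illustration, and the two-label domain assumption in `registrable_domain` is a simplification noted in the code.

```python
"""Added example (not from the original article): reduce the "is this sender
or link really from a trusted site?" check to one rule, comparing the
registrable domain against an allowlist.  The allowlist, sample headers,
sample HTML and URLs below are constructed for illustration."""
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist of domains the reader trusts (example values only).
TRUSTED_DOMAINS = {"google.com", "cisco.com", "ucdavis.edu"}


def registrable_domain(host):
    """'accounts.google.com' -> 'google.com'.
    Assumption: trusted domains are two labels long.  A production check would
    consult the public suffix list so that e.g. 'example.co.uk' is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """Reject non-ASCII and punycode (xn--) labels, which are how look-alike
    domains such as a Cyrillic 'o' in 'google' reach the address bar, then
    compare the registrable domain rather than the whole string."""
    if not host or not host.isascii():
        return False
    if any(label.startswith("xn--") for label in host.split(".")):
        return False
    return registrable_domain(host) in trusted


def is_trusted_url(url, trusted=TRUSTED_DOMAINS):
    """True only for http(s) URLs whose real host is a trusted domain.
    urlsplit().hostname drops userinfo and the port, so the classic
    'https://google.com@evil.example/' trick resolves to evil.example."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, file: links are never "safe"
    return is_trusted_host(parts.hostname, trusted)


def sender_is_trusted(from_header, trusted=TRUSTED_DOMAINS):
    """Check the address part of a From: header; the display name is free
    text and is exactly the part an attacker controls."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    return is_trusted_host(addr.rsplit("@", 1)[1], trusted)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def untrusted_links(html, trusted=TRUSTED_DOMAINS):
    """Return (visible text, real destination) for every link whose href is
    not trusted.  The visible text may itself look like a safe URL, which is
    why a written-out URL you can read beats a clickable one."""
    parser = _LinkExtractor()
    parser.feed(html)
    return [(text, href) for href, text in parser.links
            if not is_trusted_url(href, trusted)]


# Constructed sample: the link text shows a Google address, the href does not.
SAMPLE_HTML = (
    '<p>Your mailbox is almost full. Sign in at '
    '<a href="https://accounts.google.com.verify-login.example/">'
    'https://accounts.google.com/</a> within 24 hours.</p>'
    '<p>Questions? <a href="https://www.cisco.com/">Cisco support</a></p>'
)

if __name__ == "__main__":
    for text, href in untrusted_links(SAMPLE_HTML):
        print(f"link text {text!r} actually goes to {href!r}")
    print(sender_is_trusted("IT Support <helpdesk@ucdavis.edu>"))
    print(sender_is_trusted("Payroll <payroll@ucdavis.edu.payments.example>"))
```

Run stand-alone, the script reports the one link in the constructed sample whose visible text says accounts.google.com but whose real destination is a look-alike host, accepts the ucdavis.edu sender, and rejects the one whose address merely contains “ucdavis.edu” as a subdomain. The same `is_trusted_host` rule rejects the “trusted-name@attacker-host” form, IP-address hosts, punycode and non-ASCII look-alikes, and non-http schemes.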

Phishing is a prominent issue that anyone can be a victim of. It’s critical for UC Davis Health staff to take the precautions listed above to help protect themselves and the organization from threats.

If you ever believe you’ve become the victim of a phishing attack on a UC Davis Health-owned device or a personal device connected to the UC Davis Health Network, power down the device and contact the Technology Operations Center right away at 916-734-4357.