Last week, many UoM students were emailed a suspicious link asking them to log in with their details. This phishing attack fooled many students, and left many others asking: what are these attacks? How do you spot them? What should you do if you’ve been taken in?
What is phishing?
The National Cyber Security Centre defines phishing as “when criminals attempt to trick people into doing ‘the wrong thing’, such as clicking a link to a dodgy website”.
The attack can be sent via email, text or social media. In the case of last week’s attack, students received an email asking them to log into their university account using a link embedded in the email.
Most of these attacks aim to collect sensitive information about the target. In last week’s attack, it was student login details, but some may want to collect financial information, or send a virus as an email attachment.
Phishing attacks are one of the most common types of cyber attack. In 2020, a survey by the Department for Digital, Culture, Media & Sport showed that phishing accounts for more than 80% of cybersecurity attacks.
How can you protect yourself?
There are various ways to effectively identify attacks. You should:
Read the link
If the link doesn’t start with HTTPS, it is probably an unsafe website. Some modern browsers will warn you when you try to enter these sites. However, this doesn’t mean every HTTPS website is safe to click on. The attacker who targeted the university used an HTTPS link.
Check the website’s appearance
This is one of the most obvious ways to detect if a website is fake. If it doesn’t look like the original website, it is probably a phishing site. Be aware that a website looking the same as the original does not mean it is fine to share your details. More sophisticated attackers will try to make their website look as legitimate as possible.
Question what they’ve asked you to do
Companies don’t usually ask you to log in because of a security breach, or ask for personal details via email. However, this is one of the scams people most commonly fall for.
Attackers usually disguise themselves as your personal bank, and ask you to change your password or verify a transaction. Before you click on these links, be familiar with how the institution you are dealing with operates.
If you have concerns, it’s a very good idea to look up the institution’s guide, or call their helpline, before clicking on such links.
Keep personal information private
Be aware of the personal details you display in your social media accounts. It is very easy for attackers to target you using available public information.
What should you do if you’re attacked?
If you were one of the students who logged into the suspicious link last week, here is what you need to do:
- Make sure that you change your university password following this guide. If you have the same password or a similar one somewhere else, you should change that as well.
- Contact the IT department immediately on +44 (0) 161 306 5544 and report the incident to [email protected] following these instructions.
If you’ve fallen victim to another scam, running your antivirus software and reporting any financial theft to Action Fraud is incredibly helpful.
Society has suffered a huge increase in cyber attacks in recent years, but that does not have to lead to an increase in victims. Awareness and education are the key to keeping us safe online.