Protect yourself against the latest cybersecurity threats
October is National Cybersecurity Awareness Month, a time to strengthen your digital defenses and learn how to protect yourself and your information from the latest cyber threats.
Cyberattacks are becoming increasingly sophisticated, with social engineers continuously refining their tactics to outsmart even the most technologically savvy individuals. The Information Security Office is dedicated to reducing cyber risks at the university and equipping the university community with tools and resources to recognize risks before it's too late.
At the University of Arizona, there are several strategies in place to ensure the security of information.
"We require regular information security awareness training, which includes how to best recognize phishing attempts as well as safe online practices that help users stay aware of identity threats," said Tim Schwab, chief information security officer.
The ISO works with other units in the application of security tools to thwart attackers. "By adopting a multilayered security approach, we can significantly reduce the risk of security incidents," he said.
The latest cyberthreats
Phishing: Phishing continues to be the primary way cybercriminals attempt to access valuable personal information. "Phishing is very common, and we can all fall for it, so it's important to pay attention to signs such as poor grammar, unexpected attachments, or urgent requests," Schwab said. Phishing is a multimillion-dollar industry, often led by tech-savvy members of organized crime who gain trust through digital media to steal an individual's information, identity and finances. You can track the latest phishing attempts on the Phishing Alerts webpage.
Artificial intelligence: The emergence of AI is making phishing more sophisticated and harder to detect as these emails contain fewer errors than before.
AI can assist scammers in composing phishing emails with fewer errors, said Teresa Banks, information security and compliance programs manager in University Information Technology Services.
"One red flag that we presented to our community in the past was that phishing emails often contain typos and grammatical errors," she said. "But now, in the age of AI, it is easier for attackers to generate an email with no errors."
"We really want to encourage our campus community to think before you click," Schwab said. "Be cautious and hover over links with your computer mouse to view the actual URL and ensure it is the website you want to visit before clicking."
Credential Harvesting: One type of phishing that has been used successfully is the credential-harvesting email. This tactic involves a false claim that the recipient needs to take an action, which usually means clicking or selecting a link, to ensure they continue to have access to important resources.
The recipient is often led to a form requesting their username and password. Once these are provided, the scammer has access to the credentials. If the credentials are a University NetID and password, the cybercriminal is able to log into a system, such as UAccess Employee, and send a NetID+ "push" notification for two-factor authentication. If the recipient approves, the cybercriminal gains access to personally identifiable information and other information that only the recipient is authorized to view.
Visit EDGE Learning to access a short course on detecting and reporting credential-harvesting emails.
Protect yourself against cyber threats
University Information Technology Services asks faculty, staff and designated campus colleagues to consider taking these steps regularly.
- Verify the email address: If a request is unusual, first check the sender's email address to determine if it is the expected address, especially if there is an "EXTERNAL" banner on the email message.
- Pay attention to odd language and typos: If the email's language and tone are not consistent with what you would usually expect from the sender (e.g., contains unusual or urgent requests, bad grammar or spelling errors), be skeptical.
- Don't approve unsolicited "push notifications" to your phone. If you receive an unexpected push notification request, change your password immediately. Never provide your password or passcodes to anyone, regardless of where or how you received the request.
- Check the ISO Phishing Alerts webpage. Members of the university community report phishing emails daily, so check the ISO website to see if the suspicious email has been reported.
- Report the scam: If you don't see the suspicious email on the Phishing Alerts page, forward the email as an attachment to phish@arizona.edu.
For more tips, visit the ISO Phishing webpage.
To find out more about cybersecurity, visit the Cybersecurity Awareness Month webpage for resources, quizzes, videos, games, Zoom backgrounds and more. The ISO also offers short and entertaining information security videos.