Friday, March 1, 2024

Phishing scam hits UC Davis e-mails

UC Davis students and faculty have recently been hit by a web e-mail hoax that reads “Update Your UC Davis Webmail Account.” The e-mail was directed to .ucdavis.edu Google-based e-mail accounts, and required respondents to click on a fraudulent web address link.

Rather than updating the account, the linked page asks users to enter the UC Davis username and password they use to log in to their UC Davis webmail account. The account is then compromised, and the user must reset both the passphrase and the challenge questions used to secure it.

To prevent students from being victimized by phishing incidents like this one, UC Davis IT Security Coordinator Robert Ono refers students to the anti-phishing information on the UC Davis Information and Education Technology (IET) web page.

UC Davis will never ask you for your passphrase via e-mail, telephone or non-campus website, according to the IET web page.

“I don’t believe it’s so much a problem of internet security as it is with students’ lack of understanding of phishing scandals; students should be aware of such incidents and become better educated on what constitutes an illegitimate e-mail, simply by visiting the IET website,” said first-year biological sciences major Daniel Tran.

Ono adds that approximately 70 to 80 percent of all e-mail is spam and phishing messages. Though most messages are caught and dropped prior to delivery, a few may be delivered to a student e-mail account.

“The few delivered spam or phishing messages appear in your e-mail junk folder, and a fewer yet number may make it through to your mail inbox,” Ono said.

To avoid phishing scams in general, Ono states that students should be aware of the following when encountering suspicious e-mail messages. Phishing messages generally contain no initial salutation, such as “Dear Student.” Phishing messages often describe some urgent action for the e-mail reader, such as visiting a website or forwarding your login account information to a destination. IT Express, the campus help desk, will never ask you for your login account password to be sent or entered into a webpage. The messages often indicate origination from a campus unit that does not exist.
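The indicators Ono lists, combined with the IET rule that a passphrase is never requested through a non-campus website, can be written as a small mail check; this is an added example, not code from UC Davis or IET. The keyword patterns, indicator names and both sample messages are constructed, single-part plain-text mail is assumed, and the "nonexistent campus unit" indicator is left out because it needs a directory of real units.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

CAMPUS_DOMAIN = "ucdavis.edu"  # from the article; the patterns below are assumed
SALUTATION = re.compile(r"^\s*(dear|hello|hi)\b", re.I)
URGENCY = re.compile(r"\b(immediately|urgent|within \d+ hours|will be (suspended|deactivated|closed))\b", re.I)
CREDENTIALS = re.compile(r"\b(username|password|passphrase)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_campus_host(host):
    # Exact domain or a true subdomain; "ucdavis.edu.evil.example" fails.
    host = (host or "").lower().rstrip(".")
    return host == CAMPUS_DOMAIN or host.endswith("." + CAMPUS_DOMAIN)

def phishing_indicators(raw_message):
    """Return the article's indicators that a single-part text message shows."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    text = msg.get("Subject", "") + "\n" + body
    first_line = next((ln for ln in body.splitlines() if ln.strip()), "")
    hosts = [urlparse(u).hostname for u in URL.findall(body)]
    found = []
    if not SALUTATION.match(first_line):
        found.append("no_salutation")
    if URGENCY.search(text):
        found.append("urgent_action")
    if CREDENTIALS.search(text):
        found.append("asks_for_credentials")
    if any(not is_campus_host(h) for h in hosts):
        found.append("non_campus_link")
    return found

def is_credential_phish(raw_message):
    """Credentials requested plus an off-campus link breaks the IET rule."""
    found = phishing_indicators(raw_message)
    return "asks_for_credentials" in found and "non_campus_link" in found

# Constructed sample messages (not real campus mail).
PHISH = """From: Webmail Team <admin@webmail-update.example>
Subject: Update Your UC Davis Webmail Account

Your mailbox will be suspended within 24 hours.
Enter your username and password at http://ucdavis.edu.webmail-update.example/login"""
LEGIT = """From: Help Desk <helpdesk@ucdavis.edu>
Subject: Scheduled maintenance

Dear Student,
Webmail will be briefly unavailable on Saturday. See https://security.ucdavis.edu/antiphishing.cfm"""
```

The constructed phishing message trips all four checks, including the look-alike host that merely begins with the campus domain, while the constructed legitimate notice trips none, which is the false-positive behaviour a filter has to preserve.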

“Contact the campus help desk, IT Express, to confirm the legitimacy of a message asking for personal information. E-mail recipients may also independently look up a telephone number for the apparent message sender and contact the sender by telephone to confirm legitimacy of the request,” Ono said, regarding the confirmation of e-mails.

IET attempts to educate students and faculty alike on the importance of internet security, and its web page offers links ranging from Multimedia Content Development to Training Services in Classroom Media Training. The page also provides students with readily available “how-to” links regarding internet security, e-mail and computing services, and educational technology.

“The campus continues to improve its anti-phishing message filtering. However, the campus needs to carefully manage such filtering to ensure the filters do not prevent the delivery of legitimate messages — a false positive,” Ono said.

For information about this issue, visit security.ucdavis.edu/antiphishing.cfm.

GHEED SAEED can be reached at campus@theaggie.org.

2 COMMENTS

  1. This phishing attack at UC Davis is one example of the many educational institutions increasingly targeted by phishing criminals for the hotbed of personal information their databases hold. Between the personal records of both current students and alumni, there is a lot of data to keep secure. These larger-scale enterprise security challenges explain the need for multi-pronged approaches to IT security, beyond the physical security itself. One of the biggest threats to educational institutions like UC Davis is not necessarily the security products utilized by the IT Department, but the people working there. Having trained over 3.1 million employees (using PhishMe.com) like those working for UC Davis, we have found that immersing people in the experience through mock phishing exercises, and presenting immediate, bite-sized educational materials to those who are susceptible has the desired effect of reducing human vulnerability to these attacks. With so much sensitive data in one place, educating universities and students about phishing attacks is a step in the right direction for this vulnerable sector that is higher education.
    -Aaron Higbee, CTO and Co-Founder, PhishMe

  2. Phishing scams or any other kinds, I think everybody should check Scam Detector, an app that Apple released recently. They have hundreds and hundreds of scams exposed, in several industries. For those interested, the app has an online presence as well: http://www.scam-detector.com
