» Phishing

What is Phishing?

"Phishing" is a social engineering technique used to trick users into providing their personal information such as usernames, passwords, credit card details and social security numbers by pretending to be a trustworthy entity.

It often uses forged or look-alike email addresses and compromised websites that mimic the look and feel of the legitimate websites.

Phishing emails can be used to compromise an individual’s personal information or an Institution’s infrastructure and proprietary information.

The term is a homophone of “fishing” due to the similarity of using a bait in an attempt to catch a victim. A list of the recent phishing emails we received can be viewed at www.chapman.edu/security

Toggle Section

Phishing is when cybercriminals pretend to be a trustworthy entity and send messages to further entice their victims to:

Provide usernames or passwords
Open virus infected files on their computer
Open attachments that input malware on the device allowing passwords to be stolen

Quishing is the process of directing an end user to a fraudulent website through a QR code. The design of QR codes makes it difficult for the user to know where the code will direct them after scanning.

Quishing often involves sending an email with a QR code under the guise of a service request, offer, or the threat of being disconnected from a service.

To Protect Yourself from Quishing:

Take note of the tooltip displayed by the phone's camera showing part of the URL- the scammers will use pages redirected from Bing or Google to make it look more real. If the email pretends to be from Chapman, the URL should not redirect to Bing or Google.
Once you scan a QR code, check the URL to ensure it is the intended site and looks authentic.
Practice caution when entering login, personal, or financial information from a site navigated to from a QR code.
If you scan a physical QR code, please make sure the code has not been tampered with, such as with a sticker placed on top of the original code.
Avoid making payments through a site navigated from a QR code. Instead, manually enter a known and trusted URL to complete the payment.

Phishing hurts Chapman because it exposes the university to multiple risks including:

Theft of personal information including usernames and passwords
Access sensitive information regarding the university
Data Loss
Infection of system with malware

According to Webroot Threat Report, nearly 1.5 million phishing websites are created each month.

According to Verizon Breach Data Report 2016-2018:

30% of phishing messages get opened by targeted users and 12% of those users click on the malicious attachment or link.
70% of breaches associated with a nation-state or state-affiliated actors involved phishing.
74% of cyber-espionage actions within the public sector involved phishing.
66% of malware is installed via malicious email attachments.
93% of social attacks were phishing related.
70% of cyber attacks use a combination of phishing and hacking.
50% of recipients open e-mails and click on phishing links within the first hour of being sent.
71.4% of targeted attacks involved the use of spear-phishing emails.
43% of all breaches included social tactics.
49% of non-point-of-sale malware was installed via malicious email.
30% of phishing messages were opened in 2016 – up from 23% in the 2015 report.

How to Spot a Phishing Email

Toggle Section

Urges you to click a link
Enter your username and password
Requests to transfer money
Get gift cards
Send personal information
Have poor wording or phrasing that seems off

A Chapman University email will NEVER:

Ask for a password or ask for any other user credentials
Threaten to delete your account to make space
Ask you to prove that you are still an active user
Provide or verify personal information

The quickest way to identify a phishing email is to "Hover Over" the suspicious link.

The first part of the link is the "Microsoft Office 365 URL Inspection" service that protects you from accessing known malicious links.

However, most links have not yet been identified as malicious and can pass undetected through the filtering system.

The from field can be "spoofed" to look like it's coming from a legit sender. An email with a forged email address can appear that is coming from someone who works for the university, but when you hit “Reply” it will show as a different email address.

For example, when clicking "Reply" to this email the recipient address will show up as Office 365<security.70ydaju@chapman.gmail.net-login.com>.

What to do if I:

Toggle Section

Check:

Check www.chapman.edu/security for recent phishing emails to see if the email you received is posted
Even if you do not see it on the website still report it! It might be a new attack.

Contact:

Report all suspicious emails to abuse@chapman.edu

Correct:

Always double check the sender/url before entering any usernames and passwords. If any doubt DO NOT enter your username or password, instead ask abuse@chapman.edu to confirm legitimacy of email.
Go to the source – If the email is urging you to act (send money, gift cards, enter credentials, call) check with the email sender using a different communication method (In-person, chapman email, Instant Message, Desk Phone Number)

If you clicked the link within the phishing email but did not enter any data and you were not prompted to install a program, we recommend removing the temporary internet files and cookies.

How to Remove Temporary Files On:

Go to password.chapman.edu and reset your Chapman password immediately.

Forward the email to abuse@chapman.edu.

Email servicedesk@chapman.edu and ask them to run a security scan on your computer.

Chapman's Online Training and Awareness Program

Chapman's Online Training and Awareness Program consists of video modules and simulated phishing emails. The goal of this program is to help our users better protect both Chapman University’s sensitive information and their own.

Phish-Train approach. Here is an outline of how a Phish-Train cycle works:

First a simulated phishing email is sent to Staff and Faculty. The users who click on the link will be enrolled in an online training and will immediately receive an email notification.

The program follows Information Security Industry best practices and has been created by the offices of Human Resources and Information Security.

A Steering Committee comprised of key members from the following departments: Internal Audit, Financial Services, Human Resources, Information Systems and Technology and Chapman University's Office of the Provost manage and monitor this program.

If you would like to be enrolled in the free, self-paced Online Training and Awareness program, please send an email with the subject “Enroll me in the training and Awareness Program” to infosec@chapman.edu

Online Training and Awareness Program FAQ's

Toggle Section

The Simulated Phishing Email has the same characteristics as a Phishing Email you would spot in the wild. Following our tips in the How to Spot a Phishing Email.

The Online Training and Awareness Program consists of a simulated phishing email followed by a training for the people who fell for the phish.The trainings can take up to 15 – 20 minutes.

If you entered data in a simulated phishing email, starting March 2019, your password will be reset. You can also reset your own password by going to password.chapman.edu.

The Training will give you the necessary knowledge to spot a phishing email and keep your personal information as well as Chapman University’s information and infrastructure safe.

Glad you asked! The information is not saved anywhere. The only things that we can save are the replies to the emails and the actions performed (Delivered, Opened, Data Entered, Replied, Reported).

The goal of the Online Training and Awareness Program is only to provide the knowledge on how to identify a malicious email. If we observe a pattern regarding data entered, we might contact the manager of the department to arrange an Instructor Led Training.

Only you. We will enroll you in a training and reset your password if you entered data in a simulated phishing email.

None.There is a slight inconvenience – resetting your password if you entered data in a simulated phishing email.

Yes, we have received positive feedback from Faculty and Staff alike. Learning what the scammers are after helps everyone be better prepared and teach their loved ones how to guard their online persona.

» Phishing

What is Phishing?

How Do Phishing Emails Work?

Quishing: A new spin on an old scam

How does Phishing Hurt Chapman?

Phishing Statistics

How to Spot a Phishing Email

General characteristics of an email scam

Hover over the link

Look at the "From" field and Reply address

What to do if I:

Received a Phishing Message

Clicked a Link

Entered Data

Opened the Attachment

Chapman's Online Training and Awareness Program

Online Training and Awareness Program FAQ's

How can I tell the difference between a real phishing email and a simulated phishing email?

What is the Online Training and Awareness Program and how long will it take?

How will the training help?

Is the information I entered into the simulated phishing email stored?

How will the Simulated Phishing Emails affect me and the people I work with?

Who will be notified when I click on the link?

What are the negative consequences of the simulation?

Do Phishing Simulations really make a difference?