
What is Phishing?

"Phishing" is a social engineering technique used to trick users into providing their personal information such as usernames, passwords, credit card details and social security numbers by pretending to be a trustworthy entity.

It often uses forged or look-alike email addresses and compromised websites that mimic the look and feel of legitimate websites.

Phishing emails can be used to compromise an individual's personal information or an institution's infrastructure and proprietary information.

The term is a homophone of "fishing" because both use bait in an attempt to catch a victim. A list of the recent phishing emails we have received can be viewed at www.chapman.edu/security.

How Do Phishing Emails Work?

Phishing is when cybercriminals pretend to be a trustworthy entity and send messages that entice their victims to:

  • Provide usernames or passwords
  • Open virus-infected files on their computer
  • Open attachments that install malware on the device, allowing passwords to be stolen

How Does Phishing Hurt Chapman?

Phishing hurts Chapman because it exposes the university to multiple risks, including:

  • Theft of personal information, including usernames and passwords
  • Unauthorized access to sensitive information about the university
  • Data loss
  • Infection of systems with malware

Phishing Statistics

According to the Webroot Threat Report, nearly 1.5 million phishing websites are created each month.

According to the Verizon Data Breach Reports for 2016-2018:

  • 30% of phishing messages get opened by targeted users and 12% of those users click on the malicious attachment or link.
  • 70% of breaches associated with nation-state or state-affiliated actors involved phishing.
  • 74% of cyber-espionage actions within the public sector involved phishing.
  • 66% of malware is installed via malicious email attachments.
  • 93% of social attacks were phishing related.
  • 70% of cyber attacks use a combination of phishing and hacking.
  • 50% of recipients open e-mails and click on phishing links within the first hour of being sent.
  • 71.4% of targeted attacks involved the use of spear-phishing emails.
  • 43% of all breaches included social tactics.
  • 49% of non-point-of-sale malware was installed via malicious email.
  • 30% of phishing messages were opened in 2016 – up from 23% in the 2015 report.

How to Spot a Phishing Email

General characteristics of an email scam

  • Urges you to click a link
  • Asks you to enter your username and password
  • Requests that you transfer money
  • Asks you to buy gift cards
  • Asks you to send personal information
  • Has poor wording or phrasing that seems off

A Chapman University email will NEVER:

  • Ask for a password or any other user credentials
  • Threaten to delete your account to make space
  • Ask you to prove that you are still an active user
  • Ask you to provide or verify personal information

Hover over the link

The quickest way to identify a phishing email is to "hover over" the suspicious link, which reveals the address it actually points to.

The first part of the link is the Microsoft Office 365 URL inspection service, which protects you from accessing known malicious links.

However, most links have not yet been identified as malicious and can pass undetected through the filtering system.

Look at the "From" field and Reply address

The "From" field can be "spoofed" to look like it is coming from a legitimate sender. An email with a forged address can appear to come from someone who works for the university, but when you hit "Reply" a different email address will show.

For example, when clicking "Reply" to this email, the recipient address will show up as Office 365<security.70ydaju@chapman.gmail.net-login.com>.
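The two checks above, a Reply-To address that differs from the displayed sender and a link whose visible text does not match where it actually points, can be automated over a raw message. This added example is not part of the university's page: the message, the it-support@chapman.edu sender and the verify link are constructed for illustration, and chapman.edu is assumed to be the institution's own domain.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "chapman.edu"  # assumption: the institution's own mail and web domain

# Constructed sample (not a real email): sender and link are made up; the Reply-To domain is the look-alike quoted above.
SAMPLE = b"""From: "Office 365" <it-support@chapman.edu>
Reply-To: "Office 365" <security.70ydaju@chapman.gmail.net-login.com>
Content-Type: text/html

<p>Verify now: <a href="http://chapman.gmail.net-login.com/verify">https://my.chapman.edu/login</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs: what the reader sees versus where the link really goes."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyze(raw):
    """Return the reasons a message looks spoofed: Reply-To mismatch and deceptive links."""
    msg = email.message_from_bytes(raw)
    findings = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:  # a reply would go somewhere other than the apparent sender
        findings.append(f"reply-to-mismatch: From={from_dom} Reply-To={reply_dom}")
    links = LinkCollector()
    links.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    for href, text in links.links:
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text).hostname if "://" in text else None
        if text_host and text_host != href_host:  # the "hover over the link" check
            findings.append(f"link-text-mismatch: shows {text_host} but goes to {href_host}")
        # a real subdomain ends in ".chapman.edu"; "chapman.gmail.net-login.com" does not
        if href_host != TRUSTED_DOMAIN and not href_host.endswith("." + TRUSTED_DOMAIN):
            findings.append(f"untrusted-link: {href_host}")
    return findings
```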

What to do if I:

Received a Phishing Message

Check:

  • Check www.chapman.edu/security for recent phishing emails to see if the email you received is posted.
  • Even if you do not see it on the website, still report it! It might be a new attack.

Contact:

Correct:

  • Always double-check the sender and URL before entering any username or password. If in any doubt, DO NOT enter your username or password; instead ask abuse@chapman.edu to confirm the legitimacy of the email.
  • Go to the source: if the email is urging you to act (send money, buy gift cards, enter credentials, call), check with the sender using a different communication method (in person, Chapman email, instant message, desk phone number).

Clicked a Link

If you clicked the link within the phishing email but did not enter any data and you were not prompted to install a program, we recommend removing the temporary internet files and cookies. 

How to Remove Temporary Files On:

Entered Data

Go to password.chapman.edu and reset your Chapman password immediately.

Forward the email to abuse@chapman.edu.

Opened the Attachment

Email servicedesk@chapman.edu and ask them to run a security scan on your computer.

Chapman's Online Training and Awareness Program

Chapman's Online Training and Awareness Program consists of video modules and simulated phishing emails. The goal of this program is to help our users better protect both Chapman University’s sensitive information and their own.

The program follows a Phish-Train approach. Here is an outline of how a Phish-Train cycle works:

First, a simulated phishing email is sent to staff and faculty. Users who click on the link are enrolled in online training and immediately receive an email notification.

Starting March 1st, 2019, the users who entered data as a result of a simulated phishing email will have their passwords reset. If you entered data in a simulated phishing email, you can contact the ServiceDesk at extension 6600 or visit password.chapman.edu to reset your password.

The program follows information security industry best practices and was created by the offices of Human Resources and Information Security.

A Steering Committee composed of key members from the following departments manages and monitors this program: Internal Audit, Financial Services, Human Resources, Information Systems and Technology, and Chapman University's Office of the Provost.

If you would like to be enrolled in the free, self-paced Online Training and Awareness Program, please send an email with the subject "Enroll me in the Training and Awareness Program" to infosec@chapman.edu.

Online Training and Awareness Program FAQs

How can I tell the difference between a real phishing email and a simulated phishing email?

A simulated phishing email has the same characteristics as a phishing email you would spot in the wild. Follow our tips in the How to Spot a Phishing Email section above.

What is the Online Training and Awareness Program and how long will it take?

The Online Training and Awareness Program consists of a simulated phishing email followed by training for the people who fell for the phish. The training can take up to 15 to 20 minutes.

If you entered data in a simulated phishing email, starting March 2019, your password will be reset. You can also reset your own password by going to password.chapman.edu.

How will the training help?

The Training will give you the necessary knowledge to spot a phishing email and keep your personal information as well as Chapman University’s information and infrastructure safe.

Is the information I entered into the simulated phishing email stored?

Glad you asked! The information is not saved anywhere. The only things that we can save are the replies to the emails and the actions performed (Delivered, Opened, Data Entered, Replied, Reported).

How will the Simulated Phishing Emails affect me and the people I work with?

The goal of the Online Training and Awareness Program is only to provide the knowledge needed to identify a malicious email. If we observe a pattern regarding data entered, we might contact the manager of the department to arrange an instructor-led training.

Who will be notified when I click on the link?

Only you. We will enroll you in a training and reset your password if you entered data in a simulated phishing email.

What are the negative consequences of the simulation?

None. There is a slight inconvenience: resetting your password if you entered data in a simulated phishing email.

Do Phishing Simulations really make a difference?

Yes, we have received positive feedback from Faculty and Staff alike. Learning what the scammers are after helps everyone be better prepared and teach their loved ones how to guard their online persona.

Phishing Resources

If unsure about an email you received, send an email with your questions to abuse@chapman.edu.

For any questions regarding Phishing Simulation/Phishing Simulation training please contact infosec@chapman.edu.

View phishing email examples (listed under the "Latest Phishing Emails" section on that page).