In an increasingly digital world, cyberattacks are a significant threat to both individuals and organizations. Risks to information technology are on the rise and malicious actors are increasingly aggressive and more capable of carrying out cyberattacks. The goal of a cyberattack is often data theft, financial fraud or system sabotage. Since fall break, a number of phishing attempts have targeted Ithaca College students.
Phishing is a type of online attack or scam that attempts to steal sensitive information by masquerading as a trustworthy organization or source. The goal is to steal sensitive information or to install malware on devices. Phishing attacks often take the form of emails, texts, social media messages and even phone calls or voice messages. Scammers want to collect information that can be utilized or sold. This means stealing usernames, passwords and credit card numbers or other financial information.
Phishing messages affecting Ithaca College email accounts are usually delivered as texts or emails. They often involve forms, passwords or the use of the Duo security app. These messages might ask students to enter a password in a form to verify an account is still active, provide a code from Duo or enter a code that was sent to them. Other messages impersonate job or internship offers. All of these techniques have the end goal of the user providing information to the scammer that would allow them to log into an account.
Scammers want to access personal data stored in emails or linked to the account, such as identifiers or financial information: student ID numbers, addresses and tuition payment receipts. Often this data can be used to steal money directly; the U.S. Federal Bureau of Investigation currently estimates that cybercrime inflicted more than $50.5 billion in direct financial losses on U.S. consumers and businesses over the last five years. Data can also be used for identity theft, or can even be sold to other scammers.
There is a common misconception that since young people are generally more familiar with digital technology, they are less susceptible to phishing attacks. While it is true that older age groups are more susceptible to phishing attempts, that does not mean young adults are safe. Young adults use social media more than any other age group, making them the most available targets. Moreover, frequent social media use has the potential to lead people to make quick or instinctive decisions without evaluating the risks. According to a study reported by the Wall Street Journal, over 89% of young adults fell for a suspicious link in a message at least once.
Even within a more secure digital environment like a university, it is important to be vigilant and aware of the risks to our cybersecurity because phishing is one of the most effective forms of cybercrime. The U.S. Cybersecurity and Infrastructure Security Agency says that more than 90% of successful cyberattacks began with a phishing attack. And while system firewalls and multi-factor authentication tools like Duo filter out most unsafe messages, it is inevitable that some will slip through the cracks.
Urgent language, unfamiliar senders and unexpected messages are all indicators of a possible phishing attack. Scammers take advantage of FUD, a common acronym used in the security industry to describe the atmosphere of pressure and immediacy the sender wants to create. It stands for fear, uncertainty and doubt, and is an important tool for the phisher because these factors are what drive irrational decision-making. Urgency is the most obvious sign of a phishing attempt. Phishing messages will often employ time pressure and outline consequences if immediate action is not taken. Scammers want potential victims to act before they have time to figure out the message is a scam.
It is good practice to be naturally skeptical of any digital communication that requests sensitive information. Nearly all real organizations will never ask for this kind of information through electronic communications. And if people suspect that they are a victim or have been tricked by a phishing attack, they should change their password and contact the IT Service desk to check for suspicious activity on their account. A message that seems like a phishing attempt can be reported to [email protected].

Mark Yowan • Nov 6, 2025 at 2:53 pm
Hi Sam,
Love your technology-related guest commentaries in the Ithacan. Maybe consider applying for a role working part time in Information Technology and Analytics next Fall.
Best Regards,
Mark