Overview
The University of Oregon has noticed a steady increase in unsolicited and undesirable email, text messages and telephone calls, both in general and through our phone system. Many of us are familiar with email spam and telephone spam, but smishing and vishing may be new. These undesirable contacts have become dramatically more pervasive in the past year, and they continue to increase in both frequency and severity. Many of these contacts are usually referred to as social engineering attacks.
Types of Contacts: What are we seeing?
Phishing
Phishing is a type of online scam that involves tricking people into giving away sensitive information to criminals. Phishing scams can take many forms, including:
- Email: A seemingly legitimate email from a bank, internet service provider, or other organization may ask for personal information.
- Text message: A text message may contain a link to a malicious website.
- Phone call: A phone call may be used to trick someone into giving away information.
- Website: A malicious website may be designed to look like a legitimate website, such as a bank or credit card site.
- Social media: A fake social media post may be created in someone's account.
Phishing scams can lead to a variety of consequences, including:
- Stolen money from bank accounts
- Fraudulent charges on credit cards
- Loss of access to photos, videos, and files
- Cybercriminals impersonating someone
The attacker will try to make you act immediately and will give you a false reason why you must act or answer right away. They often threaten things like legal action or some type of fine. The end goal of this type of attack is to steal something such as identity information or sensitive business information. For example, if a caller claims to be from your bank, hang up. You can then log in to your bank account online or call your bank (note that you are now calling a known number, not speaking with the unsolicited caller) and ask the bank whether they are trying to reach you.
Spear Phishing
Spear phishing is similar to phishing, except that the attacker has taken the time to learn details about the person they are contacting.
For example, they find someone with the title of accountant, then call posing as a creditor complaining about a late payment.
Smishing (SMS Phishing)
Smishing is a type of phishing attack that uses text messages to trick people into giving away personal information or clicking dangerous links. The term "smishing" is a combination of "phishing" and "SMS" (Short Messaging Service).
Scammers often use smishing to:
- Steal personal information like account usernames and passwords, Social Security number, date of birth, credit and debit card numbers, and PINs.
- Spread malware.
- Perpetrate identity theft and fraud.
Vishing (Voice Phishing)
Vishing, or voice phishing, is a type of phone-based cyberattack where criminals use phone calls to trick people into giving up sensitive information. The goal is to steal money or other personal information that can be used for fraud, identity theft, or financial theft.
Here are some ways vishing attacks can work:
- Robocalls: Vishing scams can be perpetrated through robocalls.
- Voice over Internet Protocol (VoIP): Criminals may use VoIP technology to place hundreds of calls at a time.
- Phishing emails: Many vishing attacks start with a phishing email that urges the recipient to dial a number.
- Impersonation: Criminals may impersonate a call center professional or someone from a reputable organization, such as the victim's bank, the IRS, or a package delivery service.
- Spoofing: Criminals may spoof numbers that belong to real companies.
To avoid falling for vishing scams, you should not trust a caller who knows some of your personal information until you can verify their identity.
Telephone Spam
Spam is any unsolicited or undesired electronic communication.
Traditional spam is just someone trying to sell you something. However, there tends to be a correlation between bad actors and spam. The simple truth is that you cannot know whether an unsolicited sales request comes from a reputable party, nor the true identity of the caller. For example, if someone calls claiming to sell toner cartridges for your printer, you cannot know that they are a legitimate toner reseller; for all you know, they will take your credit card information and never send any toner. There is always risk in accepting an unsolicited call.
Caller ID Spoofing
Spoofing is the practice of changing one's caller ID. It is a form of impersonation that is relatively easy for an attacker to do.
For example, someone claiming to be calling from the IRS can easily spoof the real IRS toll-free number as their caller ID.
It has become common for spam calls to falsify their caller ID. Because the callers know people are more likely to pick up a call from their own area code and region, you usually see a number in area code 541 here in Eugene, often with a common prefix such as 541-683.
The callers themselves are often off-shore and not in the United States, which makes the crime more difficult to track down or enforce. For attacks aimed specifically at the university, the callers tend to spoof a 541-346 number. Historically, these calls were easier to detect because off-shore calls sounded distant and had static; today they can sound as clear as a caller who is literally next door. This type of attack is called a Neighbor Scam.
What can you do?
- If you receive an unsolicited contact in any form (email, text message, telephone, etc.), do not assume it is legitimate until you validate the source and purpose.
- Hang up on callers who threaten you or try to force you to reveal sensitive information. This step is the most important and is sometimes overlooked.
- Did you make the call, or did someone call you? A call you receive requires a different level of caution and special handling than a call you place.
- Block unwanted callers from your phone:
  - For UO telephones
  - You can also block unwanted callers on your mobile devices. How to do that varies from one vendor to another; contact your mobile service provider for details.
- To avoid phishing scams, you can:
  - Not respond to emails or pop-up messages that ask for personal or financial information.
  - Hover over the URL of any links in emails to validate that the link goes where it claims to.
  - Only use websites with a valid Secure Socket Layer (SSL) certificate, whose addresses begin with "https://".
  - Change passwords regularly and never use the same password for multiple accounts.
  - Make use of multifactor authentication for all your accounts.
  - Report phishing attempts to the UO Information Security Office and other industry groups.
- Here are some ways to protect yourself from smishing:
  - Be wary of suspicious texts: don't click links in texts from unknown or suspicious numbers, especially if the link is short or abbreviated.
  - Don't respond to unknown numbers: responding to texts from unknown numbers can let scammers know your number is active, which could lead to spam lists and harassment.
  - Keep your phone updated: keep your phone's operating system up to date to protect against malware delivered through smishing links.
  - Be aware of social engineering red flags: be wary of urgent messages or get-rich-quick offers. If it seems too good to be true, it probably is.
- To avoid falling for vishing scams, do not trust a caller who knows some of your personal information until you can verify their identity.
- Don't let yourself be lured away from UO protected environments. If an unsolicited contact tries to move the conversation to your personal email or mobile phone, this is a good indication that you might be dealing with a malicious actor. Hang up and report the contact to the Information Security Office.
- Depending on circumstances, you can open a case with the Information Security Office or UO Police for any illegal call (e.g. harassment).
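The link-checking advice above (hover over a link to see where it really goes, and look for "https://") can be automated for an HTML email body. The script below is an added example written for this page, not a UO tool: it collects every link in the message, compares the hostname displayed in the link text with the hostname the link actually points to, flags links that are not https, and flags "lookalike" hosts that contain a trusted brand label (assumed here to be uoregon.edu) without actually being under that domain. The sample email body is constructed for the demonstration.

```python
"""Flag suspicious links in an HTML email body (added example, not UO's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or bare domain, e.g.
# "https://uoregon.edu/login" or "www.example.org/path".
DOMAIN_RE = re.compile(r"^(?:https?://)?(?:www\.)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lowercase hostname of a URL or bare domain, with a leading 'www.' removed."""
    if "://" not in value:
        value = "http://" + value  # scheme only so urlparse finds the host
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_link(href, text, brand_domains=("uoregon.edu",)):
    """Return a list of findings for one link; an empty list means nothing suspicious."""
    findings = []
    target = _host(href)
    if urlparse(href).scheme.lower() != "https":
        findings.append("not-https")
    # The text shows one host but the link goes to another: classic phishing pattern.
    if DOMAIN_RE.match(text):
        shown = _host(text)
        if shown and shown != target:
            findings.append(f"text-host-mismatch:{shown}->{target}")
    # Host contains the brand label but is not the brand domain or a subdomain of it,
    # e.g. uoregon.edu.account-verify.example (assumed brand list: uoregon.edu).
    for brand in brand_domains:
        label = brand.split(".")[0]
        under_brand = target == brand or target.endswith("." + brand)
        if label in target and not under_brand:
            findings.append(f"lookalike:{brand}")
    return findings


def scan_email_html(html, brand_domains=("uoregon.edu",)):
    """Return [(href, text, findings)] for every link with at least one finding."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        findings = check_link(href, text, brand_domains)
        if findings:
            flagged.append((href, text, findings))
    return flagged


# Constructed sample message: one deceptive link, two benign ones.
SAMPLE_EMAIL = """<p>Your UO account will be suspended unless you verify it today.</p>
<a href="http://uoregon.edu.account-verify.example/login">https://uoregon.edu/login</a>
<a href="https://uoregon.edu/">UO home</a>
<a href="https://news.example.org/story">Click here</a>
"""

if __name__ == "__main__":
    for href, text, findings in scan_email_html(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {', '.join(findings)}")
```

The lookalike check exists because "https://" by itself only tells you the connection to that host is encrypted; an attacker can obtain a valid certificate for a domain they control, so the host name still has to be read carefully. Run the script as-is to see the deceptive first link reported with all three findings, or call scan_email_html() on a real message body you have saved.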
What can UO do?
- For unwanted telephone calls to UO phone numbers, UO Police can request that we block a caller system-wide. Note that we cannot block some spoofed numbers (i.e. our own numbers), and we cannot block calls that have no caller ID.
- For email messages, the university operates email security protections that remove 99.99% of unwanted messages that pass through those protection mechanisms. Not all email messages go through our protection services.
Additional Observations
Why do I keep getting calls and then they hang up on me?
Telemarketers and spammers are well organized, often running a full call center (usually outside the USA). They use a computer to dial a large number of telephone numbers. This practice is sometimes called robocalling.
Fortunately or not, computers aren't always so smart: they sometimes cannot detect that a human picked up the phone, so they hang up. While this is annoying, had the call actually connected, you might have been met with nasty threats intended to intimidate you into revealing sensitive information. For this reason, it may be best that you simply "missed their call."