What is phishing?
Phishing is the crime of deceiving people into sharing sensitive information like passwords and credit card numbers.
Phishing attacks are getting more sophisticated and can be very convincing even to the trained eye, so it's important to know as much as possible about current threats and how to protect yourself against them. Falling victim to an attack can have severe consequences, not just for the target but for the University as a whole.
There's more than one way to trick the target, but email is the most common phishing tactic.
Types of phishing
There are various types of phishing attacks, including spear phishing, CEO fraud (whaling), vishing, smishing and quishing.
- Spear phishing is a targeted cyber-attack on a specific individual or group.
- Whaling is a form of spear phishing, where the cyber criminal targets a high-profile individual in the organisation.
- Vishing, or "voice phishing", is where the scammer targets the victim with phone calls or voice messages.
- Smishing involves fraudulent text messages pretending to be from reputable companies.
- Quishing usually involves an email posing as coming from a legitimate source, such as a Payroll Department, and containing a QR code for scanning.
Real-world examples of phishing messages which we have received in Trinity
Gift Card scam, Phishing email with subject "Available?", received September 2023
QR code scam, Phishing email from the email address HR-Payroll-Tcd, received October 2023
Scammers will say almost anything to get you to buy gift cards — like Google Play, Apple, or Amazon cards — and hand over the card number and PIN codes. Gift cards are a fast source of cash because they can be used to purchase items or can be sold.
With QR code scams, you will receive an email which contains a fraudulent QR code. The code installs malware on your phone that works covertly to steal your personal information.
What can happen in the event of a successful attack?
Ransomware is spread
Opening an attachment or link in a phishing email can potentially spread ransomware. The hacker is looking for just one person to click on that link or attachment, which in the worst-case scenario can lead to the hacker getting access to Trinity IT systems and data, locking users out of their accounts, and ultimately the need to shut down all IT systems, causing major business disruption to the whole University.
Data breach
The University can become subject to a major data breach if the hacker gets hold of sensitive information.
Hacker gets access to valuable data
The scammer can gain access to valuable data. They will look for any valuable information such as authentication credentials (e.g. your Microsoft 365 login details), personal information (e.g. names, birthdays, email addresses, phone numbers), and financial information (e.g. credit card details). The hacker may then package up the details and sell them on to other cyber criminals on the black market.
Other consequences
- Data loss
- Identity theft
- Losing access to your account
- Your account being used to phish others
- Financial losses
How can I protect myself against phishing?
It is easy to be alarmed by a phishing email: they are designed to convey a sense of urgency to get us to act without question. They may appear to come from a legitimate business that you have previously dealt with, or from a colleague. But there are things to look out for to help you recognise a phishing email.
Watch out for these signals
- Is the email coming from an official email address (e.g. school@tcd.com vs school@tcd.ie)?
- Is the email trying to get you to act fast and does it use threatening language?
- Does the email have poor grammar and punctuation?
- Does the email contain a suspicious attachment or link?
Remember to stay cautious, always take your time and consider the validity of the email. Never open attachments or click on links unless you are fully confident the message is from a legitimate party.
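Three of the signals listed above (sender address, urgent language, attachments and links) can also be checked mechanically by a mail administrator. The following Python is an added example, not part of the original page or any Trinity tooling; the urgency phrase list, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OFFICIAL_DOMAIN = "tcd.ie"  # official domain used in the page's own example
# Assumed phrase list for illustration only; tune it to your own mail flow.
URGENCY = re.compile(r"\b(urgent|immediately|act now|suspended|final notice)\b", re.I)
URL = re.compile(r"https?://[^\s<>]+", re.I)

# Constructed sample message (not a real email); .example is a reserved TLD.
SAMPLE = """\
From: "School Office" <school@tcd.com>
To: staff@tcd.ie
Subject: Available?

Your account will be suspended unless you act now.
Confirm here: http://payroll-update.example/login
"""

def is_official(host):
    """True only for tcd.ie or a real subdomain, so 'nottcd.ie' fails."""
    host = host.lower().rstrip(".")
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def phishing_signals(raw):
    """Return the checklist signals found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    signals = []
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if not is_official(domain):
        signals.append("sender-not-official:" + domain)
    texts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_filename():  # any named attachment is worth a second look
            signals.append("attachment:" + part.get_filename())
        elif part.get_content_type() == "text/plain":
            texts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    body = "\n".join(texts)
    if URGENCY.search(body):
        signals.append("urgent-language")
    for url in URL.findall(body):
        host = urlparse(url).hostname or ""
        if not is_official(host):  # link leaves the official domain
            signals.append("external-link:" + host)
    return signals

if __name__ == "__main__":
    print(phishing_signals(SAMPLE))
```

A match on any one signal is a reason to look more closely, not proof of phishing: legitimate mail from outside parties will always trip the sender and link checks.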