Spear Phishing Email Campaigns Target UC ANR Leadership

Aug 9, 2019


Phishing (pronounced 'fishing') is an email scam designed to acquire sensitive information from people. The most successful phishing emails are designed to look like the email comes from a reputable source such as a known person or entity. UC ANR faculty and staff are often the target of attempts to gain login credentials or personal information through phishing scams that may claim to be coming from UC ANR. These are fraudulent attempts and should not be replied to or acted upon.

In early July, a number of UC campuses and affiliated institutions were targeted by a coordinated, wide-ranging “spear phishing” campaign. The scammers, masquerading as unit leads and executives, tried to get people to reveal sensitive information. We would like to take a moment to describe this attack, offer tips for spotting similar attacks, and explain how to report them. If you believe that you have received a phishing or spear phishing email, please forward it to help@ucanr.edu. Messages sent to the UC ANR IT email account will help improve our detection mechanisms for future phishing attempts.

 

Warning Signs

One telltale sign of spear phishing is an unusual request. For example, is a colleague asking you to transfer money or other goods seemingly out of the blue? Are they insisting on a specific deadline, or otherwise creating an artificial sense of urgency? If so, you might be a target of spear phishing.

If the message or request does seem suspicious, do a little digging to ensure it is actually coming from your colleague. For example, in the recent attack, the fraudulent messages came from Gmail accounts designed to look like @ucsd.edu accounts:

From: Bob Smith (bob.smith.ucsd.edu@gmail.com)

To: a colleague of the real Bob Smith

In a few cases, the spammers changed the “from” address to other variations of a bogus email address, such as:

From: Bob Smith (bob.smith.ucsd.edu07@gmail.com)

To: a colleague of the real Bob Smith

In this case, the recipients were all professional colleagues of the individuals whose names were used as the bogus sender of the messages. This suggests the individuals or organization sending the notes had researched their targets and crafted the messages specifically for them. This is the essence of spear phishing. The tactic is often a tool of state-sponsored hackers who are trying to gain a toehold in organizations with proprietary assets, including the world-class research and health care assets at the University of California.
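For mail administrators, the lookalike pattern shown above (an institutional domain placed before the "@" of an outside address) can be checked mechanically. The Python sketch below is an added example, not part of the original article or of UC ANR's tooling; the trusted-domain list, the function names and the sample headers are assumptions made for illustration.

```python
import re
from email.utils import parseaddr

# Assumed values for this sketch: domains the organization really sends from.
TRUSTED_DOMAINS = ("ucsd.edu", "ucanr.edu")


def _squash(text):
    """Lowercase and keep only letters and digits, so 'ucsd.edu' and 'ucsd-edu' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def embedded_trusted_domain(from_header):
    """Return the trusted domain imitated in the local part, or None.

    Flags addresses such as bob.smith.ucsd.edu07@gmail.com, where the
    institution's domain appears before the '@' but the mail is really
    sent from a different domain.
    """
    _display_name, address = parseaddr(from_header)
    local, _, domain = address.lower().rpartition("@")
    if not local or not domain:
        return None  # no usable address in the header
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None  # address really is in a trusted domain
    for trusted in TRUSTED_DOMAINS:
        if _squash(trusted) in _squash(local):
            return trusted
    return None


# Constructed sample headers, modeled on the two examples in the article.
SAMPLES = [
    "Bob Smith <bob.smith.ucsd.edu@gmail.com>",
    "Bob Smith <bob.smith.ucsd.edu07@gmail.com>",
    "Bob Smith <bsmith@ucsd.edu>",
    "Alice Jones <alice.jones@gmail.com>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        hit = embedded_trusted_domain(header)
        verdict = f"SUSPICIOUS (imitates {hit})" if hit else "no lookalike pattern"
        print(f"{header}: {verdict}")
```

This check looks only at the text of the From address; a message that forges a genuine institutional address is a separate problem, handled by SPF, DKIM and DMARC validation.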

How to notify

Phishing attacks – and spear phishing attacks like the one that occurred earlier this month – are likely to become more and more sophisticated as time goes by. CSIT has tools to identify and remove fake emails that get delivered to @ucanr.edu accounts. But you can help too:

UCOP maintains extensive information on phishing on its website: https://security.ucop.edu/resources/security-awareness/phishing-2019-campaign.html

Specific questions about our handling of spam and phishing that are not addressed above can be sent to UC ANR Help at help@ucanr.edu.


By Bruce Lidl
Author - IT Communications Specialist