In conjunction with National Cyber Security Awareness Month, University of Iowa IT security experts are asking the UI community to help fight phishing—phony emails and other communications that aim to steal usernames and passwords, credit card or social security numbers, and other sensitive information.
Jane Drews, chief information security officer, and Jamie Matthews, ITS Help Desk manager, and their teams are allies in the phishing fight. Here they describe how UI students, faculty, and staff can join the cause.
Q: Why the focus on phishing?
Jane Drews: Virtually everyone gets phishing emails, and fighting back requires all of us to recognize, avoid, and report them. They remain the single most common IT security issue we encounter every day.
Q: Is the problem getting worse?
Jamie Matthews: Phishing emails have become more sophisticated, more likely to look like legitimate messages. We still get a lot of phishing emails that are easy to recognize and delete right away, but we also see more and more that use stolen University of Iowa logos and familiar service names or terms lifted from our websites. Many are sent from forged UI email addresses or addresses of real UI accounts that have been stolen. Even experienced email users can fall for clever phishing attacks.
Q: What’s the most important thing I can do to fight phishing?
Jane Drews: Keep sensitive information to yourself. If someone asks for your private information via email or social media, they’re almost always up to no good. So, refusing to provide it is your first line of defense.
Phishing emails typically include links to phony websites used to harvest usernames, passwords, and other information. Don’t click links that go to login pages or forms. If you do click a link and encounter a form, exit immediately and don’t complete it.
Real organizations you do business with—including the university—sometimes will ask you to manage your accounts. Instead of clicking email links, navigate directly to their websites in your web browser using saved bookmarks or by typing in the address, then log in as usual. Get into the habit of avoiding links that could be suspect.
Q: How do you tell a phishing email from a legitimate email?
Jamie Matthews: Classic signs of phishing emails include misspellings, grammar errors, and awkward phrasing, but many phishing emails now look professional and polished. They might address you by name and even appear to come from people you know. Question any message that seems odd or comes from someone you wouldn’t expect.
Phishing messages often try to create a false sense of urgency—for example, they’ll claim that your account will be closed unless you act right away. That’s another telltale sign that a message isn’t legitimate.
Also, phishing emails try to mask suspicious web or email addresses, so learn to check links and assess where they point. For example, if you hover your computer cursor over a linked word or phrase, the real web address behind it will appear. ITS offers instructions for how to check and read links.
Q: What are some other steps I can take to stay safe?
Jane Drews: Whenever you have the option, set up two-factor authentication for your university, bank, social media, or other accounts. Two-factor authentication requires you to confirm login attempts using a device you possess, like a cell phone. It makes it much harder for unauthorized parties to access your accounts using stolen usernames and passwords.
We’ve implemented two-factor authentication for UI web applications like MAUI and Employee Self-Service. Sometimes its required, sometimes optional, but we encourage all faculty, staff, and students to use it. You can find more info at its.uiowa.edu/two-step.
Q: So, what should I do if I receive what I think is a phishing email?
Jamie Matthews: If you suspect that an email is a phishing attempt, it probably is. Avoid clicking links or opening attachments that could put you at risk.
Quick reporting helps us establish whether any UI account have been compromised—which is often the case—and lock those accounts before they can be exploited further.
Q: What should I do if I’ve responded to a phishing message and maybe put myself at risk?
Jamie Matthews: Don’t hesitate to seek help—anyone can be deceived by a phishing attempt, and there’s no shame in reporting it. By acting quickly, you give phishers less time to exploit your stolen information. You also help keep others safe while we solve the problem.
Be sure to change your HawkID password immediately if you entered it into a suspect web page. UI students, faculty, and staff should contact the ITS Help Desk, especially when university accounts or computers are involved. Call 319-384-4357, email email@example.com, or use the Help Desk live chat.
We typically see a few UI email accounts compromised each day, sometimes many more. If ITS notifies you that your account has been compromised, please respond. We’ll provide a ticket number and ask that you call the Help Desk. That way, you can be confident you’re talking to a trusted source.
The National Cyber Security Alliance offers additional information about phishing, including what to do if you’re a victim. Steps can include taking your device offline, changing passwords, backing up files, running antivirus software, and alerting credit agencies.
What to do if you’re phished?
Acting fast can limit the damage.
If you get a suspicious message, send it as an attachment to firstname.lastname@example.org.
If ITS alerts you about an account breach, contact the Help Desk right away and reference the ticket number provided.