Week 1: Email Security

Phishing attacks are not only frequent, they are the primary reason people lose control of their credentials and data.

Phishing is a social engineering attack made via email. The bad actor sends a (sometimes) official-looking and urgent-sounding email stating that there is an “urgent message” waiting for you or that there is “something wrong with your account,” and asks you to click a link to access more information. Many times, the link simply says “click here” and doesn’t even tell you what website you’re being taken to.

Attackers often familiarize themselves with our systems and messaging in an attempt to trick you into believing that you are receiving a legitimate UIC email or visiting a valid website. Due to the way websites work, it’s also extremely easy for them to copy the code for our websites to their own servers. Because of this, the “click here” link in phishing emails often takes you to a website that is made to look like our login screen.

Because it’s so easy for bad actors to impersonate any website, it’s important that you scrutinize your email and remember the golden rules:

  1. Never click links or open attachments from unrecognized senders.
  2. Even if you recognize the sender, it’s still not a good idea to click links in email. It’s best to use your own bookmark or to type the webpage address yourself.
  3. If you do click a link to visit a website, check the URL in the browser to verify that you are really visiting a university website, like uic.edu or uillinois.edu, for example.
  4. Verify that any web page asking for your credentials is encrypted (the padlock is green and the URL begins with “https”).
  5. When in doubt, throw it out. If you’re not sure, don’t click!
  6. You can always send a copy of the email in question to security@uic.edu for verification if you’re not sure.

Sometimes, people don’t realize the link wasn’t real until after they click on it and supply their credentials. If you do suspect that you’ve been successfully “phished” (yes, that’s pronounced as “fished”), immediately change your password by visiting password.uic.edu and then send an email to security@uic.edu to report the incident.