Take a BITE out of phish
Photo by Raigan Nickle. October 16, 2017
‘Take a BITE out of phish’ campaign teaches UD community how to avoid getting phished
Editor’s note: This is the third in a series of articles from University of Delaware Information Technologies promoting cyber awareness during National Cyber Security Awareness Month.
Around this time last year, the media was publishing stories daily about the hacks that compromised email accounts of John Podesta, Colin Powell, and the Democratic National Committee. Although these incidents parallel one another in many ways, the most fundamental is this: in each case, hackers gained access to email content and accounts through successful phishing attacks.
“Phishing” is the practice of sending fake or illegitimate emails to trick potential victims into surrendering their account credentials, personal information, or control of their devices. It’s a favorite tool of hackers around the world because it’s low-tech, easy to use, and successful. Phishing relies on “social engineering,” which manipulates victims by taking advantage of the human feelings and emotions we all share: the need to comply with authority, the desire to fit in or belong, the fear of missing out, the compulsion to help people in need and the worry of judgment or punishment. Whether the message is a tax scam threatening legal action or a plea for help from an alleged friend or family member, the goal of a phishing email is to trigger a natural, human response in the victim, enabling the hacker to bypass security measures by taking advantage of people.
The constant rise in both number and danger of phishing attacks continues to make headlines across the world. Phishing is among the most common, most adaptable and most dangerous threats to our personal data and to the University. More breaches are caused by phishing than any other type of cyberattack. Yet, despite its prevalence and coverage, phishing is still widely misunderstood.
Anatomy of a phish
In the early days of cybercrime, phishing emails were often poorly written and relatively easy to spot. In recent years, however, hackers have listened to “customer” feedback and adapted their tactics: many enterprising phishers now proofread their emails, target specific individuals within organizations, and establish support networks including infected attachments and fake websites to help reel in a catch. Some phishing emails even appear to come from legitimate senders and may include the real logos or branding of the entity being impersonated. The exact form of each phishing email varies, but most follow a well-established formula:
They claim to come from a legitimate organization or individual, such as your bank or your IT department.
They demand that you take some action, whether that’s providing your password, logging in to your account, or opening an attachment.
They threaten you with consequences, such as deletion of your account or even legal action.
They contain a malicious link or attachment, which can be used to steal your information or grant the hacker remote control of your device.
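As an added illustration (not part of the original article or of Secure UD), a small Python heuristic that checks a raw email for the four signs of the formula above: an impersonated sender, a demand, a threat, and a deceptive link or attachment. The word lists, the brand list and the sample message are constructed for this example, not real UD mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Heuristics for the four elements of the formula; word lists, brands and sample are constructed.
ACTION = re.compile(r"\b(verify|confirm|log ?in|update|reset|validate|click|open the attach\w*)\b", re.I)
THREAT = re.compile(r"\b(suspend\w*|delet\w*|terminat\w*|legal action|locked|expire\w*|within 24 hours)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
BRANDS = ("udel", "google", "chase", "dropbox", "paypal", "facebook")  # brands named in the article

def registrable(host):
    # Crude registrable domain: keep the last two labels (login.paypal.com -> paypal.com).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def phish_flags(raw_message):
    """Return the warning signs found in a raw RFC 822 message, one string per sign."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.rpartition("@")[2])
    header_text = (display_name + " " + msg.get("Subject", "")).lower()
    body = "".join(p.get_payload() for p in msg.walk() if p.get_content_type().startswith("text/"))
    flags = []
    # 1. Claims to come from a legitimate organization, but the sending domain does not match it.
    for brand in BRANDS:
        if re.search(r"\b" + brand, header_text) and brand not in sender_domain:
            flags.append(f"impersonates {brand} from {sender_domain}")
            break
    # 2. Demands that the reader take an action.
    if ACTION.search(body):
        flags.append("demands action")
    # 3. Threatens consequences for not acting.
    if THREAT.search(body):
        flags.append("threatens consequences")
    # 4. Carries a link whose visible text names a different site than its real destination, or an attachment.
    for href, text in ANCHOR.findall(body):
        shown = re.sub(r"^https?://", "", re.sub(r"<[^>]+>", "", text).strip())
        if "." in shown and registrable(urlparse(href).hostname or "") != registrable(shown.split("/")[0]):
            flags.append(f"link text '{shown}' points to {urlparse(href).hostname}")
    if any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        flags.append("has attachment")
    return flags

# Constructed sample following the formula: impersonated IT department, demand, threat, deceptive link.
SAMPLE = """From: UD IT Help Desk <helpdesk@ud-support-center.example>
Subject: Action required: your UDel account will be suspended
Content-Type: text/html

<p>Your mailbox is over quota. Log in within 24 hours to verify your account or it will be suspended.</p>
<a href="http://ud-support-center.example/login">www.udel.edu/login</a>"""
```

Running `phish_flags(SAMPLE)` reports all four signs; a plain message from a colleague with no demand, threat or link reports none.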
A recent Webroot study reveals that hackers create around 1.5 million new phishing sites every month. The report also highlights that hackers impersonate well-known companies—often ones from which we expect contact—in their phishing attacks: Google, Chase, Dropbox, PayPal and Facebook top the list.
More advanced, targeted phishing attacks (known as “spear phishing”) may even use stolen logos and the names of real people or departments to create convincing scams designed to trick an organization’s employees or clients.
“Take a BITE out of phish!”
So, how do we protect ourselves against the dangers of phishing?
Earlier this year, the University rolled out the Secure UD “Take a BITE out of phish!” campaign to answer that exact question. “Take a BITE out of phish!” is an enhancement to Secure UD Training that gives UD community members the opportunity to hone their cyber defense skills on harmless, simulated phishing attacks. With the number and danger of real phishing attacks rising by the hour, the University offers these exercises monthly to keep the community aware of and practiced on the skills they need to protect themselves, their families, and the University from being exploited.
To defend against phishing attacks, remember BITE:
Be aware of the threat
Identify the warning signs
Tell us about suspicious messages
Erase phish from your inbox
These four simple steps can save you from accidentally exposing your personal information, revealing account credentials, or allowing a hacker to take control of your computer or smartphone.
If you suspect you’ve received a phishing email, or even if you’re just not sure whether an email is legitimate, forward it to email@example.com.
October is National Cyber Security Awareness Month. To thank those who demonstrate their commitment to our community’s security, UD IT will be giving away NCSAM prizes. Employees can earn up to two chances to win by forwarding this month’s “Take a BITE out of phish!” test email to firstname.lastname@example.org and completing Phase II of 2017 Secure UD Training during October. You can also follow the Secure UD Threat Alerts blog for the latest news about phishing scams and other threats affecting the UD community.