Phishing

Phishing is a constant problem, although the number of phishing emails tends to ebb and flow over time. Given the large number of phishing attempts, we do not email out reminders after each phishing message (otherwise we would be sending out weekly if not daily reminders). However, from time to time we will remind people or post a news item about it, such as this previous item as well as this more recent one.

In particular please note

  • no one should ever ask you to disclose your password
  • we do not require you to reset your maths account password periodically although it is good practice to change it from time to time when it suits you
  • the central university does require you to change your SSO password annually and the emails they send out about this do have a number of phishing email characteristics :(
  • the central university does require you to change your separate remote access password (used for eduroam etc) every few years and the emails they send out about this do have a number of phishing email characteristics :(
  • we do not ask you to verify your Maths email account periodically
  • it is generally highly suspicious to be asked to login to a system to confirm your details or upgrade your access and it would be highly unusual for us to do so without clear additional message content that would direct you via a route you could independently confirm as official (i.e. we would not just offer a link)
  • if a phishing attempt is not specifically aimed at departmental or university services then there is typically nothing the university can do and it does not ask for such phishing attempts to be reported
  • if a phishing attempt is aimed at departmental or university services please do report it by forwarding the email, including the full headers, to phishing@it.ox.ac.uk
  • if unsure you are always welcome to ask (by emailing it-support@maths.ox.ac.uk) and we would much rather confirm messages are/are not phishing attempts than deal with security breaches as a result of a phish
  • you are responsible for your account and keeping your password secure. A failure to do so could result in compromises to other systems you use such as online banking or could result in illegal activity done using your account for which you may be held responsible

Overall though, exercising good common sense and scepticism will generally keep you safe :)

If however you do think you may have fallen for a phishing attempt or there seems to be strange/unexplained activity on your maths IT account then please report it immediately so we can investigate and reassure you or clear any problem that might otherwise become much more serious.

There is also some good information on phishing on the central university pages and on this infosec phishing advice page.

Email PPE

When working with email please remember to put on your email personal protective equipment:

  • healthy scepticism - particularly for any web links (which can be easily faked so they look like one thing but go somewhere else), and also because it is trivial to fake any sender address desired, rather like writing a false return address on a physical envelope
  • attention to detail - particular for typos, poor Inglish (see what we did there, twice!), unknown apparent sender addresses, odd signatures, all of which may be clues something is amiss with the email received that should make you more cautious
  • attention to visuals - if you follow a link and where you end up looks like a known web page, still take extra care to check the browser address bar and see if the URL is actually as expected, e.g. https://www.maths.ox.ac.uk rather than https://dodgy.place.com/www.maths.ox.ac.uk/ivegotyounow.html
  • patience - take extra time, as a few more seconds now may save you and others a lot of time later
  • support - if in any way unsure then ask for help/guidance; whilst you may have to wait a little for a reply, the time cost and inconvenience of asking is much less than the time you may be without access, and others may be diverted into investigating and resolving an incident rather than getting on with other useful tasks
  • training - if you are university staff then you are required to complete the information security awareness training at least annually; if you are caught out by phishing, one of the first questions the university will typically want answering is if your training record is up to date. If you are a student or retired staff then it is not yet compulsory but is arguably well worth doing. Training is not a vaccine that will make you immune to phishing, and its effects tend to wear off over time, nevertheless it is an important component in the toolkit for reducing the risks from phishing. The training is available at https://www.infosec.ox.ac.uk/module
  • remember - phishing is discussed at induction, and reminder emails and bulletin articles are produced to remind people of key points. A key point made is that the department has a policy not to require periodic password changes, and nor does it require you to login to retain access to services or gain extra file/email space - as such any such email that purports that you need to follow a link to login and take action for your maths IT account is generally something to be very sceptical of!
  • cunning - if in doubt a handy trick can be to enter in incorrect details at a login prompt. A phishing site will not know your real details and in many cases will thus tell you you have successfully logged in (when they are really just caching the details you give to then use and abuse) - in which case you know something is wrong and should back away and seek guidance if needed
  • mitigation - if you think you have just fallen for a phishing attack then act quickly to mitigate the issue by immediately changing your account password, e.g. via the department website at https://www.maths.ox.ac.uk/change_password. This stops the attacker making further connections but they may already have a connection and be causing mischief, so
  • reporting - make sure you report issues, or suspected issues, as quickly as possible so they can be investigated, addressed and further guidance be provided as necessary. In particular if you have already changed your password make that clear at the point you report the issue, although it may still be necessary to lock you out of the account to stop an active phisher
  • rescue - if you fall foul of phishing your account will likely be locked. Once locked your usual email is no longer available. In order to be able to reach out and contact you the department/university will first look to use your defined alternate email address. You can set this at https://register.it.ox.ac.uk/self/alternative_email . Note you will only be supplied with new details on proof of ID (typically you need to show us your university card in person or via a secure video call), and when we have confirmation your information security training is up to date (if it is not you will have to do the module immediately)
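The "attention to visuals" point above is about reading the host part of a URL rather than the whole string. The following is an added example (not code from the department page) that extracts the host a browser would actually contact and compares it with the expected domain; the decoy URLs beyond the two quoted on the page are constructed for illustration.

```python
from urllib.parse import urlsplit

# Expected domain taken from the page; subdomains such as www. are accepted.
EXPECTED_DOMAIN = "maths.ox.ac.uk"


def effective_host(url: str) -> str:
    """Return the lowercase hostname a browser would connect to for this URL.

    urlsplit separates the parts a quick glance gets wrong: text before '@'
    is userinfo, not the host, and nothing after the first '/' changes
    which server is contacted.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError(f"not a web URL: {url!r}")
    host = parts.hostname  # drops userinfo and port, lowercases
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.rstrip(".")


def host_matches(url: str, expected: str = EXPECTED_DOMAIN) -> bool:
    """True only if the URL's host is the expected domain or a subdomain of it."""
    host = effective_host(url)
    expected = expected.lower()
    return host == expected or host.endswith("." + expected)


def check_urls(urls):
    """Map each URL to whether its host is genuinely on the expected domain."""
    return {u: host_matches(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs: the first two are the page's own contrast,
    # the rest are common lookalike forms that the same check catches.
    samples = [
        "https://www.maths.ox.ac.uk",
        "https://dodgy.place.com/www.maths.ox.ac.uk/ivegotyounow.html",
        "https://www.maths.ox.ac.uk@dodgy.place.com/login",
        "https://www.maths.ox.ac.uk.dodgy.place.com/login",
        "https://WWW.MATHS.OX.AC.UK/change_password",
    ]
    for url, ok in check_urls(samples).items():
        label = "OK     " if ok else "SUSPECT"
        print(f"{label}  host={effective_host(url):<40} {url}")
```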

Track, Trace and Isolate; and Herd Immunity

The university has seen a very worrying trend since mid-2019, in that the number of people falling foul of phishing attacks has increased by multiple orders of magnitude. This is creating inconvenience for those caught out and costing the department and university substantial staff time in tracking, tracing, isolating and resolving such issues. Now more than ever, when there is reduced IT staff capacity yet increased demands on that time, this is something we need to tackle together and reverse the trend, so that once again we have a good level of herd immunity to phishing that protects us individually and also largely as a group! We will never totally eliminate compromised accounts due to phishing, but by keeping the compromise and transmission rate low we can largely mitigate the issues that arise, avoid a lockdown, and continue to go about our business as normal.

Risks and Consequences

The primary goal of the phishers we see appears to be to misuse compromised university accounts to send out further phishing emails to others, and in some cases it is those others (rather than us) that suffer more as the second phase phishes may result in compromised financial details and thus money lost.

This though could easily change. With a compromised account the phisher could just as easily look to wipe files and email, apply ransomware to files, use the account as a stepping stone to compromise other accounts you have for banking or online purchasing, or use your account to probe our systems from the inside for weaknesses to further escalate the mischief and damage they may then be able to do. They could also use the account to compromise university confidential information, which could require lengthy and costly investigation, reporting to the Information Commissioner's Office, and a hefty fine for the university. This is something we all would wish to avoid!

Conclusion

Overall, then, treat your university credentials with the respect and value they need and deserve, placing them alongside the value you hopefully put on your banking details, the keys to your house, etc.