
If it is not really your boss, you are in deep trouble

Imagine you have a boss who can get just a little blunt and direct when she is busy and under pressure. She doesn’t like a lot of email back and forth when she is rushed. One day she sends you an email asking you to quickly take care of an urgent bank transfer. No time now to explain. She’ll do that later.

You know she appreciates and expects a timely response, so you drop everything and take care of it immediately. When you bring it up with her later, expecting some praise for your efficiency, she doesn’t know what you are talking about. Someone has just gone spear phishing and you are their catch of the day.

When people send deceitful emails to lots of potential victims hoping to trick a few of them into giving up confidential information, typically by directing them to fake log-in pages or other online traps, it is called phishing. When someone focuses their efforts on one specific person or, perhaps, a small number of targeted people at an institution, it is called spear phishing.

Filters at USU block most phish messages but hundreds do get through and when that happens only a healthy amount of internet skepticism can protect someone from getting tripped up, according to Bob Bayn, a USU network security analyst. He said people in key financial positions at USU have been told to be on the lookout for the latest spear phishing attacks, so he believes they are alert to the possibility of such approaches.

In recent years phishers have tried several times to trip up people at USU by pretending to be the university president, a vice president, or a dean. In some cases they have targeted specific people they believe are authorized to transfer funds, but so far every attempt has failed.
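The pattern described above, a familiar executive's name on the From line with a message that is actually sent from an outside address, is something a mail filter or a careful reader can check for mechanically. The following is an added illustrative example, not USU's filter and not code from the article: it flags display-name impersonation (a known executive's name paired with a non-institutional sender domain), a Reply-To that quietly redirects answers to a different domain, and pressure language such as "urgent" or "wire". The executive roster, the institutional domain `university.example`, and both sample messages are constructed for the demonstration.

```python
"""Flag e-mail that borrows a named executive's identity (display-name spoofing).

Added illustrative example, not an institution's production filter. The roster,
the institutional domain and the two sample messages below are constructed.
"""
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed: the institution's own sending domain(s) and a roster of names that
# phishers like to borrow. In a real deployment both come from a directory.
INSTITUTION_DOMAINS = {"university.example"}
EXECUTIVE_NAMES = {"pat president", "casey dean"}

# Pressure phrases typical of payment-fraud phish; a weak signal on its own.
URGENCY_TERMS = ("urgent", "wire", "bank transfer", "asap", "right away")


def _norm_name(display_name: str) -> str:
    """Lower-case, collapse whitespace, drop commas so 'President, Pat' compares."""
    return " ".join(display_name.replace(",", " ").lower().split())


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonation_flags(raw_message: str) -> list[str]:
    """Return human-readable reasons the message looks like executive impersonation.

    An empty list means none of the three heuristics fired; it does not mean
    the message is safe (a From address forged on the institution's own domain
    is caught by SPF/DKIM/DMARC, not by this check).
    """
    msg = message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    flags: list[str] = []

    # 1. A known executive's name, but the mail did not come from our domain.
    if _norm_name(from_name) in EXECUTIVE_NAMES and from_dom not in INSTITUTION_DOMAINS:
        flags.append(f"display name '{from_name}' with external sender domain '{from_dom}'")

    # 2. Replies are redirected somewhere other than the apparent sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        flags.append(f"Reply-To domain '{_domain(reply_addr)}' differs from From domain '{from_dom}'")

    # 3. Urgency / payment language in subject or plain-text body.
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')} {body_text}".lower()
    hits = [term for term in URGENCY_TERMS if term in text]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))

    return flags


# Constructed sample: the scenario from the article, executive name on the From
# line, outside sender domain, replies redirected, "do it now, explain later".
SPOOFED = """\
From: Pat President <pat.president.office@webmail.example>
Reply-To: Pat President <pp.office@freemail.example>
To: finance.clerk@university.example
Subject: Urgent bank transfer
Content-Type: text/plain; charset="utf-8"

In meetings all day. Please take care of this wire right away, will explain later.
"""

# Constructed sample: the same executive writing from the institutional domain.
LEGITIMATE = """\
From: Pat President <pat.president@university.example>
To: finance.clerk@university.example
Subject: Quarterly budget meeting
Content-Type: text/plain; charset="utf-8"

Agenda attached for Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, "->", impersonation_flags(sample) or ["no flags"])
```

The first rule is deliberately narrow: it fires only when a roster name is paired with an outside domain, so an executive who genuinely writes from a personal webmail account will be flagged and needs a human to confirm by phone, which is the right outcome for a payment request anyway. The rules say nothing about a forged address on the institution's own domain; that case belongs to SPF, DKIM and DMARC enforcement at the mail gateway.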

“When the suspicious emails come in sometimes I have asked people to play along with the bad guys until they get directions on how to transfer the money or a bank account number,” he said. “That way I can notify the bank that someone is using one of its accounts to phish and steal from others. The bank can then freeze the transactions until it can double-check with the sender.”

He can’t take it for granted, however, that people will always recognize an attempt to steal credentials or money. Teaching the USU community to be cautious is a never-ending part of his job because “electronic filtering is never perfect,” he said.

“We live in a nice, safe and friendly place and we trust each other,” he said, “but we’ve got to remember the internet is not the nice, safe and friendly place that we are used to living in. We have to be on guard. We have to just pause for a moment and look at everything that comes along that is at all unusual, unfamiliar or unexpected. Unexpected might include things that look familiar, such as something that is coming from a boss or an email that looks like it is from a friend.”

Spear phishers don’t always go after an institution. If someone gets your credentials without you realizing it, they could get into Banner, for example, and reroute your direct deposit checks, he said.

“The losses that are incurred when a phish is successful can be both institutional and personal,” Bayn said. “The phisher may end up being able to defraud the institution or may succeed in stealing from you.”

For more information on how you can spot phish messages read: How to recognize and report phish messages.