Pitt IT implements new measures to prevent phishing attacks

In light of a recent barrage of phishing and scam emails sent to student and faculty accounts, Pitt IT is implementing new security measures to help curb the problem. 

A phishing email is defined as a fraudulent email sent to gain sensitive information. The University has received an increase in phishing attacks this semester, according to the University Times. As a result, Pitt IT is implementing new policies to prevent and educate the Pitt community from falling for these scams. 

Anyone who falls victim to a phishing email is enrolled in IT’s phish security training, which consists of a 15-minute educational video. After the training, the individual is also enrolled in a phishing simulation program, where IT sends them “safe,” or simulated, phishing emails as tests for several months.

John Duska, Pitt’s interim chief information security officer, said the new measures will help train individuals to better recognize phishing scams, and keep the Pitt community safe. 

“That’s an exercise to help them recognize phish, and we can track their progress,” Duska said. “Secondly, we enable modern authentication, which is a fancy way of saying multi-factor authentication or a Duo (mobile device app verification) is required anytime a user sets up or changes access to Pitt email on a device.”

IT has also expanded anti-phishing filtering rules to all pitt.edu emails, rather than just external emails. 

Additionally, Pitt IT has expanded the definitions of phishing emails to help further educate the Pitt community. 

• Quishing (being sent a malicious QR code) 
• Whaling (phishing that targets the “big fish”/higher-ups in the executive suite)
• TOAD (telephone-oriented attack delivery, which uses email to try to get you to call back with personal information)

Anne Heitke, a senior analyst with Pitt IT, said while measures are being taken to prevent further phishing attacks from happening again, individuals should still be careful. 

“The best security against social engineering is you,” Heitke said. “You can be the biggest security tool out there.”