Kayla Onyango said she’s had at least three phishing attempt emails sent to her Pitt email account since the beginning of the fall semester.
“I probably receive an email every month or so. It’s weird because they always look so real, I almost fall for them every time,” Onyango, a first-year finance major, said. “Sometimes they say things like ‘Your account is going to be deleted,’ or sometimes it’s ‘your package is missing.’”
Phishing attacks — realistic-looking emails that attempt to gather sensitive information from receivers, typically bank information — have become an ongoing issue at Pitt this academic year. Pitt IT is taking measures to combat these attacks, but it’s equally as important for students to know how to recognize and avoid them, according to John Duska, interim chief information security officer.
Onyango recalled when she received one of the emails and entered her bank information into a site that claimed to be UPS.
“I got this email that said my package had been lost, and I’d have to pay for it to get sent to the correct address,” Onyango said. “I entered my payment info, and I ended up having to cancel my entire debit card and file a claim with my bank. I still get emails like that sometimes, but now I just delete them.”
Onyango is not the only student who claims to have seen several phishing attempts in their Pitt email inbox within the last semester. Kayla Parks, a first-year economics major, said she has received emails similar to the ones Onyango reported.
“Some of them are super obvious. Like they’ll say ‘act now’ in all caps or something like that,” Parks said. “But a lot of them are really hard to decipher. I try to ignore anything that looks a little suspicious.”
Parks said she has received emails almost every month during her time at Pitt.
“I’ve probably received four or five,” Parks said. “The one that scared me the most said that my whole Pitt email account would be deleted unless I followed a link. Luckily, I did not click on that link.”
Duska explained how these attacks persist in such large quantities.
“More than half of all emails received by Pitt are considered potentially malicious and blocked,” Duska said. “Even though we are blocking a large number of emails, no filter is 100% reliable, so we continue to have phishing attacks that make their way into Pitt mailboxes.”
An article posted by Pitt IT in July 2023 provided some things to look for in a suspected phishing email, such as file attachments, links and prompts asking receivers to share their Pitt username and password. The article encourages students to forward phishing emails to [email protected] instead of deleting them.
“Although your first instinct may be to ignore or delete suspicious emails, we recommend that you report them to our security team. We will examine the email and, if necessary, advise you of any further steps you may need to take,” the article states.
Duska explained that most of the phishing attempts students receive are “not of great risk.”
“Fortunately, most phishing attacks do not carry dangerous payloads like ransomware. Most of the phish we see are scams or simply aim to find more victims to continue propagating more phish,” Duska said. “However, we always want to do more to minimize the impact of these attacks.”
Duska said Pitt IT has taken two “major steps” to decrease the risk of phishing attempts in Pitt email accounts.
One measure is multifactor authentication through the Duo App, which all students must use to sign into their Pitt accounts.
“Logging in with Duo is required when a user allows or changes access to Pitt email on a device,” Duska said. “It is important to never accept a Duo prompt when you did not initiate a login. That means an unauthorized person is trying to log in to your account.”
The second measure Pitt IT has taken is security awareness training, which they implemented in the fall semester of 2023.
“This course was designed specifically for students. All students should take this course to learn how to protect themselves from phishing attacks and other cyber threats,” Duska said. “Pitt IT also offers a security awareness course called Phishing Foundations. It’s a 15-minute course that teaches how to recognize and report phishing attacks that you receive.”
Duska’s recommendation is to “think before you click.”
“If an email looks suspicious or an offer looks too good to be true, it’s probably a phish,” Duska said. “Never interact with any suspected phishing emails. Report them to Pitt IT or forward them to [email protected].”