Avoid sending bulk email that looks “phishy”
If your department sends bulk email, UC needs your help!
Phishing attacks—emails intended to fool the recipient into clicking on bad links or revealing sensitive information—are the number-one cybersecurity threat to UC.
For this reason, UC expends considerable effort training the UC community to recognize and avoid opening or responding to emails that appear “phishy.” These malicious emails have certain characteristics, including:
- Non-UC sender email address
- Sense of urgency, which necessitates immediate action
- Incentivizing action via gift cards or other rewards
- Web links (URLs) that are not UC-related
- Usage of shortened web links (aliases for redirection of long URLs)
Legitimate but phishy-looking bulk emails are often sent from UCOP departments and suppliers to colleagues around the system. Many times, they are sent from non-UC email addresses, which makes them seem even more suspect. (As an example, some staff have been confused about the employee engagement survey legitimately administered by Willis Towers Watson.)
This situation is problematic: If departments or their vendors distribute phishy-looking email, well-trained UC staff often delete the message without reading it. Obviously, that does not serve the department’s goals.
Legitimate but phishy-looking email also creates confusion for our security-aware staff. Such messages can “re-train” staff to trust phishy-looking email, making them more likely to fall victim to a phishing scam. In this way, legitimate but phishy-looking email undermines UC’s cybersecurity training investments.
How you can help
First, please review best practices for sending bulk email. A few quick tips are:
- Explain and provide context for the message.
- Include a method for recipients to verify the email.
- Do not link to non-UC websites.
- Share these best practices with any vendors that send bulk email on your behalf.
Second, please alert the UCOP IT Service Desk (firstname.lastname@example.org) two weeks before distributing any bulk emails. With advance notice, ITS can quickly field any erroneous phishing reports.
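One way a department could check a draft against the characteristics listed above before sending is sketched below. This is an added example, not a UC tool: the keyword patterns and shortener list are illustrative assumptions, and `uc.example` is a placeholder for the institution's real domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Illustrative lists (assumptions); tune them for your own mailings.
SHORTENERS = ("bit.ly", "tinyurl.com", "t.co", "ow.ly")
URGENCY = re.compile(r"\b(urgent|immediately|act now|within 24 hours|final notice)\b", re.I)
INCENTIVE = re.compile(r"\b(gift ?cards?|prizes?|rewards?|raffle)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"')]+", re.I)

def in_domain(host, domains):
    """True if host equals, or is a subdomain of, one of the given domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def lint_bulk_email(raw, allowed_domains):
    """Return (check, evidence) pairs for each phishy trait found in a draft."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1]
    if not in_domain(sender.rpartition("@")[2], allowed_domains):
        findings.append(("sender", sender))
    # Scan the subject plus every text part (plain or HTML).
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
             if p.get_content_maintype() == "text"]
    text = msg.get("Subject", "") + "\n" + b"\n".join(parts).decode("utf-8", "replace")
    for check, pattern in (("urgency", URGENCY), ("incentive", INCENTIVE)):
        match = pattern.search(text)
        if match:
            findings.append((check, match.group(0)))
    for url in (u.rstrip(".,;") for u in URL.findall(text)):
        host = urlsplit(url).hostname
        if in_domain(host, SHORTENERS):
            findings.append(("shortened_link", url))
        elif not in_domain(host, allowed_domains):
            findings.append(("external_link", url))
    return findings

# Constructed sample drafts; "uc.example" stands in for the real institutional domain.
ALLOWED = ("uc.example",)
PHISHY = """From: Survey Team <surveys@vendor.example>
Subject: Action required immediately: complete your survey

Finish within 24 hours to win a gift card: https://bit.ly/abc123 or https://vendor.example/survey"""
CLEAN = """From: HR Communications <hr@uc.example>
Subject: Annual engagement survey opens Monday

Background and a contact to verify this message: https://hr.uc.example/survey."""
if __name__ == "__main__": print(lint_bulk_email(PHISHY, ALLOWED))
```

An empty result does not make a message trustworthy on its own; the draft still needs the context and verification method described in the tips above.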
For questions and more information, please contact Jenn Bejaka.