As Johns Hopkins' IT team works to protect the institution from an increase in cyberattacks, it is asking everyone in the university community to be on the lookout for phishing scams. This type of attack uses phony websites or email messages that appear to come from trusted businesses and brands in order to steal personal information such as user names, passwords, credit card numbers, or Social Security numbers.
"As the techniques become more sophisticated, it becomes more difficult to tell a phishing attack from an authentic email," said Stephanie Reel, vice provost for information technology and chief information officer, and Darren Lacey, chief information security officer, in a message to the Johns Hopkins community. "Everyone in our organization plays a role in making sure our information and networks are protected."
In order to assist faculty and staff with security awareness training, Reel and Lacey said, Johns Hopkins Information Technology has licensed a phishing simulation tool called PhishME. The tool works by creating phishing attacks—using the latest tricks and tactics but with no harmful results—and sending them to a subset of faculty and staff throughout the year. If a recipient clicks on the link in the message and enters his or her credentials, a message will appear with targeted educational material about identifying phishing messages and phony webpages.
Along with this educational approach, IT recommends all employees protect themselves by remembering some Dos and Don'ts:
- Don't send passwords or any sensitive information over email.
- Don't click on "verify your account" or "login" links in any email.
- Don't reply to, click on links in, or open attachments in spam or suspicious email.
- Don't call a phone number in an unsolicited email or give sensitive data to a caller.
- Do be cautious about opening attachments, even from trusted senders.
- Do forward impersonating or otherwise suspect email to IT. The address is email@example.com.
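The Don'ts above can also be expressed as machine-checkable rules. The Python script below is an added example for this page; it is not Johns Hopkins IT's tooling and not part of PhishMe. It parses a raw email, flags a Reply-To whose domain differs from the From domain, anchors whose visible text names one site while the href points to another, and "verify your account" or "login" style call-to-action links. The sample message, its sender, and every domain in it are constructed for illustration.

```python
"""Heuristic phishing checks that encode the Dos and Don'ts as code.

Added example for this page; not Johns Hopkins IT's tooling and not part
of PhishMe. The sample message and its domains are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: institutional-looking display name, while Reply-To and
# the call-to-action links point at a lookalike domain.
SAMPLE_EMAIL = """\
From: "JHU IT Support" <helpdesk@jhu.edu>
Reply-To: support@jhu-account-verify.example
To: user@jhu.edu
Subject: Action required: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your mailbox is over quota. Please
<a href="http://login.jhu-account-verify.example/auth">verify your account</a>
within 24 hours, or go to
<a href="http://jhu-account-verify.example/portal">https://my.jh.edu</a>.</p>
<p>Campus map: <a href="https://www.jhu.edu/maps">jhu.edu/maps</a></p>
</body></html>
"""

# Call-to-action wording the Don'ts list tells users never to click.
ACTION_WORDS = re.compile(r"\b(verify|log ?in|sign ?in|confirm)\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels). A real deployment should use the
    public suffix list so that names like example.co.uk compare correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Host named by the visible link text, or None when the text is not a
    URL or bare domain (e.g. 'verify your account')."""
    if " " in text or "." not in text:
        return None
    parsed = urlparse(text if "://" in text else "http://" + text)
    return parsed.hostname


def analyze(raw_message):
    """Return [(rule, detail), ...] findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = registered_domain(sender.rpartition("@")[2])
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and registered_domain(reply_to.rpartition("@")[2]) != sender_domain:
        findings.append(("reply-to-mismatch", f"{sender} vs {reply_to}"))

    body = msg.get_payload(decode=True) or b""
    html = body.decode(msg.get_content_charset() or "utf-8", errors="replace")
    extractor = LinkExtractor()
    extractor.feed(html)

    for href, text in extractor.links:
        href_host = urlparse(href).hostname or ""
        shown = host_of(text)
        if shown and registered_domain(shown) != registered_domain(href_host):
            # Visible text names one site, the href goes somewhere else.
            findings.append(("display-href-mismatch", f"{text} -> {href}"))
        elif ACTION_WORDS.search(text):
            # "verify your account" / "login" style link: report, never click.
            findings.append(("action-link", f"{text} -> {href}"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EMAIL):
        print(f"{rule}: {detail}")
```

Running the script prints three findings for the embedded sample and none for a message whose links and Reply-To all stay on the sender's domain. The eTLD+1 helper is deliberately crude; before comparing hosts, a production version should consult the public suffix list and follow shortened or redirecting URLs, since lures commonly hide the final host behind a redirector.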