What is Phishing?
Phishing emails are malicious attempts to obtain sensitive information, like usernames, passwords, banking information, etc. Entering information into a website linked out a phishing email or website can lead to identity theft and compromised accounts. Phishing emails can also contain viruses or other unwanted software.
Targeting specific people, groups, or departments is known as "spear phishing". The messages may be tailored to a specific job function or "spoof" a known colleague or supervisor. An example of a spear phishing email would be an email that appears to come from or simply references your manager's name that requests that you open a file or click on a link. When in doubt, contact the person that you know directly to ask if they sent/shared that file/email.
Phish Alert Button
The Phish Alert Button (also labeled as "Report to OU IT") is the most effective way to report suspected phishing emails to the OU IT Cybersecurity team. Reported emails are removed from your inbox and analyzed to see if they might be a cybersecurity threat.
Your use of the button gives a warning to the IT Cybersecurity team of possible phishing attacks and malicious emails. With your warning, the team can take effective action to prevent security or network compromise, including by quickly removing malicious emails from all university inboxes. If you receive an email you are concerned about, please use the Report to OU IT button and our team will investigate.
The Phish Alert Button is associated with KnowBe4, the OU IT Cybersecurity Learning Management System. In addition to protecting university data as well as allowing for quick removal of malicious emails from all university inboxes, utilizing the Phish Alert Button counts toward your KnowBe4 Learner Dashboard score and badges.
The Phish Alert Button Icon
Look for the icon below on individual emails within Outlook. When you suspect an email might be phishing, report it by clicking the button!
If you do not see the Phish Alert Button in the version of Outlook that you are in, please visit the Phish Alert Button article for steps to add the button. Please note - the Phish Alert Button is not available within other email clients such as Mac/Apple Mail app, Samsung Email app, Thunderbird (app or browser), Windows Email and Calendar, etc.
Awareness and Training
OU IT will often reference the term "Human Firewall" in correlation with cybersecurity training modules. "Human Firewall" comes from the idea that security is not just a technology issue but rather a people and process issue. Cybercriminals are increasingly using people-centered attacks that rely on social engineering and human interaction - "the human factor" - the instincts of curiosity and trust that lead the unaware user to click on fake websites, download and install malware, move funds to fraudulent accounts, and more.
The Human Firewall program engages end-users by using the KnowBe4 training tools to focus attention on cybersecurity and help build digital self-defense skills through real-world scenarios. This includes understanding what these attacks look like. Faculty, staff, students, affiliates, and all other @ou.edu/@ouhsc.edu email account holders are sent simulated phishing emails to help users recognize red flags more quickly through purposeful repetition. When you suspect a phishing attempt (real or simulated), use the Phish Alert Button in Outlook. This action warns the OU IT security team of possible phishing attacks and malicious emails. Please note - users cannot opt out of these simulated phishing emails or required cybersecurity training modules (described below).
Everyone is responsible for cybersecurity, making formal training and awareness programs a foundational component of any Cybersecurity Program.
- All OU Staff, Faculty, and Students must complete annual Phishing Awareness training.
- All OU Staff, Faculty, and Students that fail a scheduled OU IT phishing simulation must complete additional required Social Engineering Awareness training.
- OU Staff, Faculty, or Students found to violate University Information Security Policy must complete required Information Security training to be named at the time of Incident and commensurate with the Incident type.
General Email Safety Tips
- Only use your @ou.edu email address for University business, not personal business such as banking, online purchases, social media, etc. Not only does this keep your OU account more secure, it makes transitioning away from you @ou.edu/@ouhsc.edu email address much easier when you are no longer a student/employee for OU.
- OU IT will NEVER ask for your log in information via email. If you reach out to OU IT to request account assistance, we may ask for some information in our response, but will never ask for your password.
- Financial institutions will NEVER ask for your information through email. If you receive an email from them soliciting information, call them directly or visit their website through your browser (do not click any links in the email).
- If you suspect anything malicious, attempt to call and verify with the sender.
- If you receive an email with a link or attachment that you were not expecting, proceed with caution. Be cautious of attachments.
- Be sure to check the sender’s address – if expecting an OU address be sure that it is a valid @ou.edu email address.
- If your email client (app/program) does not automatically display the sender's email address, but only their name, hover over or click on the name to reveal the email address.
- Be aware that websites beginning with “http”, as these are not encrypting any sensitive information that is entered on them. Website beginning with “https” are encrypting it.
- Investigate the validity of a website if you receive a security warning through your browser.
- Change your password immediately if you have accidentally responded to a phishing email. You can change your OUNetID password by visiting one.ou.edu – and see when it was last changed.
- If you receive an email asking you to purchase a gift card or something similar, always call the sender and verify that they really sent it. Use a phone number that you have or can locate on a vendor's actual website, not a phone number include in the email you received.
- Be alert when reading emails, especially when information is requested.
Spam
- Spam emails are defined as unwanted, mass emails. Spam emails are not necessarily malicious in nature (like a phishing email), but they are unwanted, not requested, and generally sent to mass user lists.
- More than 90% of the e-mail messages sent to campus are spam. OU IT blocks about 85% of all messages as spam. However, we cannot block all spam at a campus-wide level without increasing “false positives” (legitimate messages that get tagged as spam).
- Not all unwanted emails are spam or phishing attempts; they might simply be advertisements.
- Attempt to unsubscribe from newsletters and advertisements to clear up your inbox.
- The safest way to unsubscribe from advertising emails is to go directly to the website mentioned to adjust notification settings.
- If the advertisements you are receiving are from a known vendor with which you have an ongoing business relationship/account, you can generally locate an "unsubscribe" or "notification preferences" link near the bottom of the email.
Blocking Unwanted Senders
You can use the junk mail settings in Outlook to further control who can or cannot send you emails. Select an email in your inbox, right click, then select "Block" and "Block Sender".
Proofpoint
OU IT has implemented an email security gateway – Proofpoint – to help improve email security and protect users from spam and phishing emails.
The Proofpoint Messaging Security Gateway is an application that provides spam, virus, and content policy infrastructure to OU’s email applications. All incoming email is inspected by the Proofpoint Messaging Security Gateway as soon as it arrives at our campus. Messages that contain a virus, spam, or inappropriate content are sent to a Quarantine area.
For more information, see this article.