Cybersecurity: Recognizing and preventing phishing attacks

July 6, 2022  //  FOUND IN: Updates & Resources

Phishing is still the largest cybersecurity threat facing organizations, including Michigan Medicine. With the ongoing advancement in phishing attacks, people continue to fall victim, increasing organizational risks associated with cybersecurity. 

Phishing is the use of malicious emails or websites to trick you into revealing your password or other sensitive information, or to infect your computer with malware. 

Below are several types of phishing tactics you may encounter these days: 

Spear phishing 

This approach tends to target interconnected groups of people, such as social media groups or a collection of workplace employees. For example, many phishing emails sent to Michigan Medicine will appear to be from the institution itself — even including correct branding and web login screens to lure victims into entering credentials. 

Pro tip: Practice checking the URL of the Level-1 and Level-2 password login pages, which are: 

  • Level-1: weblogin.umich.edu 
  • Level-2: weblogin.med.umich.edu 
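
The check in the pro tip above, written out as an added example (not Michigan Medicine's own code): the hostname of a link must match one of the two login hosts exactly, so a page that merely contains the right name somewhere in its address fails. The function name, the https requirement and the sample URLs (on the reserved example.test domain) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# The two login hostnames given in the pro tip above.
TRUSTED_LOGIN_HOSTS = {"weblogin.umich.edu", "weblogin.med.umich.edu"}


def login_host_verdict(url):
    """Return (is_trusted, reason) for a link that claims to be a login page."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lower-cased; userinfo and port are removed
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":  # assumption: login pages are https only
        return False, "not https"
    if not host:
        return False, "no hostname"
    host = host.rstrip(".")  # tolerate a fully qualified trailing dot
    if not host.isascii() or "xn--" in host:
        return False, "non-ASCII or punycode hostname"
    if host in TRUSTED_LOGIN_HOSTS:
        return True, "exact match"
    return False, "hostname is not a known login host"


# Constructed sample links; the unsafe ones use the reserved example.test domain.
SAMPLES = [
    "https://weblogin.umich.edu/cosign-bin/login",   # real host, exact match
    "https://weblogin.med.umich.edu/",               # real host, exact match
    "https://weblogin.umich.edu.example.test/",      # trusted name used as a prefix
    "https://example.test/weblogin.umich.edu/",      # trusted name only in the path
    "https://weblogin.umich.edu@example.test/",      # trusted name before an @ sign
    "http://weblogin.umich.edu/",                    # right host, not encrypted
    "https://webl\u043egin.umich.edu/",              # Cyrillic letter in place of 'o'
]

if __name__ == "__main__":
    for link in SAMPLES:
        trusted, reason = login_host_verdict(link)
        print(f"{'OK  ' if trusted else 'STOP'} {reason:38} {link}")
```
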

Whaling 

These attacks are targeted at specific individuals, where the criminal poses as someone of authority, such as an executive leader. Although these may not be as effective as spear phishing, the approach plays on the employees’ willingness to follow instructions. 

Pro tip: If a request from leadership seems outside of normal processes, reach out to the person for confirmation.   

Smishing and vishing 

Both forms of phishing use the telephone instead of email.

Smishing focuses on sending text messages that ask victims to click links leading to fraudulent websites designed to capture their sensitive information.

Vishing, on the other hand, is the practice of making fraudulent phone calls or leaving voice messages to lure people into providing sensitive information. 

Pro tips: When you receive a text message you are not anticipating (especially if it asks you to click a link), delete the text message. You can also block the number to avoid follow-up messages. 

If you receive phone calls asking you to reveal personal information, hang up. Many times, callers will impersonate the IRS or local police. The situations they are calling about would never be handled over the phone. 

Angler phishing 

These are social media-based attacks using fake URLs and cloned websites, tweets, posts or instant messaging in order to deliver malware.  

Pro tip: Always double check URLs, and do not overshare on social media.  

Tools have been implemented to help reduce the number of phishing emails that get through to Michigan Medicine’s workforce, but unfortunately some malicious emails still make it through. Protecting Michigan Medicine from cyber crimes is not one team’s or one person’s responsibility; it’s a shared responsibility across the entire organization. 

Report all suspicious emails using the Report Phishing button in Outlook. 

Thank you for playing your part in preventing cybersecurity attacks at Michigan Medicine!
