
In order to raise awareness of current phishing scam tactics, the Berkeley Lab Cyber Security team will begin sending emails to Berkeley Lab employees that simulate real phishing attacks. During the initial phases of this project, simulated phishing emails will only be sent to a list of users who opt in to receive them. Information about individual responses will NOT be shared with supervisors or HR.


The goal of this simulated phishing campaign is to help you learn how to spot a phish and report it to the Cyber Security team so that future attacks can be blocked.


Opting in

What to do when I see a phishing email

What is phishing?

Spam, Phishing, Targeted Phishing

Phishing

If you receive a phishing email, please report it to [email protected] and use our spam reporting procedures to send the spam to our anti-spam vendors.

Phishing is an attack that attempts to acquire sensitive information, such as usernames or passwords. Phishing emails frequently try to trick you into visiting a fraudulent website. For example, many phishing attempts redirect you to sites that appear to be eBay, Citibank, or PayPal but are not. The phishers are trying to trick you into typing your username, password, and other sensitive information into these fraudulent websites. The phishers would then use your stolen username and password on the real eBay, Citibank, or PayPal.

Targeted Phishing

If you receive a phishing email, please immediately report it to [email protected]

Cybercriminals are using sophisticated targeted phishing attacks to compromise computers at Berkeley Lab. The attack emails refer to familiar scientific projects, conferences, or experiments and may appear to come from colleagues, your supervisor, or even lab management. The attackers craft the messages to trick you into clicking a malicious attachment or link. Did you know a single click can compromise your system? Unfortunately, you cannot count on antivirus software to protect you from these attacks, since the malware is designed to avoid detection. This is a hard problem.

The best defense against these attacks is to be aware of the attack methodology, remain vigilant, and report anything suspicious. If you receive an email that looks suspicious, asks for information or action, and is specifically targeted at you in the context of your affiliation with Berkeley Lab, UCB, UC, or DOE, please forward it as an attachment to [email protected]. The Computer Protection Program is interested in anything that falls within the category of "targeted social engineering".

See the social engineering page for more information.

----

Phishing is a type of attack carried out to steal usernames, passwords, credit card information, Social Security Numbers, and other sensitive data by masquerading as a trustworthy entity. Phishing is most often seen on campus in the form of malicious emails pretending to be from credible sources, such as UC Berkeley technology departments or financial organizations related to the university.

By tricking campus users into giving away their information, attackers can:

  • Steal money from victims (modify direct deposit information, drain bank accounts)
  • Perform identity theft (run up charges on credit cards, open new accounts)
  • Send spam from compromised email accounts
  • Use your credentials to access other campus systems, attack other systems, steal confidential University data, and jeopardize the mission of the campus

The goal of most phishing emails is to trick you into visiting a web site in order to steal your CalNet credentials. Attackers will set up web sites under their control that look and feel like legitimate web sites. Often the phishing emails will have an immediate call to action that demands you "update your account information" or "login to confirm ownership of your account". If you enter your CalNet credentials into these illegitimate web sites, you are actually sending your CalNet username and password directly to the attackers.


Why is this necessary?

How will it be implemented?

How can you avoid phishing scams?

Training and Resources

Examples:

Opt-in
