Several UiB employees have recently been the subject of attempted fraud online. The IT department asks all employees to be aware.
Recently, new attempts at «phishing» and financial crime against employees at UiB have been identified. Employees receive e-mails that pretend to be from another employee at the university, preferably a superior, but that come from an e-mail address that does not belong to UiB. In the message, you are asked for a favour: to buy an Apple gift card.
Unfortunately, the IT department has examples of employees being tricked into buying Apple gift cards and sending the gift card codes to what they think is a colleague by replying to the fake e-mail. The codes then fall into the hands of fraudsters, who resell them.
In Outlook on PC/Mac, both display name and e-mail address are displayed, as in the example below:
If you read e-mail on a mobile phone, which has become more and more common, you have to hold your finger on the display name until the e-mail address part is displayed.
The security group at the IT department has fixed routines for handling and stopping such e-mails daily within normal working hours, but we ask our employees to be aware and vigilant. Fake e-mail messages can be sent to postnuke@uib.no. If you have any questions, contact BRITA.
The chief information security officer at UiB has the following «never-do-rules» to prevent unfortunate incidents that could also harm UiB as an organisation:
- Never do anything involving money in response to an e-mail or text message without checking whether the person in question has actually contacted you about it. This means that you never reply to the message, but instead contact the person through the channels you normally use to reach them.
- Never provide login information, even if someone asks for it, regardless of who they pretend to be. IT departments and other authorities never ask for it, because doing so is a serious breach of information security.
- Never provide credit card details over a phone call that you have not initiated yourself, and as far as possible use online services instead.
In addition, the following habits will save you and UiB from risk and a lot of follow-up work:
- Always take a few extra seconds to check the address on links before clicking. On PC/Mac, hold the mouse pointer over the link; on a mobile phone, hold your finger on the link until the link address appears. All links to, for example, UiB help start with: https://hjelp.uib.no.
- Always check the sender’s address if you open an attachment in an e-mail.
- Always use extra login steps, corresponding to what you are used to at UiB, for all services that offer them (for example, private e-mail services such as Gmail, or social media).
- When an organization asks you to log in, enter its web address yourself rather than using a link provided in an e-mail, unless you are expecting an e-mail for a specific purpose (for example, you have used a «forgot password» or «confirm e-mail address» function on a website) and that e-mail arrives within reasonable time. If you do not know the exact website address of the organization in question, use Google search or another search service in the browser. Then you know you have come to the right website and not a fraudulent one.