OIT releases updated phishing guidance, including vigilance for Microsoft Teams

Phishing is when internet attackers impersonate someone or something you know to get you to disclose sensitive personal or University information, such as your password or credit card details. These attackers are constantly evolving their methods and tactics in the hopes that individuals will not recognize their messages are fraudulent. 

Often, we talk about phishing occurring via unsolicited or unexpected email messages, but the Office of Information Technology (OIT) reminds you that phishing messages can also be received via text messages, phone calls, or even collaboration tools such as Microsoft Teams. In fact, several companies have recently issued warnings of receiving sophisticated phishing attacks via their Microsoft Teams platforms. Similar to email phishing, their employees received messages from unfamiliar senders requesting that they visit a link, download a file, or reply to the sender with sensitive information.

While not every unsolicited message is a phishing attack, it should be inspected for other suspicious elements that may help you identify if it is legitimate message or not. A good rule of thumb is to ignore and delete the message if it has two or more of the suspicious elements discussed below.

In the event you receive unexpected Teams messages from unfamiliar senders do not engage with messages that contain the following:  

• Messages from non-OHIO senders. Hover over a sender’s name or profile image to verify that they are a legitimate OHIO faculty, staff, or student. If they are not, proceed with extreme caution. 
  • Pay special attention to variations of "@ohio.edu" email addresses. For example, a cybercriminal might use an "@ohio-edu.org" email address.
• Offers that are too good to be true. If it sounds too good to be true, it probably is. For example, part-time job scams often offer to pay an exorbitant amount of money for a simple task. 
• Requests for personal or financial information. Don't reply to messages requesting this information. 
• Urgency or quick deadlines. The attacker will try to make the recipient believe they need to act quickly and create a sense of panic to try and prompt swift action.   
• Links to websites that don’t begin with “https”. Always be cautious when an unfamiliar sender is asking you to click a link. The “s” in “https” stands for secure. Never sign into websites that aren't using https in the URL. 
• Misspelled words and bad grammar. A legitimate sender would proofread and fix these errors before sending. 

If you receive a message that you suspect is phishing, please alert security@ohio.edu. If the Information Security team confirms that the message is malicious, they will post it to the Phish Bowl to warn others in the Ohio University community.  

To learn more, review OIT’s guidance on identifying malicious messages and remember that phishing can occur through any communication mechanism, not just email.