Don’t Take the Bait: Aggies’ Guide to Phishing
Phishing scams are on the rise at UC Davis and other higher education institutions, targeting students, faculty and staff with increasingly sophisticated tactics. Phishing is a form of cyber fraud where attackers impersonate trusted sources to trick you. Tap the links to navigate this article and protect yourself against phishing scams.
- Recent Phishing Scams
- How to Avoid Phishing Scams
- Signs of Phishing
- What to Do if You Suspect a Phishing Attempt
- Cybersecurity Awareness Month
Recent Phishing Scams
Some scammers may impersonate UC Davis departments, professors, and job recruiters to obtain sensitive information from you. They can target all sorts of information from your CAS login to personal details like your bank information. Here are some recent scams that have been reported at UC Davis:
- Fake DocuSign requests: Some closely mimic legitimate DocuSign requests. Before clicking, hover over the link to confirm it directs you to a legitimate DocuSign site.
- Fake Login Screens: Hackers may create fake login screens with the same look-and-feel as UC Davis websites.
- AI-Driven Phishing: Cybercriminals may leverage artificial intelligence to create realistic audio or video messages that convincingly impersonate trusted colleagues, supervisors, or even family members—without their consent.
Knowing how to spot a phishing scam is essential to protecting your identity, your data, and institutional information.
How to Avoid Phishing Scams
Avoid falling victim to a phishing scam by keeping the following in mind:
- Never provide your information in response to an email or text message you do not recognize.
- Never share your passwords or Duo security codes. If you receive a Duo push that you are not expecting, do not approve it. Manage and audit the devices associated with your Duo account at: https://kb.ucdavis.edu/?id=02454
- Do not click suspicious links, download attachments, or enter your password or Duo code on an untrusted website or form. Hover over the link to verify the true destination or type the URL manually into your browser.
- Verify through a second channel. If you receive a suspicious DocuSign request, email, or even a call/video that seems unusual, confirm directly with the sender using an alternative, trusted method.
- Watch for fake login screens designed to steal your information. Make sure the web address (URL) is exactly what you expect and confirm the login screen by using a trusted URL.
- If you believe your password has been compromised, reset it immediately. Learn how at: https://kb.ucdavis.edu/?id=00101
- If you come across any suspicious messages or phishing attempts, do not respond and report it to cybersecurity@ucdavis.edu
Signs of Phishing
Phishing scams often take the form of emails or websites and use spoofing techniques to look legitimate. Lately, with the use of AI some of these scams look even more realistic, using realistic voice mimicry, deepfakes, images generated to look like loved ones or people you know, and sophisticated AI-personalized emails. In most cases, however, there are some red flags that indicate whether a message is legitimate or not.
Suspicious sender
- An email may look official but be wary of messages coming from non-university domains or domains that are close to the official @ucdavis.edu, but slightly off. Independently verify by looking up the person’s email in the UC Davis Directory and reaching out to them directly.
Unverified or inaccurate links
- Hovering over the link can reveal if the link matches the source it claims to be from. Also look out for slight misspellings in the URL. Never click on any links or download attachments in an unsolicited email or message from someone you don’t know.
Urgency or threats
- Messages that pressure you to act quickly or come with ultimatums are a big red flag. Remember, UC Davis will never ask for your password or personal information via email or texts.
Poor grammar or layout
- Typos, odd formatting, or broken English may indicate that the message is not from a legitimate source.
Attachments
- Some scams might come with files attached that often contain malware. Never open files with unfamiliar formats or that appear suspicious.
Highly personalized message
- Even if a message contains personal information about you, that doesn’t mean that it’s legitimate. Bad actors can use AI and information gleaned from your social media accounts to create a scam tailored just for you. In addition, hackers can use information you share publicly to try to guess your password and security questions, so be careful about what you put online.
Maintaining awareness and caution is one of our strongest defenses against these evolving threats!
What to Do if You Suspect a Phishing Attempt
- Do not click any links or download attachments.
- Forward the message to cybersecurity@ucdavis.edu.
- If you believe you’ve interacted with a phishing email, contact cybersecurity@ucdavis.edu.
October is Cybersecurity Awareness Month
UC Davis Information and Educational Technology (IET) is partnering with the Information Security Office (ISO) to provide cybersecurity tips and information throughout the month of October for Cybersecurity Awareness Month. Learn more and test your cybersecurity knowledge at: https://iet.ucdavis.edu/cybersecurity-awareness-month