Higher education institutions such as UC Riverside are prime targets for phishing, the fraudulent practice of sending communications (e.g., emails and SMS messages) that appear to be from reputable individuals or companies in order to induce people to reveal confidential information. The attacker's goal is to gain access to sensitive data and login information, install malware on the victim's device, or steal money. Phishing is a common type of cyberattack that can have devastatingly damaging consequences.

Smishing is a type of phishing that occurs via text messages. Smishing attempts targeted at the UCR community typically try to impersonate an individual in a leadership, teaching, or research role and ask unsuspecting staff, students, and faculty to perform tasks that involve money or sensitive information.

Smishing bypasses any cybersecurity controls that the UCR Information Security Office has put in place to protect the campus community. As such, it is imperative that campus users be mindful of the text messages they receive. Threat actors can spoof phone numbers, so if you receive a message that seems out of the ordinary or is out of character for the sender, please verify the message using a trusted campus communication channel.

Please know that legitimate business requests, transactions, and job offers are not sent to Highlanders through SMS or any means other than the University’s secure channels, such as UCR email and applications. If you receive any suspicious communications, please report it immediately. Phishing emails can be reported through PhishAlarm and by sending an email to the UCR Information Security Office at infosecoffice@ucr.edu. You may also report directly to the FBI Internet Crime Complaint Center at https://www.ic3.gov/. Click “File a Complaint” and then select “Other Cyber Crime.”

Protect yourself from smishing attacks by following these security tips:

• Read messages carefully. Oftentimes, spam and phishing messages will have weird spacing, incorrect spelling, and poor grammar and will ask you for personal information or request you to perform some sort of action, like logging into a website that looks legitimate but is not.
• Never click a link from a number you are unfamiliar with. Verify information from the sender via a known safe method of communication, such as email or Slack.
• Do not respond to smishing messages. Instead, report spam texts to your wireless carrier. You may also forward all spam text messages to 7726 (Note: Not all carriers offer this).
• SMS is not a secure way to share personal information, so be wary of anyone requesting this information via SMS. A legitimate business will never request information from you via text messages, unless you have “opted-in” to receive text messages from them. However, even then it’s usually just to send you information or ask for verification of services.
• If you haven’t yet done so, get antivirus software for your phone and other handheld devices and keep the software on them up-to-date.
• Remove unused apps from your devices.