
Phishing and cyber threats: recognizing them to defend yourself

Phishing is one of the most widespread cyber threats. The attacker’s goal is to steal sensitive information. In the university context, this type of attack represents a concrete risk for users, their accounts, and their data.

Phishing consists of fraudulent attempts aimed at obtaining confidential information (login credentials, personal data, or financial information) by impersonating communications from trustworthy sources. These attacks can occur via email, SMS (smishing), phone calls (vishing), instant messaging systems (e.g., WhatsApp, Telegram), or even through malicious QR codes (quishing).

Phishing attacks are based on social engineering techniques in which the attacker attempts to gain the user’s trust by disguising the communication as legitimate. An attack typically follows a recurring sequence:

  • Receipt of a message that appears to come from a trusted source (e.g., IT services, administrative offices, well-known platforms, or a colleague)
  • Induction of urgency or pressure on the user (“account expiring”, “immediate verification required”, “Have you seen this? Truly amazing :)”)
  • Inclusion of a link or another element (e.g., an attachment, QR code, etc.) that redirects to a counterfeit website or prompts the user to share information

The goal is to trick the user into entering sensitive data such as their login credentials or credit card number, which are then captured by the attacker. Once an account is compromised, it can be used to access institutional services, send further fraudulent messages, extend the attack to other users, and so on.

Phishing exploits user accounts as access points to digital services. Any user can become an attack vector, regardless of their role.

The compromise of a single account can have far-reaching consequences, including:

  • Unauthorized access to services and data
  • Sending fraudulent emails from institutional addresses (internal phishing)
  • Distribution of malware or further attack campaigns
  • Use of the account as an entry point to other systems

Access to an email account is not usually the attacker’s ultimate objective, but rather a starting point. It can be used to gather information about other services used by the victim, intercept communications, and exploit password recovery mechanisms to compromise additional accounts, including external services such as online platforms or banking systems.

Some recurring indicators can help identify suspicious communications:

  • Unusual sender: email addresses that resemble, but do not exactly match, legitimate ones (e.g., variations in the domain name or display name).
  • Urgent or intimidating tone: messages that pressure recipients to act quickly without performing proper verification.
  • Inconsistent links: URLs that do not match the expected domain. Before clicking, users should verify the actual destination by hovering over the link.
  • Inappropriate requests: legitimate organizations do not request passwords, credentials, or sensitive information via email or messaging platforms.
  • Errors in the content: grammar mistakes, formatting issues, or awkward translations that are inconsistent with official communications. Although this indicator is becoming less common due to attackers' increasing use of AI, it can still be a warning sign.
  • Unexpected content: unsolicited messages, especially those containing attachments or requests for immediate action.

The presence of one or more of these indicators should raise suspicion and prompt users to verify the legitimacy of the communication through official channels before taking any action.
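As an added example (not part of the original page or of the University's own tooling), the following Python script applies several of the indicators above to a constructed email: a lookalike sender domain, a display name that carries a different address than the real sender, a link whose visible text points to a different host than its href, and urgency wording. The trusted domain, addresses and message text are assumed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the institution actually uses (assumption: placeholder value).
TRUSTED_DOMAINS = {"university.example"}
# Wording that signals pressure to act quickly (see the "urgent tone" indicator).
URGENCY_TERMS = ("immediate", "expiring", "urgent", "suspended", "verify")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: suspicious message (placeholder domains, not a real campaign).
SAMPLE = """\
From: "it-services@university.example" <alerts@university-example.net>
To: user@university.example
Subject: Immediate verification required
Content-Type: text/html

<p>Your account is expiring. <a href="https://university-example.net/login">https://university.example/login</a></p>
"""
# Constructed sample: an ordinary internal notice with none of the indicators.
CLEAN = "From: IT Services <it-services@university.example>\nSubject: Library hours\n\nThe library closes at 18:00 on Friday.\n"

def looks_like(domain: str) -> bool:
    """Lookalike test: an untrusted domain that reuses a trusted domain's first label."""
    return any(domain != t and t.split(".")[0] in domain for t in TRUSTED_DOMAINS)

def phishing_indicators(raw: str) -> list[str]:
    """Return the names of the indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    found = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Unusual sender: address resembles, but does not match, a trusted domain.
    if sender_domain and sender_domain not in TRUSTED_DOMAINS and looks_like(sender_domain):
        found.append("lookalike-sender-domain")
    # Display name shows an address whose domain differs from the real sender's.
    m = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if m and m.group(1).lower() != sender_domain:
        found.append("display-name-address-mismatch")
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    # Inconsistent links: visible URL text names a host other than the href's host.
    for href, text in ANCHOR_RE.findall(body):
        href_host, text_host = urlparse(href).hostname or "", urlparse(text.strip()).hostname or ""
        if text_host and href_host and text_host != href_host:
            found.append("link-text-href-mismatch")
        elif href_host and href_host not in TRUSTED_DOMAINS:
            found.append("link-to-untrusted-domain")
    # Urgent or intimidating tone in the subject or the (tag-stripped) body.
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    if any(term in text for term in URGENCY_TERMS):
        found.append("urgency-language")
    return found

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE), phishing_indicators(CLEAN))
```

The checks are deliberately simple heuristics for illustrating the indicators; a mail filter in production would combine them with sender authentication results and link reputation rather than rely on string matching alone.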

Adopting conscious behaviors significantly reduces the risk of compromise:

  • Do not interact with suspicious content: avoid clicking links, opening attachments, or scanning QR codes from unexpected messages.
  • Always verify the sender and context: when in doubt, check through official channels (e.g., institutional website or direct contact).

In addition, it is always good practice to:

  • use strong and unique passwords for each service
  • enable multi-factor authentication (MFA) wherever available
  • keep devices and applications updated to reduce exploitable vulnerabilities

Prompt reporting of suspicious messages or unusual behavior is a fundamental element of overall security.

It is important to report:

  • suspicious emails and messages received through any channel (email, SMS, messaging apps, QR codes, etc.)
  • unrecognized logins or activity on your account

Reporting helps to:

  • protect other users from similar attacks
  • quickly activate technical countermeasures (e.g., blocking malicious links or domains)
  • update detection and filtering systems

Every report contributes to strengthening the security of the University.

In case of doubt or suspicion, it is therefore always advisable to stop the action and contact the University IT support at 5050@polito.it.

Cybersecurity is an ongoing process that requires attention and responsibility from everyone. Collaboration between users and IT services is essential to prevent incidents and protect the institution’s data and services.

FAQ: Why are universities frequent targets?

Academic institutions manage a large number of users, heterogeneous data, and open, collaborative infrastructures. This increases the attack surface and makes centralized security control more complex.

FAQ: What can an attacker gain from accessing a university email account?

Often, the goal is not the university services themselves, but rather using the information contained within them for external services (for example, using a university email account to access a bank account through password recovery mechanisms).

FAQ: Can an email be dangerous even without links or attachments?

Yes. Some attacks rely solely on direct interaction (social engineering), aiming to obtain information or build trust for later attacks.

FAQ: What does “compromised account” mean in practice?

It means that an unauthorized party has access to a user’s credentials and can:

  • read or send emails on their behalf
  • access institutional services
  • use the account to attack other users or services

FAQ: How can I tell if my account has been compromised?

It is not always immediately obvious. Some signs may include:

  • login activity from unusual locations
  • emails sent that you do not recognize
  • password or settings changes you did not make

If in doubt, it is important to contact IT support immediately.

FAQ: Why are phishing messages becoming more convincing?

Attackers are using increasingly sophisticated techniques, including:

  • visual replication of legitimate services
  • use of information collected from public sources
  • language consistent with institutional communications
  • use of AI to generate content

FAQ: Is multi-factor authentication enough?

It significantly reduces the risk of compromise, but does not eliminate it. It remains essential to verify the legitimacy of communications and maintain user awareness.

FAQ: What happens after I report a suspicious email?

Typically, the security team:

  • analyzes the message
  • blocks malicious domains or links
  • assesses the spread of the attack
  • notifies other users if necessary
  • updates protection systems

Reporting therefore contributes to collective security.

FAQ: Does using personal devices increase the risk?

Not necessarily, but devices that are not updated or lack adequate security measures (system updates, antivirus) may be more vulnerable.

Useful links

The MUR informational brochure Smishing e Vishing, as part of the CyberSapere project, describes phishing-related phenomena and the risks of some of the most insidious digital scams of recent years.

Who it is intended for

  • Technical, administrative and library staff
  • Students
  • Faculty, researchers and PhD students