What is it?
Phishing (pronounced "fishing") is probably the most common form of social engineering we see at the University. It is a form of identity and credential theft that keeps growing in popularity among attackers. A phishing email typically claims that something will happen to your account unless you act now, and the "action" is clicking a link to a page that asks for your username and password, and sometimes more. Phishing uses email, phone calls or social-networking messages to trick you into handing over personal or financial information, most commonly passwords and credit card numbers, which the attacker then uses to get into your accounts and steal more data or money. Using fraudulent websites and forged emails, perpetrators try to collect as much information as you are willing to give them, or to get you to click a malicious link or open a malicious attachment. Be very suspicious of any email, text, phone call or online message that has bad spelling, addresses you in a generic way, creates a sense of urgency, or requests personal information. Protect yourself by learning to recognize a phishing email.
Spear phishing is a variant targeted at a specific individual, position, organization or business, usually to obtain confidential information or higher-level credentials. Spear phishing attempts are not typically the work of "random hackers"; they are more likely to be conducted by perpetrators after financial gain, trade secrets or military information.
Whale phishing (whaling) is a phishing attack aimed at high-value targets such as senior executives or wealthy individuals. Because of what such a victim controls or has access to, he or she is considered a "big phish", or a whale.
Don't focus only on email phishing. The same tricks arrive by phone call (vishing), text message (smishing), social media and fake news sites.
If you think an email you have received is a "phish", the tips below can keep you from taking the bait and getting hooked.
Receiving the Email
- Know the online companies you deal with. When a suspicious email arrives in your inbox, THINK: it could be fraud, it is almost certainly spam, and it is not meant for you. Use your mail client's options to mark it as Phishing or Spam, then delete it.
- Look carefully at the subject line. Example: Chase Bank will never send you an email headed " _ChaseBank _account _update ACT-NOW ". Such messages may slip through your spam filter because they appear to come from a reputable source, but that does not mean they really came from Chase Bank. Your bank will never ask you to send passwords or personal information by email. Some emails will try to convince you they are from your boss, a co-worker, a friend or a family member. Check the full sender address, not just the display name. Colleagues write from the University's own domain; a work message arriving from another domain deserves a phone call to the person to confirm they sent it. If you are unsure, forward the message to the security mailbox and we will investigate it for you. "Think before you click" should be your mantra.
- Never reply to the email or click the link in it, as the link may take you to a fraudulent website. If you have the slightest doubt, call your bank directly for clarification. A phishing email may claim to be from a legitimate company, and the linked site may look exactly like the real one, but it can still be fake. Type your bank's address into the browser yourself rather than following a link whose authenticity you cannot confirm.
- Learn to identify suspicious emails. Attackers copy a real company's logos and branding; they use the company's name or the name of an actual employee; they link to sites that look like the real business; and they dangle a gift or threaten the loss of an existing account.
- A bank, university or large company will not contact you from a free webmail address such as one ending in '@gmail.com'.
- Look at the actual email address, not just the sender's display name!
- Is the domain name misspelled, or does it merely resemble the real one (an extra letter, a swapped character, or the real name followed by some other domain)? This is a clear signal of a phishing message.
- The email is poorly written. Look for grammatical mistakes, not just spelling errors.
- Phishing emails come in many forms, but they all carry a payload: a link or an attachment. Suspicious links and attachments are a clear indication of a phishing message, and a link whose destination address does not match the context of the message is a suspicious link.
- Unfortunately, many legitimate and scam emails alike hide the destination address behind a button, so it is not obvious where the link goes. Do not click buttons. On a computer, hover your mouse over the link or button without clicking and the destination address appears in a small bar along the bottom of the window, usually at the bottom left. On a mobile device, press and hold the link and a pop-up shows the destination without opening it. Just don't tap it.
- The message creates a sense of urgency: act now or something will happen. Attackers prey on the human urge to respond. Reread the message, don't panic, and call your boss or co-workers to confirm whether the matter is really urgent.
Reviewing the Email
- Understand how the companies you deal with want to interact with you.
- Practice safe browsing.
- Be sure to thoroughly read emails that say they are from companies you know.
- Hover over email addresses and links with your mouse cursor and verify them.
- Never enter personal or credit card information into a form inside an email.
- Most "phishing" emails are not personalized.
- If it seems too good to be true, it probably is.
- Hover your cursor over links in messages to find where they actually go; do not click them.
- Look for misspellings and poor grammar, which are good signs that a message is a fraud.
- Never respond to an email requesting sensitive personal information (birthday, Social Security Number, username/password, etc.).
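The hover checks above (a misspelled or lookalike domain, link text that shows one address while the link goes to another) can be done mechanically. The following Python script is an added example written for this page, not the University's tooling: it pulls every link out of an HTML message, compares the host the visible text shows with the host the href really goes to, and flags destinations that merely resemble a domain on a small allowlist. The allowlist, the sample message body and the attacker domains are constructed for the demo, and the "last two labels" registrable-domain rule and the edit-distance threshold are deliberate simplifications.

```python
"""Triage the links inside a suspicious HTML email (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of registrable domains the reader really deals with.
TRUSTED_DOMAINS = {"chase.com", "google.com", "wsu.edu"}

# Constructed sample body in the style of the "ACT-NOW" message above.
SAMPLE_EMAIL_HTML = """
<p>Dear Customer, your account will be suspended in 24 hours.</p>
<p><a href="http://chase.com.account-verify.net/login">https://www.chase.com/login</a></p>
<p><a href="https://secure.chaase.com/">Verify now</a></p>
<p><a href="https://www.chase.com/contact">Contact us</a></p>
<p><a href="https://mail.google.com/">https://mail.google.com/</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname: a crude stand-in for the Public Suffix
    List that is fine for .com/.net/.edu examples (wrong for co.uk and friends)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return ('trusted' | 'lookalike' | 'unknown', reference domain)."""
    host = host.lower().rstrip(".")
    rd = registrable_domain(host)
    if rd in TRUSTED_DOMAINS:
        return "trusted", rd
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = re.escape(trusted.split(".")[0])
        if (trusted in host                                   # chase.com.evil.net
                or re.search(rf"(^|[.-]){brand}([.-]|$)", rd)  # chase-secure.com
                or edit_distance(rd, trusted) <= 2):           # chaase.com
            return "lookalike", trusted  # threshold 2 is too loose for very short domains
    return "unknown", rd


_URLISH = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?")


def host_shown_in_text(text):
    """If the visible link text is itself a URL or bare domain, return that host."""
    m = _URLISH.fullmatch(text.strip())
    return m.group(1).lower() if m else None


def triage_links(html):
    """Return one finding dict per link: href, text, verdict and reasons."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        verdict, ref = classify_host(host)
        reasons = []
        if verdict == "lookalike":
            reasons.append(f"host {host} imitates {ref}")
        shown = host_shown_in_text(text)
        if shown and registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"link text shows {shown} but goes to {host}")
        findings.append({"href": href, "text": text, "verdict": verdict, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_links(SAMPLE_EMAIL_HTML):
        print("!!" if f["reasons"] else "ok", f["verdict"], f["href"], *f["reasons"], sep="  ")
```

Run it and the first two links are flagged (one for both a lookalike host and a text/href mismatch, one for a typosquatted domain) while the real chase.com and mail.google.com links pass. An "unknown" verdict is not a clean bill of health; it only means the host neither matches nor imitates anything on your allowlist.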
Uncertain that the email is phishing?
- Check whether the email was authenticated by the sending domain. Open the message and click the 'show details' icon below the sender's name. Make sure the domain next to the 'mailed-by' line (the domain that passed the SPF check) and the 'signed-by' line (the domain that put a DKIM signature on the message) matches the domain of the sender's email address. A message 'signed-by' a domain unrelated to the From address did not come from whom it claims.
- Make sure the domain in the page's address bar is correct before you enter anything, and do not click images or links before you have verified that they lead to proper pages within the site. For example, the Gmail URL is https://mail.google.com/. A link may appear to contain 'gmail.com' and still redirect you to another site after you open it, so check the address bar of the page you actually land on. If unsure, contact the ISO office for validation.
- Look for the closed lock icon in the browser's address bar whenever you enter private information, including your password. The lock only means the connection is encrypted; phishing sites use HTTPS too, so it is no proof that the site is genuine. Check the domain as well.
- Check the message headers. The 'From:' field is easily manipulated to show a false sender name and address. Learn how to view headers.
- If you're still uncertain, contact the organization from which the message appears to be sent. Don't use the reply address in the message, since it can be forged. Instead, visit the official website of the company in question, and find a different contact address.
- If our system flags a message as phishing or spam, but you've validated the source from which the message originated, click the down arrow next to Reply at the top-right of the message pane, and select Report Not Phishing to let us know the message is legitimate. This removes the filter for that message.
- For more information on how to handle unwanted or suspicious email, visit Unwanted or Suspicious Emails.
- Enhance the Security of Your Computer - Use and keep up to date your email protection software for spam blocking, fraud blocking and anti-virus.
- Enter Your Sensitive Data in Secure Websites Only (HTTPS:)
- Periodically Check Your Accounts - Read your bank statements, every one, every month, to ensure your charges and debits are correct. Stay vigilant and report any suspicious activity immediately.
- Have the Slightest Doubt, Do Not Risk It
- Get informed and stay informed about the evolution of current malware - Here are some links that can help you learn what is out there:
- Purchase Identity Insurance - Just like home insurance, you can buy insurance against identity theft.
- Additional Information:
If you receive a message that our phishing detection system doesn't pick up on, click the down arrow next to Reply at the top-right of the message pane, and select Report Phishing to send a copy of the message to the Gmail Team.
You may also forward a copy of the message to the IT Service Desk, firstname.lastname@example.org. If possible send the message header with the copy of the email.
Message headers contain tracking information for an individual email, detailing the path it took as it crossed mail servers. To get the message header information, follow the steps under Message Header.
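The 'mailed-by / signed-by' item and the message-header items above can be checked from the raw headers themselves. The script below is an added example written for this page, not the University's or Gmail's tooling: it parses a raw message with Python's standard email library and reads the Authentication-Results header that the receiving mail server adds, which carries the same information Gmail shows as 'mailed-by' (SPF) and 'signed-by' (DKIM). It then checks that the SPF and DKIM domains line up with the visible From: domain, that DMARC passed, and that a Reply-To does not quietly divert replies elsewhere. Both sample messages, the server name mx.wsu.edu, the sender domain mail-chase-alerts.net and the IP address are constructed, and the alignment test is a simplified version of DMARC's relaxed alignment.

```python
"""Check sender authentication in a raw email's headers (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed phishing sample: From: says chase.com, but SPF and DKIM were
# evaluated for the real sending domain, DMARC failed, and Reply-To diverts.
SAMPLE_PHISH = """Return-Path: <bounce@mail-chase-alerts.net>
Received: from mail-chase-alerts.net (mail-chase-alerts.net [203.0.113.7])
        by mx.wsu.edu with ESMTP id 4f2a9c
Authentication-Results: mx.wsu.edu;
        spf=pass smtp.mailfrom=mail-chase-alerts.net;
        dkim=pass header.d=mail-chase-alerts.net header.i=@mail-chase-alerts.net;
        dmarc=fail (p=REJECT) header.from=chase.com
From: "Chase Bank" <alerts@chase.com>
Reply-To: support@mail-chase-alerts.net
To: student@wsu.edu
Subject: _ChaseBank _account _update ACT-NOW

Your account will be locked in 24 hours unless you verify it now.
"""

# Constructed legitimate sample: every authenticated domain is the From: domain.
SAMPLE_LEGIT = """Return-Path: <bounces@chase.com>
Authentication-Results: mx.wsu.edu;
        spf=pass smtp.mailfrom=chase.com;
        dkim=pass header.d=chase.com header.i=@chase.com;
        dmarc=pass (p=REJECT) header.from=chase.com
From: "Chase" <alerts@chase.com>
To: student@wsu.edu
Subject: Your statement is ready

Your monthly statement is available in online banking.
"""


def _domain(addr_header):
    """Domain part of an address header such as '"Chase Bank" <a@chase.com>'."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def _aligned(domain, from_domain):
    """Simplified relaxed alignment: same domain, or one is a subdomain of the
    other. Real DMARC compares organizational domains via the Public Suffix List."""
    if not domain or not from_domain:
        return False
    return (domain == from_domain or domain.endswith("." + from_domain)
            or from_domain.endswith("." + domain))


def parse_auth_results(header):
    """Map spf/dkim/dmarc to (result, domain) from an Authentication-Results value.
    The first ';'-separated clause is the authserv-id; a later clause for the
    same method overwrites an earlier one."""
    results = {}
    text = " ".join(str(header or "").split())  # unfold and squeeze whitespace
    for clause in text.split(";")[1:]:
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if not m:
            continue
        d = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=([^\s;]+)", clause)
        domain = d.group(1).rpartition("@")[2].lower() if d else ""
        results[m.group(1)] = (m.group(2).lower(), domain)
    return results


def analyze_headers(raw_message):
    """Return the authenticated domains, whether each aligns with From:, and findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = _domain(msg["From"])
    reply_to = _domain(msg["Reply-To"])
    auth = parse_auth_results(msg["Authentication-Results"])
    findings = []

    spf_result, spf_domain = auth.get("spf", ("none", ""))
    spf_ok = spf_result == "pass" and _aligned(spf_domain, from_domain)
    if not spf_ok:
        findings.append(f"SPF {spf_result} for {spf_domain or '?'}, but From is {from_domain}")
    dkim_result, dkim_domain = auth.get("dkim", ("none", ""))
    dkim_ok = dkim_result == "pass" and _aligned(dkim_domain, from_domain)
    if not dkim_ok:
        findings.append(f"DKIM {dkim_result}, signed by {dkim_domain or '?'}, but From is {from_domain}")
    dmarc_result = auth.get("dmarc", ("none", ""))[0]
    if dmarc_result != "pass":
        findings.append(f"DMARC {dmarc_result} for {from_domain}")
    if reply_to and not _aligned(reply_to, from_domain):
        findings.append(f"Reply-To sends replies to {reply_to}, not {from_domain}")

    return {"from_domain": from_domain, "reply_to_domain": reply_to,
            "spf": (spf_result, spf_domain, spf_ok), "dkim": (dkim_result, dkim_domain, dkim_ok),
            "dmarc": dmarc_result, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        r = analyze_headers(raw)
        print(name, "SUSPICIOUS" if r["suspicious"] else "ok", *r["findings"], sep="\n  ")
```

Only trust the Authentication-Results header written by your own mail server (the authserv-id, mx.wsu.edu in the samples); an attacker can insert a fake one further down the header chain, which is why the receiving server should strip any copies it did not write.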
What if you responded?
If you entered your WSU account credentials or personal information in response to a spoof or phishing message, act quickly.
- Work Message event:
- Send a copy of the message header to our ISO office email@example.com or the IT Service Desk, firstname.lastname@example.org.
- Change your password immediately, and change it on any other site where you used the same password!
- Open a help desk ticket with the Service Desk to have your device checked.
- Take additional training to get better educated on how to spot a phishing email.
- Personal Message event:
- Send a copy of the message header and the entire text of the message to the Federal Trade Commission at email@example.com.
- If you entered credit card or bank account numbers, contact your financial institution and change your passwords.
- If you think you may be the victim of identity theft, contact your local police.