Phishing and spear phishing are attempts by criminals to obtain passwords or other confidential information. Sometimes phishing emails deliver malware such as ransomware or keyloggers. Phishing can come as texts, tweets or emails. At a glance, the requests appear to be authentic. Urgency or curiosity is used to get people to act: there's a deadline or a package delivery, or a tempting reward like an expensive prize. Here are clues to help distinguish whether a request is real or fake.
Phishing Attack Clues
- The request is unfamiliar or seems out of place
- There's pressure for you to act immediately
- It offers something too good to be true
- It asks for personal information
- Hovering over a link, it reveals an impostor website
- It uses a non-personalized greeting like 'Dear User' or 'Dear Friend'
- There are misspelled words, awkward grammar or punctuation
Be cautious even if the email is addressed to you. Spear phishing attacks employ relevant details to increase their believability, like your name or the name of someone you know. Context is vital in these situations.
Is the request normal?
Will your manager ask you to purchase gift cards promising to reimburse you later?
Is the request proper?
Just because your co-worker is out of town, should you fulfill their request to send them confidential data?
- Following proper procedures can protect you and the campus.
- Making phone calls verifying requests can prevent compromises.
- Extra scrutiny of email links and the context of requests can avoid malware and phishing attacks.
Phishing attacks are not limited to email. Social networks, online ads, tweets, and other online sites entice viewers to click links and some are not what they seem. So be careful what you click. With a little education and effort you can thwart phishing attacks.
Protect yourself from phishing attacks
- If in doubt, call the institution involved by using information from an account statement or the back of a credit card.
- Avoid using the information or convenient links provided – instead use your Favorites or Bookmarks or hand type the address.
- Ensure the full URL is correct – the trusted name should be displayed not an IP address, along with the appropriate domain (e.g. CSUSB.edu not CSUSB.com).
- Click on the yellow padlock icon on the status bar. Check the security certificate name matches the name of the site you trust.
- Do not open unexpected attachments.
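The link checks in the two lists above (a hovered link that reveals an impostor site, an IP address instead of a trusted name, CSUSB.com instead of CSUSB.edu) can be written down as a small triage script. The code below is an added example and is not part of the original page or any campus tool; it assumes csusb.edu as the trusted domain, and every sample link it inspects is constructed for the example.

```python
"""Triage an email link the way the checklist above says to: compare the
visible link text with the real destination, and inspect the destination's
scheme and host. Added example; the sample links below are constructed."""
import ipaddress
import re
from urllib.parse import urlparse

TRUSTED_DOMAIN = "csusb.edu"  # assumed trusted domain for this example

# Something that looks like a URL or bare domain, e.g. "csusb.edu/reset".
_URL_LIKE = re.compile(r"(?:[a-z]+://)?[\w.-]+\.[a-z]{2,}(?:[/:?#].*)?", re.I)


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL or bare domain ('' if none)."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def check_link(display_text: str, href: str, trusted_domain: str = TRUSTED_DOMAIN) -> list:
    """Return a list of human-readable warnings for one link (empty = clean)."""
    warnings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    trusted = trusted_domain.lower()

    if parsed.scheme != "https":
        warnings.append("not https")
    # "https://csusb.edu@evil.example" puts the trusted name before an @;
    # the real host is whatever follows it.
    if parsed.username is not None:
        warnings.append("credentials embedded before the host")

    try:
        ipaddress.ip_address(host)
        warnings.append("host is an IP address, not a name")
        is_ip = True
    except ValueError:
        is_ip = False

    if not is_ip and host != trusted and not host.endswith("." + trusted):
        # Same first label with a different suffix (csusb.com, or
        # csusb.edu.evil.example) is a lookalike; anything else is just foreign.
        if trusted.split(".")[0] in host.split("."):
            warnings.append(f"lookalike domain '{host}' (trusted is '{trusted}')")
        else:
            warnings.append(f"host outside trusted domain: {host}")

    # The hover check: link text that names one site while pointing at another.
    shown = display_text.strip()
    if _URL_LIKE.fullmatch(shown):
        shown_host = host_of(shown)
        if shown_host and shown_host != host:
            warnings.append(f"link text shows {shown_host} but points to {host}")

    return warnings


# Constructed sample links: (visible text, real href).
SAMPLE_LINKS = [
    ("Sign in", "https://my.csusb.edu/login"),
    ("https://csusb.edu/reset", "http://192.0.2.10/reset"),
    ("CSUSB Portal", "https://csusb.com/portal"),
    ("csusb.edu", "https://csusb.edu@evil.example/login"),
]


def triage(links=SAMPLE_LINKS) -> dict:
    """Map each href to its warnings, so a reader can see which links to avoid."""
    return {href: check_link(text, href) for text, href in links}


if __name__ == "__main__":
    for href, found in triage().items():
        verdict = "OK" if not found else "; ".join(found)
        print(f"{href}\n    {verdict}")
```

Only the first sample passes; the others trip exactly the clues the checklist names (plain http and an IP host, a .com lookalike, and a trusted name hidden in the user part of the URL).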
How to Respond
Now that email, social media, entertainment and storage accounts can be linked with a single password, a single compromise is capable of causing havoc. Knowing what to do if you become a victim can slow or stop the damage.
Actions after a phishing attack
- Report attacks to your service provider or institution. For campus situations, forward the email as an attachment to: email@example.com
- If you clicked a suspicious link, use a different machine to change your password.
- Contact the Technology Support Center to have your machine examined.
- Reauthorize all devices.
- Consider adding a second authentication factor.
For more information about phishing go to:
How good are you at identifying a phishing attack? Do you know the key indicators? (Hint: see the list above)
Sharpen your 'phishing' identification skills by taking the following phishing quizzes. They provide examples and clues to help distinguish legitimate from fraudulent communications.