What is Phishing?
Phishing is a scam which attempts to entice email recipients into clicking on a link that takes them to a bogus website. The website may prompt the recipient to provide personal information such as social security number, bank account number or credit card number, and/or it may download malicious software onto the recipient’s computer. Both the link and website may appear authentic, however they are not legitimate.
How does it Work?
Have you received an email, an instant message, or another communication that just did not seem right, even though the communication appeared to be from a reputable organization? This communication could very well be a phishing scam. It’s important to note that in the past, phishing scams were often more easily detectable because of misspellings, typographical errors and blatantly bad grammar; however, they are increasingly more difficult to detect because they often appear so legitimate.
Phishing scams try to “bait” the recipient in a number of ways: the malicious email could include notice of an account cancellation, a request to verify/update personal information, a notice of a purchase that you did not make, or just about anything else that would get you to respond to the communication. The types of messages used in phishing are expanding almost every day, so it is important to be cautious of any communications you receive.
If the email communication, with its enticing subject line, is the “bait,” what is the hook? The hook is getting you, the user, to take some action that enables the phisher to obtain information or otherwise gain access. You may be “tricked” into visiting a website, which appears to be a legitimate organization’s website. Once at that site, you may be asked to enter personal information. Another method of attack may be to get you to open an attachment in an email, upon which malicious code, such as a Trojan horse will be installed onto your computer. Other variations include a telephone call, in which the phisher will ask you to provide personal information. Once the phisher has “hooked” you, they may use the information to open accounts in your name, access your bank account or make purchases using your credit card. There is also a type of phishing attack known as “spear phishing” where the attacker targets specific individuals by name or organizations. For example, an email invitation to attend an event that may be of interest could be sent to an organization’s employees. When an employee clicks on the link contained in that email, malware is downloaded to the employee’s computer. The attacker may be targeting specific employee information, such as user names and passwords, or proprietary organization information.
How do I Know it is a Phishing Scam?
- If you receive an email appearing to be from a legitimate business, requesting you submit personal information, it is most likely a scam. Legitimate businesses do not send emails requesting personal information.
- Does the email ask you to “verify your information”, “re-validate your account”, or to “confirm your user-id and password”?
- Does the email reference any consequences should you not verify your information?
- Use an Internet search engine to research the subject line of a suspicious email to determine if that subject line is a known phishing scam.
What Can I Do?
- Do not ever provide login credentials or other personal information via email. Legitimate companies and organizations will not solicit your login credentials via email in an attempt to validate, re-validate, or otherwise confirm your account.
- If you receive an email that is from a familiar company or organization and has a link within it that navigates to a login page. Do not use the link. Rather, open your web browser and navigate to the ‘known good’ website for the organization and login from the ‘known good’ website.
- Be cautious about all communications you receive. Think before you click.
- If the communication looks too good to be true, it probably is.
- If it appears to be a phishing communication, do not respond. Delete it. You can also forward it to the Federal Trade Commission at firstname.lastname@example.org.
- Do not click on any links listed in the email message and do not open any attachments contained in suspicious email.
- Do not enter personal information in a pop-up screen. Legitimate companies, agencies and organizations don’t ask for personal information via pop-up screens.
- Ensure that your computer is up-to-date on all patches.
- Ensure that your antivirus program is installed and up-to-date.
- Use bookmarks in your web browser for the organizations with which you regularly communicate to limit the chances of being redirected to malicious sites.
- If you think you have been scammed, visit http://www.ftc.gov/idtheft.
- Look for unauthorized charges or withdrawals on your credit card and bank statements/bills.
- Review your credit report – visit http://www.ftc.gov for a link to request an annual free credit report.
For more information on phishing, please visit the following sites:
- AntiPhishing Work Group: www.antiphishing.org/
- OnGuard Online: www.onguardonline.gov/phishing.html
- Federal Trade Commission:
- National Consumer League’s Internet Fraud Watch:
- US CERT: www.us-cert.gov/cas/tips/ST04-014.html
- WatchGuard Video: www.watchguard.com/education/video/play.asp?vid=budhasmail
- National Phishing Webcast- October 9, 2008 2:00pm Eastern: register at www.msisac.org
For more monthly cyber security newsletter tips visit:
The information provided in the Security Tips Newsletters is intended to increase the security awareness of Southeastern’s students and employees. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve Southeastern’s overall cyber security posture.
Recent Phishing Email Examples: