Phishing

Phishing scams are typically fraudulent e-mail messages appearing to come from legitimate enterprises (e.g., your university, your Internet service provider, your bank). These messages usually direct you to a spoofed web site and ask you for private information (e.g., password, credit card, or other account updates). Phishing can also be a phone-call- or text-message-based attack sent with the intention of deceiving the recipient into providing information. In all instances, the attacker can then use that information directly (e.g., bank account details) or indirectly (e.g., personal details that may provide hints about the recipient's password). The perpetrators then use this private information to commit identity theft.

Overview of Phishing

Phishing attacks will often:

  • Come from someone you know
  • Contain convincing logos from companies with whom you have communicated
  • Ask you to click on something

Some phishing attacks appear obvious and sloppy, using poor grammar and spelling; nevertheless, some people still fall for them. Other attacks are specific, personal, and may appear legitimate at first glance, making them much harder to detect. The best thing you can do to avoid becoming the victim of a phishing attempt is to familiarize yourself with the common types of phishing attacks, be vigilant in looking for the common signs of phishing, and, if you believe you may have fallen for a phishing attempt, report it immediately.

Types of Phishing Attacks

There are different types of phishing attacks. Learn about some of the different kinds below.

Forged Sender Address Phishing

An e-mail message sent to you by an attacker who has registered a fake domain or e-mail address and sends out thousands of generic requests to random addresses. This type of attack attempts to get you to click a link, download an attachment, or provide personal information such as your e-mail address and password, banking information, etc. These e-mails are usually very easy to spot because they come from addresses like jsmith178563@gmail.com and frequently use odd grammar and spelling.

Deceptive Phishing

This type of attack is meant to trick you into believing that the e-mail is legitimate. Attackers impersonate a legitimate business and try to convince you that you need to do things like provide information to keep your account safe or check on an order you placed. What makes this e-mail deceptive is that the message, or the website the attacker sends you to, is made to appear as legitimate as possible. Attackers use company logos and attempt to replicate company-looking e-mail addresses such as smithj@hws.edu. The best way to detect these attacks is to reach out to the company through channels you know are official: find the company website by searching for it in Google, then e-mail or call the company to verify the situation.

Spear Phishing

Some attacks employ a personal touch in order to trick you. Spear phishing customizes the attack to make it appear more personal. Attackers may use public information, such as names and e-mail addresses from the university website, in order to trick you. They may also find information via outside sources such as your LinkedIn or social media pages. The goal is always the same: to get you to give up personal information, accounts, money, etc. A common type of spear phishing attack is one where an attacker pretends to be someone who holds a higher position than you and asks you to run out and buy gift cards for them because they are in a meeting and unavailable. The attacker will also use language to make the request seem urgent and needed immediately due to some family emergency or something they forgot to do. Detecting this type of attack is much more difficult because the attacker is using information that at first glance seems legitimate and personal. One of the best attitudes you can adopt is to remember that e-mails are not urgent and you do not need to respond right away, or at all. Read the message thoroughly and pay attention to the sender name and e-mail address. Genuinely urgent matters call for more direct methods of contact, such as a phone call or someone walking into your office to find you personally.

Vishing

Phone calls are another type of phishing attack, one that does not rely on e-mail. Attackers use a VoIP (Voice over Internet Protocol) server to imitate legitimate organisations in an attempt to extract personal information. Commonly imitated organisations include the IRS, banks, car companies, and various types of insurance providers. These attacks can be easy to detect because they are usually automated messages from unknown numbers. To protect against vishing, avoid answering phone calls from unknown numbers and do not give personal information to an automated system you are unsure of.

How to Spot a Phishing Scam

Look: Confirm the address of the sender

Read: Is the language clear, any typos?

Review: A threatening or urgent tone is a red flag

Don't Click: Links asking for personal information should be avoided

Report: If the e-mail has any of these elements, report it to the IT Services Help Desk

Relax: You just saved your data from a scam!
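The checklist above, and the lookalike addresses described under Deceptive Phishing, can be turned into an automated first pass over a message. The script below is an added example, not part of the original HWS IT Services page or any HWS tool: it parses a raw e-mail, confirms the sender domain against an assumed list of official domains (here only hws.edu), flags lookalike domains, looks for urgent or threatening phrases, and checks whether each link's visible text hides a different destination. The two sample messages, the phrase lists and the organisation names are constructed for illustration.

```python
"""Run the 'How to Spot a Phishing Scam' checklist over a raw e-mail (added example)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example: the organisation's official domain(s) and the
# short names a spoofed display name is likely to borrow.
TRUSTED_DOMAINS = ("hws.edu",)
ORG_NAMES = ("hws", "hobart")
# Constructed phrase lists for the "threatening tone" and "asks for personal
# information" checks; a real deployment would tune these.
URGENT_PHRASES = ("immediately", "within 24 hours", "will be suspended",
                  "final notice", "urgent action")
CREDENTIAL_WORDS = ("password", "verify your account", "credit card", "ssn")


class _Links(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss domains such as hvvs.edu."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _host(url):
    """Lower-cased hostname of a URL or of a bare 'host/path' string."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    """True for an official domain or any of its subdomains."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def is_lookalike(host):
    """True when a host imitates an official domain without being one."""
    if not host or is_trusted(host):
        return False
    return any(t.split(".")[0] in host or _edit_distance(host, t) <= 2
               for t in TRUSTED_DOMAINS)


def check_message(raw):
    """Return a list of phishing indicators found in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Look: confirm the address of the sender, not just the display name.
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    if any(o in name.lower() for o in ORG_NAMES) and not is_trusted(sender):
        findings.append(f"display name '{name}' but sender domain '{sender}' is not official")
    if is_lookalike(sender):
        findings.append(f"sender domain '{sender}' imitates an official domain")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_to and reply_to != sender:
        findings.append(f"replies are redirected to '{reply_to}'")

    # Read / Review: urgent or threatening language in the subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    lowered = (msg.get("Subject", "") + " " + html).lower()
    hits = [p for p in URGENT_PHRASES if p in lowered]
    if hits:
        findings.append("urgent or threatening language: " + ", ".join(hits))

    # Don't Click: link text that hides its real destination, and links to
    # lookalike or unofficial sites in a message that asks for credentials.
    parser = _Links()
    parser.feed(html)
    asks_for_info = any(w in lowered for w in CREDENTIAL_WORDS)
    for href, visible in parser.links:
        target = _host(href)
        shown = _host(visible) if re.search(r"[\w-]+\.[a-z]{2,}", visible) else ""
        if shown and shown != target:
            findings.append(f"link text shows '{shown}' but points to '{target}'")
        if is_lookalike(target):
            findings.append(f"link destination '{target}' imitates an official domain")
        elif asks_for_info and not is_trusted(target):
            findings.append(f"link to '{target}' in a message asking for personal information")
    return findings


# Constructed sample messages (not real mail); the domains are made up.
PHISHING_SAMPLE = b"""\
From: HWS IT Services <it-helpdesk@hws-support.com>
Reply-To: recovery@mailbox-reset.net
To: student@hws.edu
Subject: Final notice: verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Your mailbox will be suspended within 24 hours unless you
verify your account immediately. Enter your password at
<a href="http://hws-account-verify.com/login">https://my.hws.edu/login</a>.</p>
</body></html>
"""

LEGITIMATE_SAMPLE = b"""\
From: HWS IT Services <helpdesk@hws.edu>
To: student@hws.edu
Subject: Scheduled portal maintenance on Saturday
Content-Type: text/html; charset="utf-8"

<html><body><p>The campus portal will be unavailable on Saturday from 6 to
8 a.m. Details are posted at <a href="https://my.hws.edu/status">my.hws.edu</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        found = check_message(raw)
        print(f"{label}: {'REPORT IT' if found else 'no indicators found'}")
        for f in found:
            print("  -", f)
```

The constructed phishing sample trips every step of the checklist (six findings), while the legitimate notice from the official domain produces none. The lookalike test is deliberately coarse (an edit distance of two catches hvvs.edu but will also flag unrelated short domains), so in practice it is a prompt to look closer, not a verdict; anything the script flags should still be reported to the IT Services Help Desk rather than acted on.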


Example of a Phishing E-Mail

Need additional help? Contact the HWS IT Services Help Desk.