Email is an essential part of our everyday communications. Unfortunately, email fraud has become increasingly prevalent in recent years among members of the University community. Many students have received “phishing” messages, which appear to come from trusted sources but are actually fraudulent. University Student Organizations and their officers are at greater risk of receiving phishing emails in attacks known as spear phishing. This type of email spoofing fraud targets individuals within an organization to gain access to sensitive data.
Phishing is a form of social engineering. Social engineering relies on techniques such as influence and persuasion to deceive victims into breaching security and divulging sensitive information.
For most attacks to work, you have to do something after reading the message, such as opening the attachment, clicking on the link or responding to the request for information. Cyber-criminals are getting better every day at making their messages look authentic, so to protect yourself, keep the following in mind.
1. You can identify a phishing email by looking for messages that:
- Create a sense of urgency
- Invoke strong emotions, like greed or fear
- Request sensitive data or money
- Contain links that do not appear to match legitimate resources for the organization or person that is contacting you
2. Be suspicious of unsolicited email messages from individuals asking about internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
3. Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
4. Do not reveal personal or financial information in an email, and do not respond to email solicitations for this information. This includes following links sent in an email.
5. Double-check emailed links. If a link looks suspicious, contact the company or website directly before clicking it.
6. If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request.
7. Check the email headers. If the email appears to come from a legitimate organization, but the “From:” address is someone’s personal account such as @gmail.com or @hotmail.com, this is most likely an attack. Also, check the “To:” and “CC:” fields. Ask yourself, is the email being sent to people you do not know or do not work with?
8. Just because a message appears to come from a friend or someone you know does not mean the message is safe. A person’s computer may have been infected, their account may have been compromised, or their address may have been spoofed in the “From:” field. If you are suspicious about a message from someone, call the person to verify that he or she truly sent it.
*Always remember that legitimate companies and organizations will never ask for passwords, social security numbers, and other sensitive data via email.
Although your first instinct may be to ignore or delete suspicious emails, it is recommended that you report them to Boise State’s IT Help Desk. The email will be examined and, if necessary, the help desk customer care staff will advise you of any further steps you may need to take.
To report a phish, forward the phishing email and headers to email@example.com.
How to forward emails and headers from Gmail:
1. Open the suspected phishing email, but be careful not to follow any links or download any attachments contained in the message.
2. Click the down arrow next to the Reply button in the upper right-hand corner of the email window. From the drop-down menu that appears, click Show original. This will open a new window showing the email as a text document, with all the header information, links, and HTML markup visible.
3. Highlight and copy everything in this window. Some users may have the option to click “copy to clipboard”. Go back to the original message, and click the Forward button. Paste the information into the top of the message, and add firstname.lastname@example.org in the “To:” field of the draft email message.
4. Send the email.
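The “From:” check from tip 7 and the link checks from tips 1 and 3, applied to the raw text that Show original produces, as an added example that is not part of the original page. The `org_domains` argument, the finding labels and the sample message are assumptions made for illustration; `example.com` stands in for the organization's real domain.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

FREEMAIL = {"gmail.com", "hotmail.com"}  # the personal-account examples from tip 7

class Links(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.href, self.text.strip()))
            self.href = None

def host(url):
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

def review(raw, org_domains):
    """Return findings for one raw message, as copied from Gmail's 'Show original'."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    if name and addr.rpartition("@")[2].lower() in FREEMAIL:
        findings.append(f"from-freemail: '{name}' sends from {addr}")
    body = msg.get_body(preferencelist=("html",))
    parser = Links()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.found:
        target = host(href)
        # Only compare when the visible text itself looks like a URL or host name.
        shown = host(text) if "." in text and " " not in text else ""
        if shown and shown != target:
            findings.append(f"link-text-mismatch: shows {shown}, opens {target}")
        if not any(target == d or target.endswith("." + d) for d in org_domains):
            findings.append(f"link-off-domain: {target}")
    return findings

# Constructed sample (not a real message); example.com stands in for the organization.
SAMPLE = '''From: "Example IT Help Desk" <it.helpdesk.example@gmail.com>
Content-Type: text/html; charset="utf-8"

<p><a href="http://login.example.net/reset">https://www.example.com/reset</a></p>
'''
```

Calling `review(SAMPLE, {"example.com"})` returns three findings: the personal-account sender, the link whose visible text differs from its real target, and the target that sits outside the organization's domain.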