Phishing Points to Keep in Mind
Unfortunately, phishing scams are a fact of life in our connected world, and recognizing malicious emails can be difficult. Below is an analysis of the email that will help you identify phishing emails in the future:
There is little risk in opening and reading email. However, opening attachments or clicking on links can be dangerous. If an email seems strange or suspicious, simply delete it. If you are not sure if an email is an attack, forward it to the Boise State Help Desk at firstname.lastname@example.org.
This phishing email is a form of Spear Phishing
What is a spear phish?
Spear phishing is email targeted at specific individuals or organizations with the intention of persuading the recipients to reveal confidential information such as usernames, passwords, or other sensitive information. Unlike phishing, which involves mass-emailing, spear phishing is small-scale and well targeted. The attacker emails users in a single organization. The emails may appear to come from another staff member at the same organization, asking you to confirm or send sensitive data.
1. Notice how the bogus email has been spoofed using a compromised user account. This was a clever disguise, as it appears to come from a boisestate.edu account. Notice also that it is CC’d to the email account “email@example.com”. If you have any suspicions about a boisestate.edu account, please contact the Help Desk directly at 426.HELP (426.4357).
2. Be suspicious of any email that requires “immediate action” or creates a sense of urgency. This is a common technique to rush people into making a mistake. Look at what the message is stating. Ask yourself if it makes sense; if not, it is highly likely that the email is a phishing attack.
Just because you received an email that appears to be from a trusted source or colleague does not mean they sent it. Their computer may have been infected or their account may be compromised. If an email requires you to perform an action or requests personal information including credentials, then call the email source or colleague to confirm the authenticity of the request prior to releasing any information.