What Is Phishing?
“Phishing” refers to an attack that uses email or a messaging service (like those on social media sites) to trick you into taking an action, such as clicking on a link or opening an attachment. By falling victim to such an attack, you risk having your highly sensitive information stolen and/or your computer infected. Attackers work hard to make their phishing emails convincing. For example, they will make their email look like it came from someone or something you know, such as a friend or a trusted company you frequently use. They will even add logos of your bank or forge the email address so the message appears more legitimate. Then the attackers send these phishing emails to millions of people. They do not know who will fall victim; all they know is that the more emails they send, the greater the chance of success. Phishing is similar to using a net to catch fish: you do not know what you will catch, but the bigger the net, the more fish you will find.
What Do Phishers Want?
Phishers want personal information such as passwords, social security numbers, and banking information. There are several ways that attackers will try to acquire this information:
- Harvesting: The attacker emails you a link that takes you to a website that appears legitimate. This website then asks you to provide your account information or personal data. However, the site is fake, and any information you enter goes directly to the attacker.
- Malicious Links: The attacker sends you an email with a link. If you click on the link, it takes you to a website that launches an attack on your device that, if successful, infects your system. This gives them control of your device.
- Malicious Attachments: The attacker emails you an infected file, such as a Word document. Opening the attachment triggers the attack, potentially giving the attacker control of your system.
- Scams: Some phishing emails are nothing more than scams by con artists who have gone digital. They try to fool you by saying you won the lottery, pretending to be a charity needing donations or asking for your help to move millions of dollars. If you respond to any of these, they will say they first need payment for their services or access to your bank account, scamming you out of your money.
Avoid Being a Victim
In almost all cases, opening and reading an email or message is fine. For a phishing attack to work, the bad guys need to trick you into doing something. Fortunately, there are warning signs you can watch for and steps you can take to protect yourself.
- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
- You receive an email with an attachment you were not expecting, or the email pressures you to open the attachment. Examples include an email claiming its attachment contains details of unannounced layoffs or employee salary information, or a letter from the IRS saying you are being prosecuted.
- Instead of using your name, the email uses a generic salutation like “Dear Customer.” Most companies or friends contacting you know your name.
- The email requests highly sensitive information, such as your credit card number or password.
- Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
- The email says it comes from an official organization, but has poor grammar or spelling, or uses a personal email address like @gmail.com, @yahoo.com, or @hotmail.com.
- You receive a message from someone you know, but the tone or wording just does not sound like him or her. If you are suspicious, call the sender to verify they sent it. It is easy for a cyber attacker to create an email that appears to be from a friend or coworker.
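The warning signs above can be checked mechanically. The checker below is an added example, not part of the original page: it looks for a free webmail sender, a generic salutation, a request for sensitive data, and link domains that imitate a trusted domain through a spelling variation or a .com/.net-style suffix swap. The trusted domain list and the two sample messages are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear member", "dear account holder")
SENSITIVE_TERMS = ("password", "credit card", "social security", "account number")

def registered_domain(host):
    # Keep the last two labels (www.boisestate.edu -> boisestate.edu); ignores .co.uk-style suffixes.
    return ".".join(host.lower().split(".")[-2:])

def lookalike(domain, trusted):
    # Return the trusted domain that `domain` imitates (suffix swap or near-spelling), else None.
    if domain in trusted:
        return None
    name, _, tld = domain.rpartition(".")
    for t in trusted:
        tname, _, ttld = t.rpartition(".")
        if name == tname and tld != ttld:  # e.g. boisestate.net vs boisestate.edu
            return t
        if SequenceMatcher(None, name, tname).ratio() >= 0.8:  # e.g. b0isestate
            return t
    return None

def red_flags(sender, body, trusted):
    # Return (code, detail) pairs, one per warning sign found in the message.
    flags = []
    sdom = registered_domain(sender.rsplit("@", 1)[-1])
    if sdom in FREEMAIL:
        flags.append(("freemail-sender", sdom))
    elif lookalike(sdom, trusted):
        flags.append(("lookalike-sender", sdom))
    text = body.lower().lstrip()
    if text.startswith(GENERIC_SALUTATIONS):
        flags.append(("generic-salutation", text.split("\n", 1)[0].strip()))
    flags += [("sensitive-request", t) for t in SENSITIVE_TERMS if t in text]
    for url in re.findall(r"https?://[^\s<>]+", body):
        host = registered_domain(urlparse(url).hostname or "")
        target = lookalike(host, trusted)
        if target:
            flags.append(("lookalike-link", f"{host} imitates {target}"))
    return flags

# Constructed sample messages (not real mail) checked against an assumed trusted domain.
TRUSTED = {"boisestate.edu"}
PHISH = red_flags("helpdesk@gmail.com", "Dear Customer,\nYour password expires today. Reset it at "
                  "http://boisestate.net/login or http://b0isestate.edu/reset", TRUSTED)
LEGIT = red_flags("helpdesk@boisestate.edu", "Hi Alex,\nThe OIT page is at "
                  "https://www.boisestate.edu/oit/ if you need it.", TRUSTED)
```

A real mail filter would add sender authentication results and a public-suffix list; this version only shows how each listed sign maps to a concrete check.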
What to Do if You Are a Victim
If you believe an email or message is a phishing attack, simply delete it. In the end, common sense is your best defense. Unfortunately, you may still fall victim to a phishing scam. If that is the case, take the following actions:
- If you believe you might have revealed sensitive information about yourself or Boise State University, report it to the OIT Help Desk at 426-4357 or firstname.lastname@example.org.
- If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplained charges to your account.
- Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
- Watch for signs of identity theft.
Information provided via SANS and US-CERT