Phishing – a word that strikes fear in the heart of anyone concerned with cybersecurity. Which should be everyone. Once mainly an email-based attack, phishing has developed into smishing (phishing via text) and vishing (phishing via phone call). What are the tell-tale signs of a phishing attack?
Hover, don’t click.
The following text is an excerpt from an actual phishing message from last winter:
Notice: You have to appear in court on 18th January 2018. Copy of the Court Notice is attached to this email. Please click here and read it thoroughly.
Ignoring the grammatical mistakes in this email, one clear phishing trademark remains: the link. You should always hover your mouse over a link to see the url. On a mobile device, you can tap and hold on the link to view the url. Does it look legitimate? In this case, the link directed you to an earthlink.net address, which is not what the court system uses.
Who sent the message?
In the example above, the email was sent from an @philasd address – the Philadelphia school system. How likely is it that you would receive a notice to appear in court from someone in the Philly school system? Hint: not at all.
In a similar vein, it’s wise to verify the identity of the sender. If you receive a text from your aunt asking to wire her money or a message from your boss telling you to transfer money to a bank, contact the person another way. Call them and make sure they really sent that message.
Watch out for passwords.
If someone is asking for a password or PIN number, be it via email, text, or phone call, do not give it to them. Your bank will never as for your PIN. ITS will never ask for your password. You may even get calls from people claiming to be the IRS. While these may seem especially scary, the IRS sends documents via mail. They do not call people.
Trust your gut.
Does the message that you got feel…wrong? Trust your instincts. Beware of scare tactics. If a message seems very frightening, it’s probably not real. Take a moment and review the available information. Does it feel “real?” If in doubt, you can contact the help desk at firstname.lastname@example.org or ex. 3333.
Remember to report any phishing messages using the Phishing Alert Button.
Adapted from Educause.