Fight The Phish
Phishing attacks occur when a bad actor sends fake emails or text messages in an attempt to get victims to disclose sensitive information. Not every unsolicited email is a phishing attack, but each one should be inspected for other suspicious elements that may help you determine whether it's legitimate. According to the Verizon Data Breach Report, phishing attacks account for more than 80% of reported security incidents.
Here at OHIO, we provide multiple resources to help identify phishing messages and prevent our community from falling victim to scams.
Identifying malicious emails
- Unsolicited. Be cautious of emails that you were not expecting to receive.
- Too good to be true. If it sounds too good to be true, it probably is. Part-time job scams often offer to pay an exorbitant amount of money for a simple task.
- Asking for personal or financial information. Report emails asking for personal information.
- Deceptive web links. Hover your mouse over the hyperlink to view its true destination. If you don't recognize it, don't click it.
- Variations of legitimate addresses. For example, an email address ending in @ohio-edu.org instead of @ohio.edu.
- Fake sender's address. Click the sender's name to view the email address.
- Requesting urgency. Urgency is meant to push users to act quickly, before they notice suspicious elements.
- Fraudulent sites often don't start with HTTPS. The s stands for secure. Never sign into websites that are not using HTTPS.
- Misspelled words and bad grammar. Phishing emails often contain misspellings and grammar issues.
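Three of the checks above (variations of legitimate addresses, deceptive web links, and links that do not use HTTPS) can be applied mechanically to a message. The Python below is an added example, not an OHIO tool; the sample message is constructed, and the function and class names are hypothetical.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "ohio.edu"  # the legitimate domain named on the page
# Constructed sample message (not a real email).
SAMPLE_FROM = '"OHIO Help Desk" <helpdesk@ohio-edu.org>'
SAMPLE_BODY = ('<p>Your mailbox is full. Act now: '
               '<a href="http://login.ohio-edu.org/verify">https://www.ohio.edu/login</a></p>')

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_trusted(host):
    host = (host or "").lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)

def looks_like_trusted(host):
    """True for a domain that imitates the trusted one, e.g. ohio-edu.org."""
    squashed = (host or "").lower().replace("-", "").replace(".", "")
    return not is_trusted(host) and TRUSTED_DOMAIN.replace(".", "") in squashed

def check_message(from_header, html_body):
    findings = []
    sender_domain = parseaddr(from_header)[1].rpartition("@")[2]
    if looks_like_trusted(sender_domain):
        findings.append(f"lookalike sender domain: {sender_domain}")
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        url = urlparse(href)
        if url.scheme == "http":
            findings.append(f"plain-HTTP link: {href}")
        # Only compare when the visible text itself looks like a URL or hostname.
        shown = None if " " in text else urlparse(text if "://" in text else "//" + text).hostname
        if shown and "." in shown and shown != url.hostname:
            findings.append(f"link text shows {shown} but goes to {url.hostname}")
    return findings
```

An empty result does not mean a message is safe: these checks cover only part of the list above, and a site that uses HTTPS can still be fraudulent.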
Types of phishing messages
- Email impersonation or spoofing is a forgery of a message so it appears to have originated from a legitimate sender. This is a popular tactic by attackers since the recipient is more likely to open a message from a familiar source. These attacks often turn into gift card scams where the attacker influences the individual to buy gift cards.
- Part-time job scams often target college students or alumni who may be searching for job opportunities. These scams are fake job offers that are usually too good to be true, offering high wages for little work. Be wary of any unsolicited emails with this characteristic, especially ones that send a check prior to you beginning any work. The scammer often will request you to wire a portion of the check back to them, and you will lose that amount of money.
- Emails tagged as malware have been identified as containing a link or an attachment that directs your machine to install malicious software. Generally, malicious software can delete or steal personal information, slow down your computer, encrypt your files and hold them for ransom, or display unwanted advertisements.
- Extortion email messages threaten the recipient and demand a payment, often in the form of a cryptocurrency like Bitcoin. A popular extortion category is known as sextortion, where the attacker will claim they have malware installed on your computer that captured embarrassing photos of you. Attackers may also leverage previously breached credentials for services tied to your email address to provide a level of authenticity to their message.
- Vishing is a type of social engineering attempt that takes place over the phone. The call comes from a random or spoofed phone number, and a bad actor attempts to collect valuable personal information by claiming to be a debt collector or other type of customer service representative.
Additional phishing resources
- The Phish Bowl is where Information Security Analysts post the latest widespread phishing messages the University receives.
- Online IT Security Training is free training that teaches the community tips and tricks on how to spot phishing messages.
- Follow these email best practices to avoid crafting emails that appear to be phishing.
- Request a simulated phishing exercise facilitated by the Information Security Office for your department.