Recognizing and Reporting Phishing
With the increased use of online resources to conduct school and work, phishing messages are a common occurrence in today’s world. Phishing occurs when a bad actor sends fraudulent emails, text messages, or Teams messages in an attempt to get individuals to disclose sensitive information, either in their replies or by clicking on links. While not every unsolicited email is a phishing attack, each one should be inspected for suspicious elements that help you determine whether it is legitimate. According to the Verizon Data Breach Report (2020), phishing attacks account for more than 80% of reported security incidents.
To help illustrate the dangers of phishing, read the following story. It is followed by tips for identifying and reporting malicious communications.
Falling for the Bait
Mackenzie is a staff member at Ohio University. On a Friday afternoon, she checks her email before leaving work. At the top of her inbox, she finds a new email titled ‘PAYROLL – RAISE INFORMATION.’ In the email, the signature says it is from Human Resources and includes a link for her to log in to My Personal Information to check her raise amount. Mackenzie is not expecting a raise and needs to leave work soon to go feed her cats, so she quickly clicks on the link. The link takes her to a site that looks much like OHIO’s multi-factor authentication webpage. Mackenzie enters her email and password, and submits the authentication numbers on her phone app. The link then redirects her to a weird site, but at this point, it is after 5 p.m. and she needs to leave.
When Mackenzie arrives at work on Monday, she remembers the email about her raise and goes to check her inbox. She is unable to log in. Mackenzie calls the OIT Service Desk and finds out that her account has been compromised. When she entered her credentials and approved the authentication, she gave a bad actor full access to her OHIO account. This attacker was then able to send hundreds of emails to Ohio University students with a part-time job offer from Mackenzie’s email address. One of the students reported the job scam to the Information Security Office, and Mackenzie’s account was then disabled. Fortunately for Mackenzie, she does not reuse passwords, so the bad actor was not able to access any of her other accounts.
Identifying Malicious Emails
Once Mackenzie changed her password and was able to access her account, she opened the email titled ‘PAYROLL – RAISE INFORMATION’ again. This time, she spots that the sender’s email address is a Gmail account and not HR’s official ohio.edu address. She then hovers over the link for My Personal Information and sees that the URL does not point to the legitimate My Personal Information page. Once she slows down and truly looks at the email, she is able to identify it as a phishing message.
Here are some additional characteristics of a phishing message that she could have looked for:
Unsolicited. Be cautious of emails that you were not expecting to receive.
Too good to be true. If it sounds too good to be true, it probably is. Part-time job scams often offer to pay an exorbitant amount of money for a simple task.
Asking for personal or financial information. Report emails asking for personal information.
Deceptive web links. Hover your mouse over the hyperlink to view its true destination. If you don't recognize it, don't click it.
Variations of legitimate addresses. For example, an email address ending in @ohio-edu.org instead of @ohio.edu.
Fake sender's address. Click the sender's name to view the actual email address behind it.
Requesting urgency. Urgency is used to push you to act quickly, before you have time to notice suspicious elements.
Fraudulent sites often don't start with HTTPS. The "s" stands for secure. Never sign into websites that are not using HTTPS, but keep in mind that HTTPS alone does not prove a site is legitimate; fraudulent sites can use it too.
Misspelled words and bad grammar. Phishing emails often contain misspellings and grammar issues.
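The checks in this list can be applied mechanically to a message. The following Python script is an added example, not part of the original article and not an Ohio University tool: it runs the fake-sender, lookalike-domain, deceptive-link, non-HTTPS and urgency checks against a constructed sample message modelled on Mackenzie's email. The trusted domain ohio.edu is an assumption to adjust per organisation, and the anchor regex is a deliberately simple stand-in for a real HTML parser.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = "ohio.edu"  # assumed legitimate organisation domain (adjust per org)
URGENCY = ("immediately", "urgent", "act now", "within 24 hours")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.S)  # (href, text)
# Constructed sample modelled on the story above; not a real message.
SAMPLE = """\
From: "OHIO Human Resources" <hr.payroll.updates@gmail.com>
Content-Type: text/html

<p>Verify your raise <b>immediately</b> at
<a href="http://ohio-edu.org/login">https://my.ohio.edu/</a></p>
"""

def is_trusted(domain):
    return domain == TRUSTED or domain.endswith("." + TRUSTED)

def is_lookalike(domain):
    """ohio-edu.org is a variation: its letters alone, 'ohioeduorg', start with 'ohioedu'."""
    letters = lambda d: "".join(c for c in d.lower() if c.isalpha())
    return not is_trusted(domain) and letters(domain).startswith(letters(TRUSTED))

def triage(raw):
    """Return the checklist indicators that fire for one raw email."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    hits = set()
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    if "ohio" in name.lower() and not is_trusted(sender):
        hits.add("fake sender address")  # display name claims OHIO, mailbox does not
    if is_lookalike(sender):
        hits.add("variation of legitimate address")
    for href, text in ANCHOR.findall(body):
        real, shown = urlparse(href), urlparse(text.strip())
        if real.scheme != "https":
            hits.add("link not using HTTPS")
        if is_lookalike(real.hostname or ""):
            hits.add("variation of legitimate address")
        if shown.hostname and shown.hostname != real.hostname:
            hits.add("deceptive web link")  # visible URL differs from true destination
    if any(w in body.lower() for w in URGENCY):
        hits.add("requesting urgency")
    return sorted(hits)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A message with no hits is not proof of legitimacy; the checks only flag the indicators from the list above, and a message from a compromised ohio.edu account would pass the sender checks.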
If Mackenzie was unsure whether this was a phishing message, she could have checked The Phish Bowl, where the Information Security Office posts the latest widespread phishing messages the University receives. The Phish Bowl also includes legitimate messages that people might have questions about.
If Mackenzie did not see ‘PAYROLL – RAISE INFORMATION’ on the Phish Bowl, she should have reported the suspected phishing message to the Information Security Office by emailing email@example.com. When reporting a phishing message, please forward the email as an attachment.
Once the phishing message has been reported, do not click any links in it (even to unsubscribe) and do not reply. Simply delete the message.
Additional Phishing Resources
Here at OHIO, the Information Security Office provides multiple resources to help identify phishing messages and prevent our community from falling victim to scams. Be sure to check out the resources below!
Online IT Security Training is free training that teaches the community tips and tricks on how to spot phishing messages.
Follow these email best practices to avoid crafting emails that appear to be phishing.
Request a simulated phishing exercise facilitated by the Information Security Office for your team or department.