Recognizing and Reporting Phishing
With the increased use of online resources to conduct school and work, phishing messages are a common occurrence in today’s world. Phishing occurs when a bad actor sends fraudulent emails, text messages, or Teams messages in an attempt to get individuals to disclose sensitive information. While not every unsolicited email is a phishing attack, it should be inspected for other suspicious elements that may help you identify if it's legitimate. According to the Verizon Data Breach Report, phishing attacks account for more than 80% of reported security incidents.
Identifying malicious emails
Be on the lookout for the following characteristics that can help you identify phishing messages:
- Unsolicited. Be cautious of emails that you were not expecting to receive.
- Too good to be true. If it sounds too good to be true, it probably is. Part-time job scams often offer to pay an exorbitant amount of money for a simple task.
- Asking for personal or financial information. Report emails asking for personal information.
- Deceptive web links. Hover your mouse over the hyperlink to view its true destination. If you don't recognize it, don't click it.
- Variations of legitimate addresses. For example, an email address ending in @ohio-edu.org instead of @ohio.edu.
- Fake sender's address. Click the sender's name to view the actual email address behind it.
- Requesting urgency. The intention of urgency is to influence users to act quickly so they don't notice suspicious elements.
- Fraudulent sites often don't start with HTTPS. The "s" stands for secure. Never sign in to websites that are not using HTTPS, and keep in mind that HTTPS alone does not prove a site is legitimate.
- Misspelled words and bad grammar. Phishing emails often contain misspellings and grammar issues.
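The traits above can be turned into simple detection rules. The checker below is an added example, not code from the Information Security Office; the sample message, the trusted-domain set and the urgency word list are constructed assumptions, and the lookalike test simply checks whether a trusted domain's letters are embedded in the sender's domain (as in ohio-edu.org versus ohio.edu).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message) showing the traits listed above.
SAMPLE_EML = """\
From: "OHIO Help Desk" <helpdesk@ohio-edu.org>
Subject: URGENT: verify your mailbox
Content-Type: text/html

<p>Your account will be suspended. Verify immediately:</p>
<a href="http://login.ohio-edu.org/verify">https://www.ohio.edu/login</a>
"""

TRUSTED_DOMAINS = {"ohio.edu"}          # assumption: the real institutional domains
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def squash(domain: str) -> str:
    # Strip dots and hyphens so ohio-edu.org and ohio.edu compare as ohioeduorg / ohioedu.
    return domain.lower().replace(".", "").replace("-", "")

def is_trusted(domain: str) -> bool:
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)

def is_lookalike(domain: str) -> bool:
    # An untrusted domain that embeds a trusted domain's letters is a variation of it.
    return not is_trusted(domain) and any(squash(t) in squash(domain) for t in TRUSTED_DOMAINS)

def scan(raw: str) -> list[str]:
    """Return one human-readable finding per phishing trait detected in the message."""
    msg = message_from_string(raw)
    findings = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if is_lookalike(sender_domain):
        findings.append(f"sender domain '{sender_domain}' imitates a trusted domain")
    body = msg.get_payload()
    for href, text in ANCHOR_RE.findall(body):
        target = urlparse(href)            # where the link really goes
        shown = urlparse(text.strip())     # what the reader sees
        if shown.hostname and shown.hostname != target.hostname:
            findings.append(f"link text shows {shown.hostname} but goes to {target.hostname}")
        if target.scheme == "http":
            findings.append(f"link to {target.hostname} does not use HTTPS")
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings
```

Running `scan(SAMPLE_EML)` reports the lookalike sender, the mismatched link, the plain-HTTP link and the urgency wording; a message from a trusted domain with honest links returns an empty list.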
Types of phishing messages
Email impersonation or spoofing is a forgery of a message so it appears to have originated from a legitimate sender. This is a popular tactic by attackers since the recipient is more likely to open a message from a familiar source. These attacks often turn into gift card scams where the attacker influences the individual to buy gift cards.
Part-time job scams often target college students or alumni who may be searching for job opportunities. These scams are fake job offers that are usually too good to be true, offering high wages for little work. Be wary of any unsolicited emails with this characteristic, especially ones that send a check prior to you beginning any work. The scammer often will request you to wire a portion of the check back to them, and you will lose that amount of money.
Emails tagged as malware have been identified to contain a link or an attachment that directs your machine to install malicious software. Generally, malicious software can delete or steal personal information, slow down your computer, encrypt your files and hold them for ransom, or display unwanted advertisements.
Extortion email messages threaten the recipient and demand a payment, often in the form of a cryptocurrency like Bitcoin. A popular extortion category is known as sextortion, where the attacker will claim they have malware installed on your computer that captured embarrassing photos of you. Attackers may also leverage previously breached credentials for services tied to your email address to provide a level of authenticity to their message.
Vishing is a type of social engineering attempt that takes place over the phone. A call arrives from a random or spoofed phone number, and a bad actor attempts to collect valuable personal information by claiming to be a debt collector or another type of customer service representative.
Before reporting a phishing message, be sure to check out The Phish Bowl, where the Information Security Office posts the latest widespread phishing messages the University receives. Suspected phishing messages should be reported to the Information Security Office by emailing firstname.lastname@example.org. When reporting a phishing message, please forward the email as an attachment so the original headers are preserved.
Additional phishing resources
Here at OHIO, the Information Security Office provides multiple resources to help identify phishing messages and prevent our community from falling victim to scams. Be sure to check out the resources below!
- The Phish Bowl is where Information Security Analysts post the latest widespread phishing messages the University receives.
- Online IT Security Training is free training that teaches the community tips and tricks on how to spot phishing messages.
- Follow these email best practices to avoid crafting emails that appear to be phishing.
- Request a simulated phishing exercise facilitated by the Information Security Office for your team or department.