
Phishing is a “social engineering” attack in which malicious individuals send carefully crafted email messages to manipulate recipients into doing things they shouldn’t. These bad actors often use fear, urgency, or the promise of rewards to pressure people into making hasty, poorly considered decisions. Their ultimate aim is usually to defraud their targets of money or to obtain private information such as login credentials. While email service providers are constantly improving their phishing detection, threat actors likewise improve their methods to evade these controls. This is why it is critical that email users be equipped to recognize and appropriately respond to phishing attempts. Here are the key characteristics to check before you trust a message (a message that fails any one of them deserves suspicion; passing all of them does not guarantee it is genuine, since a real account can be compromised):
- Familiar Sender: The sender should be someone you know and expect to receive messages from.
- Correct Email Address: The email address is the sender’s genuine address.
- Valid Domain: The domain part of the email address (the portion following the “@” symbol) matches the sender’s organization. Business correspondence should not be coming from Gmail or some other free mail service.
- Safe Links: When hovering your cursor over any hyperlink within the message, ensure the destination shown corresponds to a known, reputable website. The visible link text can say one thing while the actual destination is somewhere else entirely, so compare the two. On a phone, press and hold the link to reveal its destination before opening it.
Look out for impersonation attempts. Threat actors will often create a Gmail or other free mail account and set the display name to that of a person you know. They hope you will not notice that the message is from an unfamiliar email address, or that you will assume it was an innocent mistake and the sender accidentally sent the message from a personal account. Do not respond to these messages. Confirm with the supposed sender that the message is genuine using a known good email address. Threat actors will also use genuine document-sharing services like Google Drive, Office 365, and Dropbox to bypass phishing filters. As with other impersonation attempts, they will change the display name to something familiar, so carefully examine the sender’s email address. If it is not what you are expecting, check with the sender using a known good communication method.
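The checks above (sender address vs. display name, free-mail domain, and link text vs. real link destination) can be applied mechanically as well as by eye. The script below is an added example written for this page, not a tool from the College or from Gmail. It uses only the Python standard library. The contact list, the set of free mail domains, the trusted link hosts, and the sample message are all constructed placeholders for the demonstration.

```python
"""Triage a raw email against the checks described above: known display
name with the wrong address, free-mail sender domain, and links whose
visible text does not match their real destination.
Everything below is an added example; the message and lists are constructed."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for the example: people you correspond with and their genuine
# addresses, domains of free mail services, and hosts you expect links to use.
KNOWN_CONTACTS = {"jane doe": "jane.doe@college.example"}
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
TRUSTED_LINK_HOSTS = {"college.example", "www.college.example"}

# Constructed sample: a known colleague's display name on a free-mail address,
# urgency in the subject, and a link whose text hides its real destination.
SAMPLE_EML = """\
From: Jane Doe <jane.doe.office@gmail.com>
To: you@college.example
Subject: Urgent: payroll update required
Content-Type: text/html; charset=utf-8

<html><body><p>Please confirm your details today at
<a href="http://college-login.test/verify">https://www.college.example/hr</a>
or your payment will be delayed.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect [href, visible text] pairs from the anchors in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data  # anchor text may arrive in pieces

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def host_of(text):
    """Lowercase hostname from a URL or bare domain; '' if none."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def triage(raw):
    """Return a list of warning strings; an empty list means no check fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    display_name, address = parseaddr(str(msg["From"]))
    domain = address.rsplit("@", 1)[-1].lower()

    # Correct Email Address: a familiar name on an address we do not expect.
    expected = KNOWN_CONTACTS.get(display_name.strip().lower())
    if expected and expected.lower() != address.lower():
        warnings.append(f"display name '{display_name}' but address is "
                        f"{address} (expected {expected})")

    # Valid Domain: business mail should not come from a free mail service.
    if domain in FREE_MAIL_DOMAINS:
        warnings.append(f"sender domain {domain} is a free mail service")

    # Safe Links: visible text vs. real destination, and unknown hosts.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = host_of(href)
            looks_like_url = "." in text and " " not in text.strip()
            shown = host_of(text) if looks_like_url else ""
            if shown and shown != target:
                warnings.append(f"link text shows {shown} but points to {target}")
            if target and target not in TRUSTED_LINK_HOSTS:
                warnings.append(f"link to untrusted host {target}")
    return warnings


if __name__ == "__main__":
    for w in triage(SAMPLE_EML):
        print("WARNING:", w)
```

Run on the sample, every check fires: the display name belongs to a known contact but the address does not match, the domain is a free mail service, and the link text names the College site while the href goes to a different host. A message from the contact's real address with a link to the College site produces no warnings. The same logic is what you are doing by eye when you hover over a link or read past the display name to the address itself.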
If you spot a phishing message, you might be inclined just to delete it or mark it as spam. However, you can help protect others by reporting it as phishing. In Gmail, open the message and choose “Report phishing” from the “More” (three-dot) menu in the upper right-hand corner of the message. For more detailed information on how to report phishing, check out this short instructional video:
1 Minute on How to Report Phishing
Understand that threat actors are applying these same methods to other platforms, such as social media, text messages, and phone calls. Today, a significant portion of social engineering attacks take the form of phone calls. If you receive a suspicious call requesting payment or sensitive information like Social Security numbers, bank account details, usernames, or passwords, hang up. If the caller claims to be from an organization you deal with, call that organization back using a number you already know to be genuine, not one the caller gives you.
Phishing Simulation: The College is committed to performing four phishing simulations yearly, two in the spring and two in the fall. Our first exercise this fall will be this month, sometime between October 23 and 27. During this period, look for a suspicious message delivered to your inbox and report it as you would any genuine phishing message. Feel free to work together with your teammates; this is what we want you to do with real malicious emails.