Week 4 (October 16-22) >> Phishing Attacks
What is phishing? Any attempt to get you to divulge confidential or other valuable information about yourself, others, or organizations you work for or represent. Phishing is usually accomplished today through e-mail, but it can be done over the phone or face to face. These types of scams are nothing new but have evolved to take advantage of the electronic communication explosion.
Often these attempts seem innocent and may even "appear" to come from a legitimate source. The criminals hope to lure and hook you, not unlike a real fisherman using enticing bait with a nasty hook. These scams often prey on your fears, compassion, greed, trust, and any other human emotion or response that can be manipulated.
Phishing e-mails are not all someone posing as a Nigerian prince who needs to stash his inheritance in your bank account. Phishing attacks are becoming more sophisticated and targeted. Some criminals are after a particular piece of information and may target an individual or group of individuals. They research the target well and then craft a very specific communication. This type of attack is often called spear phishing.
Indicators of a phishing e-mail
- May have bad grammar
- May have poor spelling
- Tone of the email is characterized by urgency
- The e-mail may ask for personally identifiable information, usernames, or passwords
- The communication may contain a link to a phony webpage or phone number
- The e-mail may read like official communication, contain official logos, use legal jargon
- The e-mail contains an attachment and you are being enticed to open it
- The e-mail is unexpected and falls outside your normal pattern of communication
Tips
The sender's e-mail address is not a good indication of whether the e-mail is legitimate. Just because the address says it is from your best friend does not mean that your best friend sent you the e-mail.
Even if you see your bank's logo in the e-mail, it does not mean that the communication is from your bank. When in doubt, contact your financial institution using a phone number that you received when setting up the account, NOT a phone number in the e-mail.
No reputable organization will ask you to verify your account by sending personal information via e-mail (username, password, SSN, credit card number, etc.). When in doubt, contact that organization directly using a trusted phone number, or visit the organization's web site and log in as you normally would to check the status of your account.
Never click on links in a suspicious e-mail. Instead, open a browser and type in the URL manually.
Act immediately if you have been hooked by a phisher. Contact the FTC's ID Theft Clearinghouse http://www.consumer.gov/idtheft or 877-438-4338. Report fraud to the National Consumers League http://www.fraud.org.
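The indicator checklist above, together with the tips on links and requests for credentials, can be turned into a simple automated screen that flags mail for a human to look at. The following Python is an added example, not code from the original page: it checks a raw e-mail for urgency wording, requests for credentials, links, link text that shows a different host than the link target, and attachments; the phrase lists, header values and the sample message are all constructed for the demonstration.

```python
import re
from email import message_from_string
# Added example, not from the original page: phrase lists and the sample message are constructed.
URGENCY = ("immediately", "urgent", "within 24 hours", "will be suspended", "act now")
CREDENTIAL = ("password", "username", "social security", "ssn", "credit card", "verify your account")
URL_RE = re.compile(r"https?://([^/\s\"'<>]+)")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="https?://([^/"]+)[^"]*"[^>]*>(.*?)</a>', re.S)

def _body_text(msg):
    # Concatenate the text/* bodies, skipping parts marked as attachments.
    return "\n".join(
        (p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk()
        if p.get_content_maintype() == "text" and "attachment" not in str(p.get("Content-Disposition", "")))

def phishing_indicators(raw_message):
    msg = message_from_string(raw_message)
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    hits = set()
    if any(p in text for p in URGENCY):
        hits.add("urgency")
    if any(p in text for p in CREDENTIAL):
        hits.add("credential_request")
    if URL_RE.search(text):
        hits.add("link")
    # Link text shows one host while the href actually points at another.
    for href_host, anchor_text in ANCHOR_RE.findall(text):
        shown = URL_RE.search(anchor_text)
        if shown and shown.group(1) != href_host:
            hits.add("link_text_mismatch")
    if any("attachment" in str(p.get("Content-Disposition", "")) for p in msg.walk()):
        hits.add("attachment")
    return hits

PHISH = """\
From: "Example Bank" <alerts@examplebank-notice.test>
Subject: Urgent: verify your account within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Your account will be suspended. Confirm your password at
<a href="https://login.examplebank-notice.test/verify">https://www.examplebank.test/login</a></p>
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="statement.pdf"

--b1--
"""
```

A clean result is not proof that a message is legitimate: as the tips say, the sender address and logos can be forged, so this only sorts mail for human review rather than deciding for the reader.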
Phishing simulation
Phishing simulation with education from Pacific Northwest National Laboratory (U.S. Dept of Energy) http://www.pnl.gov/coginformatics/showcase/simulation/phishing/phishing.html