Week 3: Don't Get Phished!
Topic: Phishing
According to data released by the FBI’s Internet Crime Complaint Center (IC3) in its 2019 Internet Crime Report, 467,361 phishing-related complaints were received in 2019 -- an average of nearly 1,300 every day. These complaints resulted in more than $3.5 billion in losses to individual and business victims. The most frequent category of internet crime reported was phishing.
Phishing is a type of social engineering that often comes in the form of an email or text appearing to be from a trusted source but are, instead, from criminals attempting to trick you into divulging personal information.
There are many variations of phishing. Make sure you're on the lookout for these variants on the traditional, mass emailed phishing attack:
- Phishing: It is a term used to describe fraudulent e-mail messages that masquerade as a bank, credit card company, or retailer asking you to provide personal data through a web page.
- Spear phishing: This is a targeted attack that purports to come from someone with authority, often targeting those who can conduct financial transactions on behalf of your organization.
- Whaling: Whaling attacks target one person, typically a highly placed executive, in order to steal money or gain sensitive information.
- Smishing: Phishing attacks via SMS text messages. These scams attempt to trick users into supplying content or clicking on links in SMS messages on their mobile devices. Flaws in how caller ID and phone number verification work make this an increasingly popular attack that is hard to stop.
- Vishing: Voice phishing, these are calls from attackers claiming to be government agencies such as the IRS, software vendors like Microsoft, or services offering to help with benefits or credit card rates. Attackers will often appear to be calling from a local number close to yours. As with smishing, flaws in how caller ID and phone number verification work make this a dangerous attack vector.
Beware the Dangers of Phishing:
A TikTok phishing story in two parts.
Tools and Tips
- KNOW THE SIGNS. Does the message/phone call start with vague information, a generic company name, like "card services,", include an urgent request, have poor grammar and misspellings, and/or include an offer that seems impossibly good? Hang up or click that delete button.
- CHECK THE URL. Be certain that the site you are on is legitimate before entering your username and password, particularly if you were led to the site after clicking on a link via an email or text.
- DON’T GET HOOKED. For any unexpected messages from known contacts, reach out to that contact using another verified method (such as a phone call to a known number) to confirm the message's authenticity. This is an especially important action if there is a link, attachment, or money request involved.
- DON’T ENGAGE. Do not engage with scammers if they phone you, even if you want to tell them that you know it’s a scam. Just hang up immediately.
- BE AWARE, DON’T SHARE. Do not divulge any personal information unless you have verified the source is legitimate. When in doubt, opt out.
How Do I Report Phishing Emails?
If you receive a phishing email, please forward the message to [email protected]. Do not attempt to open any links, do not download any attachments, and do not reply to the message.
After reporting to [email protected], you can report phishing directly to Google if you are using the Gmail interface by doing the following:
- Sign in to Gmail.
- Open the message you would like to report.
- Click the triple-dot icon next to “Reply”, located at the top-right of the message pane.
- Select “Report Phishing”.
Resources
Visit the IT Security Office Phishing webpage to see other examples of phishing emails and the 2020 SDSU Cybersecurity Awareness Month website for further information. In addition,
Be sure to follow ITSO on TikTok, Twitter @SDSUITSO, and retweet #BeCyberSmart #CyberSecurityAwarenessMonth.