Phishing

Protect Against Phishing

Phishing is a form of social engineering. Phishing messages appear to originate from a trusted source and try to trick you into entering valid credentials, revealing your username, password, and other personally identifiable information (PII), or opening a malicious attachment.

Attackers can use this information to:

  • Steal money from victims (modify direct deposit information, drain bank accounts)
  • Perform identity theft (run up charges on credit cards, open new accounts)
  • Send spam from compromised email accounts
  • Use your credentials to access other campus systems, attack other systems, steal University data, and jeopardize the mission of the campus

How Do I Report Phishing Emails?

  1. If you receive a Phishing Email:
  2. After reporting to [email protected], if you are using the Gmail interface, you can report phishing directly to Google:
    1. Sign in to Gmail.
    2. Open the message you'd like to report.
    3. Click the triple-dot icon next to Reply, at the top-right of the message pane.
    4. Select Report phishing.
  3. Delete emails and messages that ask you to confirm or provide personal information.
  4. Do not reply, click on the links, or provide any sensitive information / user credentials.

How Do I Spot Phishing Scams?

Be suspicious of all requests. Ask, "Is this real?" Use the following checklist to check for common signs of phishing messages:

  1. Message indicates urgent action is needed
  2. Message indicates negative consequences will occur if action is not taken
  3. Message is not expected
  4. Message sender is not known or is a forged (spoofed) account
  5. Message cannot be read without opening an attachment
  6. Message requests sensitive information be sent
  7. Message directs users to "click here"
  8. Message uses poor grammar and/or spelling
  9. Sender from: name does not match message signature
  10. Sender email address does not match organization name
  11. Sender email address is not the same as the real address
  12. Sender name is not listed in the campus directory
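
For mail administrators triaging reported messages, several of these signs can be checked automatically. The following Python is an added example, not part of the original page; the sample message, the example.* domains, the keyword lists and the flag names are constructed assumptions. It covers checklist items 1, 2, 7 and 10, plus the mismatch between a link's visible text and its real destination that hovering over the link would reveal.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every name and domain is a placeholder.
SAMPLE = """\
From: "Example University HR" <hr-notice@mail.example.net>
Subject: Urgent update on staff pay

<p>Your benefits will be suspended unless you act immediately. Kindly
<a href="http://login.example.org/hr">click here</a> or visit
<a href="http://portal.example.net/x">https://www.example.edu/hr</a>.</p>
"""

class LinkCollector(HTMLParser):  # collects [href, visible text] per <a>
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"

def checklist_flags(raw, org_domain):
    """Return the sorted names of the checklist signs this message shows."""
    msg = message_from_string(raw)
    body, flags = msg.get_payload(), set()
    if re.search(r"\b(urgent|immediately)\b", f"{msg['Subject']} {body}", re.I):
        flags.add("urgent")             # item 1: urgent action is needed
    if re.search(r"\b(suspended|terminated|deactivated)\b", body, re.I):
        flags.add("consequence")        # item 2: negative consequences
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain != org_domain and not domain.endswith("." + org_domain):
        flags.add("sender-domain")      # item 10: address vs organization
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if "click here" in text.lower():
            flags.add("click-here")     # item 7: directs users to "click here"
        shown = urlparse(text.strip()).hostname
        if shown and shown != urlparse(href).hostname:
            flags.add("link-mismatch")  # link text shows one site, href another
    return sorted(flags)
```

A flagged message still needs human review: these heuristics only prioritize what an analyst looks at first, and a clean result does not prove a message is legitimate.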

Anatomy of a Phishing Email

Most phishing scams have a number of common components. Here are examples of phishing scams that might hit your inbox.

Phishing Email Sample - WHO Internship

Applications are invited for the World Health Organizations (WHO)[1] Internship Program 2020[2]. Work hours are 4-6 hours each week and pay is $350 / week[3]. It offers a wide range of opportunities for students and staff of colleges in the USA to gain insight in the technical and administrative programs of WHO. Prior work experience isn’t needed.. Kindly Click Here[4] to apply or forward this to anybody that might be interested in the program.

Good luck & Best Regards.

Key:

1. Fraud schemes often associate with legitimate organizations.
2. Fake employment offer.
3. Promise of payment is often a trick.
4. Don't click! Hovering your cursor over the link will likely reveal a bogus site.

Phishing Email Sample - UNICEF Internship

Hello,

Just to touch base with you[1] and let you know that there is a 3 month part-time job internship[2] with UNICEF[3]. It’s a work from home job and perfect for students and staff. Flexible Part-Time Job, Earn up to $300 weekly[4]. Get more details and apply below:

APPLY HERE WITH UNICEF INTERNSHIPS[5]

Regards.

Key:

1. Be suspicious of unsolicited or unexpected offers.
2. Fake employment offer.
3. Fraud schemes often associate with legitimate organizations.
4. Promise of payment is often a trick.
5. Don't click! Hovering your cursor over the link will likely reveal a bogus site.

Phishing Email Sample - Financial Scam

---------- Forwarded message ---------
From: Spoofed Name <[email protected]>[1]
Date: Thu, Feb 13, 2020 at 12:45 PM
Subject: Re: Urgent follow up[2]
To: Legitimate Person <[email protected]>

Ok. I’ll be having a busy day, i need 10 pieces of Amazon card $100 face value each , I need to get the physical card then you scratch the card take a picture of the card pin, attach and email it to me or order online from the amazon store online[3]. How soon can you get this done?

Regards
Spoofed Signature[4]

Key:

1. Spoofed Email.
2. Sense of Urgency.
3. The Scam.
4. Spoofed Signature.

Phishing Email Sample - Spoofed Contact

---------- Forwarded message ---------
From: San Diego State university <[email protected]>[1]
Date: Wed, Mar 25, 2020 at 10:09 PM
Subject: Changes on Staff Pay and Benefits[2]
To:

Dear colleagues,

There is an urgent update[3] about the staff pay and benefits for the month of march[4] kindly check the HR information page[5] for more detail information.

Fake Signature Block[6]
San Diego State University
San Diego,
California
92182

Attachment[7]

Key:

1. Spoofed Email Address.
2. Legitimate Subject.
3. Sense of Urgency and Account Status Threat.
4. Bad Grammar and Typos.
5. Fake URL.
6. Fake Signature Block.
7. Suspicious Attachment.

Getting Support

If you believe that your system or account has been compromised, please Report an Incident to [email protected].

Get Help

To request a service, create a ServiceNow Ticket and assign the ticket to “IT-ITSO-Help Desk”. Connect with us at [email protected] for security-related questions, consulting, and incident reporting.

IT Security Office
Administration Building

Report an Incident

Please contact the Information Security team immediately if you experience or are aware of any of the following: