Phishing
A phishing email is a scam by which a person is tricked into doing something that they normally would not, through the medium of email. Attackers send phishing emails for a variety of goals, but often, they are trying to steal confidential information (usernames and password combos, credit card information), infect your computer with malware, or trick you into authorizing fraudulent payments. The latter is becoming increasingly common, in fact – this type of scam is usually called ‘spear phishing,’ and involves a personalized, well-researched approach against the victim. Spear phishing campaigns usually target employee tax information, and changing vendor payment information (so that payments go to the attacker instead), but the possibilities are endless.
Even though Campus Technology Services and other legitimate entities would never ask for any personal or sensitive information over an email, there are a couple of things to keep in mind when faced with emails like this:
- Always check the address from the sender, not just the name.
- Always hover over links included in the emails to see where they will take you.
- Always be suspicious of unexpected email attachments and requests for sensitive information.
- Always verify the validity of a suspicious email via a different means of communication, like a phone call.
Spear Phishing or Whaling
This involves very well-crafted messages that look like they come from a trusted VIP source. These scams often target those who can conduct financial transactions on behalf of your organization (sometimes called "whaling"). Another well-known tactic involves requests to purchase gift cards, and then sending the card information and the exposed PIN to the attacker via text, picture message, or email.
Smishing
Phishing attacks via SMS are scams attempting to trick users into supplying content or clicking on links in SMS messages on their mobile devices. Flaws in how caller ID and phone number verification work make this an increasingly popular attack that is hard to stop.
Vishing
Voice phishing are calls from attackers claiming to be government agencies such as the IRS, software vendors like Microsoft, or services offering to help with benefits or credit card rates. Attackers will often appear to be calling from a local number close to yours. As with smishing, flaws in how caller ID and phone number verification work make this a dangerous attack vector.
No matter the medium, follow these techniques to help prevent getting tricked by these social engineering attacks: