
Phishing and Other Scams

Social engineering, in its many forms, is the most common way cybercriminals steal information and money. Social engineering (manipulating people into doing what the attacker wants) is at the heart of all types of phishing attacks, including those conducted via email, SMS, and phone calls.

Technology makes these sorts of attacks easy and very low risk for the attacker. Be on the lookout for the traditional, mass-emailed phishing attack, as well as the other variants listed below. If you encounter a suspicious-looking email, please mark it as spam or phishing. This helps Google better detect illicit messages in the future. To learn how to report a phishing email in Google, and for other phishing information, you can visit this Google Support Article.

If you have responded to phishing emails with your LakerApps account, or you feel like your email account has been tampered with, please reset your password immediately! Reach out to the CTS Help Desk with any concerns or questions at [email protected] or 315-312-3456. 

Reset your password

Phishing

A phishing email is a scam in which a person is tricked, by email, into doing something they normally would not. Attackers send phishing emails for a variety of goals, but often they are trying to steal confidential information (username and password combinations, credit card information), infect your computer with malware, or trick you into authorizing fraudulent payments. The last of these is becoming increasingly common. This type of scam is usually called ‘spear phishing’ and involves a personalized, well-researched approach against the victim. Spear phishing campaigns usually aim to obtain employee tax information or to change vendor payment information (so that payments go to the attacker instead), but the possibilities are endless.

Even though Campus Technology Services and other legitimate entities would never ask for any personal or sensitive information over email, there are a few things to keep in mind when faced with emails like this:

  • Always check the address from the sender, not just the name.
  • Always hover over links included in the emails to see where they will take you.
  • Always be suspicious of unexpected email attachments and requests for sensitive information.
  • Always verify the validity of a suspicious email via a different means of communication, like a phone call.

Spear Phishing or Whaling

This involves very well-crafted messages that look like they come from a trusted VIP source. These scams often target those who can conduct financial transactions on behalf of your organization (sometimes called "whaling"). Another well-known tactic involves asking the victim to purchase gift cards and then send the card information and the exposed PIN to the attacker via text, picture message, or email.

Smishing

Phishing attacks via SMS are scams attempting to trick users into supplying content or clicking on links in SMS messages on their mobile devices. Flaws in how caller ID and phone number verification work make this an increasingly popular attack that is hard to stop.

Vishing

Voice phishing consists of calls from attackers claiming to be government agencies such as the IRS, software vendors like Microsoft, or services offering to help with benefits or credit card rates. Attackers will often appear to be calling from a local number close to yours. As with smishing, flaws in how caller ID and phone number verification work make this a dangerous attack vector.

No matter the medium, follow these techniques to help prevent getting tricked by these social engineering attacks:

Don't react to scare tactics

These types of attacks are dependent on scaring the recipient into taking action. You may be told that you are involved with a lawsuit, your computer is full of viruses, your job may be in jeopardy, you will appear incompetent in front of higher-ups, and so on. Don't fall for it!

Verify contacts independently

Financial transactions should always follow a defined set of procedures, including a way to verify the legitimacy of an email or phone call. Get contact information and verify it through the company website, support line, etc. Don't trust people who contact you out of the blue claiming to represent your company.

Know the signs

Scam messages and phone calls often contain very vague information, including a generic company name, such as "Card Services." You may be told this is a very urgent request and you need to respond now. And often, the offer seems too good to be true. Hang up or hit that delete button.

Resources

Determining what is a phishing email and what is not can be difficult. But like any skill, spotting a phish can get easier if you practice. With that in mind, we’ve gathered some resources that will help you learn to identify even the cleverest of phishing emails. Share these resources with employees and colleagues, or use them to inform your awareness strategy.

Articles

Examples

Seeing real-world examples of phishing emails is another way to become familiar with phishing tactics. Take a look at these collections of phishing emails from other higher education institutions: 

Quizzes

These quizzes are excellent preparation for spotting the next “phish hook” before it catches you. Note that these are third party sites, so you may be asked for an email address or other information, but you do not have to provide it.